CYSA+ Chapter 2 Review Questions


What process uses information such as the way that a system's TCP stack responds to queries, what TCP options it supports, and the initial window size it uses?

OS Detection. Operating system detection often uses TCP options support, IP ID sampling, and window size checks, as well as other indicators that create unique fingerprints for various operating systems. Service identification often leverages banners since TCP capabilities are not unique to a given service. Fuzzing is a code testing method, and application scanning is usually related to web application security.

Selah believes that an organization she is penetration testing may have exposed information about their systems on their website in the past. What site might help her find an older copy of their website?

The Internet Archive. The Internet Archive maintains copies of sites from across the Internet, and it can be used to review the historical content of a site. WikiLeaks distributes leaked information, whereas the Internet Rewinder and TimeTurner are both made-up names.

What technique is being used in this command? dig axfr @dns-server example.com

Zone Transfer. The axfr flag indicates a zone transfer in both the dig and host utilities.

What method used to replicate DNS information between DNS servers can also be used to gather large amounts of information about an organization's systems?

Zone Transfer. Zone transfers are intended to allow DNS database replication, but an improperly secured DNS server can also allow third parties to request a zone transfer, exposing all of their DNS information. Traceroute is used to determine the path and latency to a remote host, whereas dig is a useful DNS query tool. DNS sync is a made-up technical term.

What type of analysis is best suited to identify a previously unknown malware package operating on a compromised system?

Heuristic Analysis. Heuristic analysis focuses on behaviors, allowing a tool using it to identify malware behaviors instead of looking for a specific package. Trend analysis is typically used to identify large-scale changes from the norm, and it is more likely to be useful for a network than for a single PC. Regression analysis is used in statistical modeling.

What organization manages the global IP address space?

IANA. The Internet Assigned Numbers Authority manages the global IP address space. ARIN is the American Registry for Internet Numbers, WorldNIC is not an IP authority, and NASA tackles problems in outer space, not global IP space.

Before Ben sends a Word document, he uses the built-in Document Inspector to verify that the file does not contain hidden content. What is this process called?

Metadata Scrubbing. Metadata purging removes hidden information about a file like the creator, creation time, system used to create the file, and a host of other information. The other answers are all made up.

Which of the following options is the most likely use for the host listed in the dhcpd.conf entry? host db1 { option host-name "sqldb1.example.com"; hardware ethernet 8a:00:83:aa:21:9f; fixed-address 10.1.240.10; }

Microsoft SQL Server. Although it is possible that a system named "db1" with a hostname "sqldb1" is not a Microsoft SQL server, the most likely answer is that it is a MS-SQL server.

What tool would you use to capture IP traffic information to provide flow and volume information about a network?

Netflow. Netflow is a Cisco network protocol that collects IP traffic information that allows analysis of traffic flow and volume. netstat provides information about local connections, which applications have made them, and other useful local information. Libpcap is the Linux packet capture library and would not be used alone. pflow is a made-up term.

What method is used to replicate DNS information for DNS servers but is also a tempting exploit target for attackers?

Zone Transfers. DNS zone transfers provide a method to replicate DNS information between DNS servers, but they are also a tempting target for attackers due to the amount of information that they contain. A properly secured DNS server will only allow zone transfers to specific, permitted peer DNS servers. DNSSEC is a suite of DNS security specifications, AXR is a made-up term (AXFR is the zone transfer command), and DNS registration is how you register a domain name.

What flag does nmap use to enable operating system identification?

-o. Nmap's operating system identification flag is -o. This enables OS detection. -A also enables OS identification and other features. -osscan with modifiers like -limit and -guess set specific OS identification features. -os and -id are not nmap flags.

Which Cisco log level is the most critical?

0. Log level 0 is used for emergencies in Cisco's logging level scheme. Log level 7 is for debugging information and is at the bottom of the scale.

During passive intelligence gathering, you are able to run netstat on a workstation located at your target's headquarters. What information would you not be able to find using netstat on a Windows system?

Active IPX Connections. IPX connections are not shown by netstat. IPX is a non-IP protocol. Active TCP connections, executables that are associated with them, and route table information are all available via netstat.

What type of data can frequently be gathered from images taken on smartphones?

Exif. Exif (Exchangeable Image Format) data often includes location and camera data, allowing the images to be mapped and identified to a specific device or type of camera.

Which of the following is not a reason that penetration testers often perform packet capture while conducting port and vulnerability scanning?

Plausible Deniability. A packet capture can't provide plausible deniability, as it provides evidence of action. Packet capture is often used to document work, including the time that a given scan or process occurred, and it can also be used to provide additional data for further analysis.

Which of the following is not a common DNS anti-harvesting technique?

Registering Manually. Registering manually won't prevent DNS harvesting, but privacy services are often used to prevent personal or corporate information from being visible via domain registrars. CAPTCHAs, rate limiting, and blacklisting systems or networks that are gathering data are all common anti-DNS harvesting techniques.

Which type of Windows log is most likely to contain information about a file being deleted?

Security Logs. Microsoft Windows security logs can contain information about files being opened, created, or deleted if configured to do so. Configuration and httpd logs are not a type of Windows logs, and system logs contain information about events logged by Windows components.

During an information gathering exercise, Chris is asked to find out detailed personal information about his target's employees. What is frequently the best place to find this information?

Social Media. Social media can be a treasure trove of personal information. Company websites and forums are usually limited in the information they provide, and Creepy is a geolocation tool that gathers data from social media and geotagging.

What command-line tool can be used to determine the path that traffic takes to a remote system?

Traceroute. Traceroute (or tracert on Windows systems) is a command-line tool that uses ICMP to trace the route that a packet takes to a host. Whois and nslookup are domain tools, and routeview is not a command-line tool.

Which lookup tool provides information about a domain's registrar and physical location?

Whois. Whois provides information that can include the organization's physical address, registrar, contact information, and other details. Nslookup will provide IP address or hostname information, whereas host provides IPv4 and IPv6 addresses as well as email service information. Traceroute attempts to identify the path to a remote host as well as the systems along the route.

