DF 311 Midterm

Ace your homework & exams now with Quizwiz!

Which of the following is NOT a memory dump file format?

.mtv

All of the following are places to look for indicators of compromise EXCEPT

/etc/proxychains.conf file

Hypertext Transfer Protocol (HTTP) is associated with which network port?

80

The IP addresses highlighted in the packet capture below come from a "victim" computer that has been attacked using a MITM technique. The victim's computer has mistakenly routed his internet traffic through an attacker machine instead of through the default gateway (access point). What kind of attack is this?

ARP Cache Poisoning

What does AFF stand for?

Advanced Forensics Format

The screen capture below shows three Powershell commands that have been joined together to filter Windows environment. Which of the following statements below best describes the data being displayed? Get-ChildItem -Path "C:\users\jadkins\Downloads"|select name, lastwritetime, creationtime | sort-object -property creationtime

All files in the Downloads folder sorted by the time they were created

According to the Hashcat command below, what kind of attack is being run? ./hashcat.exe -a 3 -m 0 ntlmhash.txt -o cleartext.txt -0

Brute-force

Which of the following protocols resolves a www address (URL) to an IP address?

Domain Name Service (DNS)

What is the significance of the EAPOL protocol?

EAPOL is a wifi authentication protocol

In the image below, what will the -d option do in this case? cewl -d 0 -m 4 -w mywordlist.txt https://en.wikipedia.org/wiki/Star_Trek

Extract all unique words on the page (according to specified word size), ignoring all links

The following is a combinator attack that will use two wordlists to try and crack an NTLM v2 hash ./hashcat.exe -a 0 -m 5600 ntlmhash.txt rockyou.txt -o cleartext.txt -0

False, the option of -a 0 tells us that this is a single dictionary attack

The following Powershell command will create a memory dump file in a raw file format. ./winpmem64.exe memorydump.mem

False, this command will create a memory dump file with a .mem file format

Which one of these Powershell commands will display a list network connections and ports so you can identify indicators of compromise like a TCP connection that has lasted a long time?

Get-NetTCPConnection

Which of the following protocols provides instructions on how to navigate the world wide web (www)?

HTTP

According to the feedback provided by Hashcat seen below, what was the result of the password attack? Status... Exhausted

Hashcat couldn't guess the password

What does IoC stand for?

Indicators of Compromise

What will the --vhdx option in this command do? ./kape.exe --tsource C:\ --target RegistryHives --tdest C:\kape\ --vhdx hashcat

It will create a hard disk image file

What will the following command in Kali Linux do? cewl -d -m 4 -w mywordlist.txt https://en.wikipedia.org/wiki/Star_Trek

It. will create a custom word list called mywordlist.txt

What is the name of the corporate investigation and risk consulting firm that created the Kape tool which forensically extracts Windows password hashes from a computer?

Kroll

During incident response, what is the MOST preferred method of gathering information from a compromised machine?

Live examination using a tool like Powershell

What type of hash is being attacked according to the Hashcat commands? ./hashcat.exe -a 3 -m 0 ntlmhash.txt -o cleartext.txt -0

MD5

What technique of attack is being demonstrated here?

Man-in-the-middle (MiTM) attack

What type of password attack is this? ./hashcat.exe -a 3 -m 5600 ?u?1?1?1?1?d?d?d?d?s

Masking

What kind of hash is this? Billy-Bob Thornton::MicrosoftAccount...

NTLM v2

Which of the following is true about the QUIC protocol?

QUIC was built on top of the existing UDP protocol

What does RDP stand for?

Remote Desktop Protocol

What kind of password attack is this according to the Hashcat statement? ./hashcat.exe -a 0 -m 5600 ntlmhash.txt rockyou.txt -r d3ad0ne.rule -o cleartext.txt -0

Rule-based

Which of these registry hives contains the information associated with Windows user passwords?

SAM, SYSTEM

For Windows computers, what are the 3 log file types that can be found in the Event Log viewer?

System, Security, Application

Which of the following protocols provides a command line interface to communicate with a REMOTE device or server

Telnet

Why did this Hashcat statement fail? ./hashcat.exe -a 1 -m 5600 ntlmhash.txt rockyou.txt -o cleartext.txt -0

The -a (attack mode) should be set to 0

What is the BSSID?

The MAC address of the access point

Which of the following statements is true about the password we are trying to crack according to the Hashcat command statements? ./hashcat.exe -a 3 -m 5600 ?u?1?1?1?1?d?d?d?d?s

The password will end with a special character

Why will this Hashcat statement fail when it is executed? .\hashcat.exe -a 0 -m 5600 ntlmhash.txt rockyou.txt -o cleartext.txt -0

The slash at the beginning needs to be a forward slash (./)

A TCP connection that lasts more than 72 hours in an example of an "unusual" artifact that may be an indicator of compromise.

True

Finding a log entry with a timestamp of 2 am which says the "Telnet service has started successfully" is a possible compromise.

True

What kind of hashes are these? Administrator:500:...

Windows NTLM

The screen capture below shows joined Powershell commands that provide environment data about a Widows computer. Which of the following choices best describes the information that Powershell is displaying? Get-Process |sort Starttime -Descending -ErrorAction SilenetlyContinue | select Name, StartTime

Windows processes (programs) sorted in descending order by the time they started

what Linux command in Kali will get the below information displayed?

ifconfig

What is the name of the command line application in Kali Linux that will extract Windows user password hashes from SAM and SYSTEM registry hives?

secretsdump


Related study sets

physiologic changes and assessment during the postpartum period - sherpath

View Set

Acct Exam 2 Q and Brief exercises

View Set

Prep U Chapter 34: Assessment and Management of Patients with Inflammatory Rheumatic Disorders

View Set

1 Samuel Questions- (Journeying with God)

View Set