EEL 4806 Final Review Questions (Chapter 8-Chapter 14)


Which of these Bluetooth attacks can result in a denial of service?

Bluesmack

Which form of biometrics scans a pattern in the area of the eye around the pupil?

Iris scanning

Which of these would not be a result of a DHCP starvation attack for the victim?

Attacker getting a new IP address

How many stages are used in the WPA handshake?

Four

Why might you have more endpoints shown at layer 4 than at layer 2?

Systems may initiate multiple connections to the same host.

What does the following line mean? Sequence number: 4361 (relative sequence number)

The sequence number shown is not the real sequence number.

What technique would you likely be using if you had a Pringles can along with a laptop?

Wireless footprinting

What can you say about [TCP Segment Len: 35], as provided by Wireshark?

Wireshark has inferred this information.

What is an advantage of a phone call over a phishing email?

You are able to go into more detail with pretexting.

What is the primary difference between a worm and a virus?

A worm can self‐propagate.

What mode has to be enabled on a network interface to allow all headers in wireless traffic to be captured?

Monitor

What is the purpose of a packer for malware?

To obscure the actual program

Which program would you use if you wanted to only print specific fields from the captured packet?

tshark

What tool could you use to clone a website?

wget

What tool would allow you to run an evil twin attack?

wifiphisher

Which command‐line parameter would you use to disable name resolutions in tcpdump?

-n

What would a signal range for a Class A Bluetooth device commonly be?

300 ft.

In the following packet, what port is the source port? 20:45:55.272087 IP yazpistachio.lan.62882> loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83

62882

If you were to see the following command in someone's history, what would you think had happened? msfvenom -i 5 -p windows/x64/shell_reverse_tcp -o program

A malicious program was generated.

What would you need to do before you could perform a DNS spoof attack using Ettercap?

ARP spoof.

Which of these would be an example of pretexting?

An email from a former coworker

What is the primary purpose of polymorphic code for malware programs?

Antivirus evasion

Which social engineering principle may allow a phony call from the help desk to be effective?

Authority

What piece of information would you need to have to perform a Bluedump attack?

BDADD

What type of social engineering technique are you using if you are leaving USB sticks with malware on them around an office, expecting users to plug them into their systems?

Baiting

Why is bluesnarfing potentially more dangerous than bluejacking from the standpoint of the victim?

Bluejacking receives while bluesnarfing sends.

What is the policy that allows people to use their own smartphones on the enterprise network?

Bring your own device

In a botnet, what are the systems that tell individual bots what to do called?

C2 servers

What is the web page you may be presented with when connecting to a wireless access point, especially in a public place?

Captive portal

Which hardware vendor uses the term SPAN on switches?

Cisco

What attack can a proximity card be susceptible to?

Cloning

What type of building material would you select to keep the wireless signal mostly in the building, rather than leaking out?

Concrete

Your colleagues are suddenly calling you to indicate they received a strange email from you and are wondering what you are up to. If you didn't send the message, what should you suspect?

Contact spamming

What is the purpose of using a disassembler?

Converting opcodes to mnemonics

If you suddenly saw a large number of DHCPDISCOVER packets on your network, what might you begin investigating?

DHCP starvation attack

What is one downside to running a default tcpdump without any parameters?

DNS requests

At which protocol layer does the Berkeley Packet Filter operate?

Data Link

What piece of software could you use to recover from a ransomware attack?

Decryptor

What is the WPA four‐way handshake used for?

Deriving keys

How would someone keep a baiting attack from being successful?

Disable autorun.

What does the malware that is referred to as a dropper do?

Drops files that may be more malware

What would you use Cuckoo Sandbox for?

Dynamic analysis of malware

Which of these is not a good way to protect against identity theft?

Encrypting your file system

What program could be used to perform spoofing attacks and also supports plugins?

Ettercap

What statistic are you more likely to be concerned about when thinking about implementing biometrics?

False acceptance rate

Which of these would be a reason why it is best for communications to originate from inside the infected network?

Firewall

Which of these pieces of information would not be of interest to an attacker trying to steal your identity?

First book you ever read

What is the purpose of a deauthentication attack?

Forcing stations to reauthenticate

What would you use sslstrip for?

Getting plaintext traffic

What tool could you use to deeply analyze malicious software?

Ghidra

What do we call an ARP response without a corresponding ARP request?

Gratuitous ARP

If an attacker is using quid pro quo as a tactic to get you to provide information to them, who may they be most likely to indicate they are?

Help‐desk staff

If you wanted a tool that could help with both static and dynamic analysis of malware, which would you choose?

IDA

What is the SSID used for?

Identifying a network

What is the purpose of performing a Bluetooth scan?

Identifying endpoints

What would you use VirusTotal for?

Identifying malware against antivirus engines

What social engineering vector would you use if you wanted to gain access to a building?

Impersonation

What practice could an organization use to protect itself against data loss from ransomware?

Implement good backup practices

What are the two types of wireless networks?

Infrastructure and ad hoc

What part of the encryption process was weak in WEP?

Initialization vector

Why would someone use a Trojan?

It pretends to be something else.

What wireless attack would you use to take a known piece of information to be able to decrypt wireless traffic?

Key reinstallation

You are working on a red team engagement. Your team leader has asked you to use baiting as a way to get in. What are you being asked to do?

Leave USB sticks around

What would you use a bluebugging attack for?

Listening to a physical space

What is a viable approach to protecting against tailgating?

Man traps

What could you use to generate your own malware?

Metasploit

If you saw the following in your ifconfig output, what could you say is happening? eth0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO> ether 14:98:77:31:b2:33 inet6 fe80::10c6:713a:e86f:556d%en0 prefixlen 64 secured scopeid 0x7 inet 192.168.1.144 netmask 0xffffff00 broadcast 192.168.1.255 inet6 2601:18d:8b7f:e33a::52 prefixlen 64 dynamic inet6 fd23:5d5f:cd75:40d2:87:38bc:9448:3407 prefixlen 64 autoconf secured nd6 options=201<PERFORMNUD,DAD> media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>) status: active

Network sniffing

What wouldn't you see when you capture wireless traffic that includes radio headers?

Network type

Which of these tools would be most beneficial when trying to dynamically analyze malware?

OllyDbg

What would the result of a high false failure rate be?

People having to call security

What is the tactic of allowing software to continue running across reboots of a system called?

Persistence

What types of authentication are allowed in a WPA‐encrypted network?

Personal and enterprise

You get a phone call from someone telling you they are from the IRS and they are sending the police to your house now to arrest you unless you provide a method of payment immediately. What tactic is the caller using?

Pretexting

What persistence mechanism might allow malware to protect itself against anti‐malware software?

Pre‐boot malware

Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers?

Protocol hierarchy

What is the difference between a virus and ransomware?

Ransomware may be a virus.

Why would you use automated tools for social engineering attacks?

Reduce complexity

What kind of access point is being used in an evil twin attack?

Rogue

What tool could you use to generate email attacks as well as wireless attacks?

SE Toolkit

Which end of a client‐server communication goes on the infected system if it is communicating with infrastructure?

Server

What is the /etc/ettercap/etter.dns file used for?

Setting up mail for Ettercap

What does WPA3 use to start the authentication and association process between stations and access points?

Simultaneous authentication of equals

You've received a text message from an unknown number that is only five digits long. It doesn't have any text, just a URL. What might this be an example of?

Smishing

Which of the social engineering principles is in use when you see a line of people at a vendor booth at a security conference waiting to grab free USB sticks and CDs?

Social proof

How does an evil twin attack work?

Spoofing an SSID

What is one advantage of static analysis over dynamic analysis of malware?

Static analysis limits your exposure to infection.

What network technology makes sniffing harder for attackers?

Switches

What problem does port spanning overcome?

Switches filter traffic.

What protocol is being used in the frame listed in this summary? 719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU]

TCP

What are two sections you would commonly find in a portable executable file?

Text and data

What would be one reason not to write malware in Python?

The Python interpreter may not be available.

Your sslstrip session is not going well. What might you suspect?

The sessions are all TLS v1.3.

The following shows a time stamp. What does the time of this message reflect? 630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

The time since packet start.

Why would you use an encoder when you are creating malware using Metasploit?

To evade antivirus

Why would you use wireless social engineering?

To gather credentials

If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5

Traffic to and from 192.168.10.5

What is a method to successfully get malware onto a mobile device without having to get the user to do something they wouldn't normally do?

Using a third‐party app store

Which of these forms of biometrics is least likely to give a high true accept rate while minimizing false reject rates?

Voiceprint

What tool could you use to enable sniffing on your wireless network to acquire all headers?

airmon-ng

Why might you have problems with sslstrip?

sslstrip doesn't work with newer versions of TLS.
