Ethical Hacker CH10


Which of the following best describes a DoS attack?

A hacker overwhelms or damages a system and prevents users from accessing a service.

As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment?

A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets.

Which of the following describes a session ID?

A unique token that a server assigns for the duration of a client's communications with the server.

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?

ACME, Inc

As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select?

ARP poisoning

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?

ARP poisoning

As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?

ARP poisoning is occurring, as indicated by the duplicate response IP address.

Creating an area of the network where offending traffic is forwarded and dropped is known as _________?

Black hole filtering

Which of the following are network sniffing tools?

Cain and Abel, Ettercap, and TCPDump

Which of the following best describes the process of using prediction to gain session tokens in an application-level hijacking attack?

Collect several session IDs that have been used before and then analyze them to determine a pattern.

Which of the following tasks is being described?
1. Sniff the traffic between the target computer and the server.
2. Monitor traffic with the goal of predicting the packet sequence numbers.
3. Desynchronize the current session.
4. Predict the session ID and take over the session.
5. Inject commands to target the server.

Session hijacking

Which of the following tools can be used to create botnets?

Shark, PlugBot, and Poison Ivy

Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?

Man-in-the-middle

Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?

Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.

Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?

ip.src ne 192.168.142.3

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?

[email protected]

A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?

-SX port 443

The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests?

-n

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?

Active hijacking

An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?

Any device that can communicate over the intranet can be hacked.

Which of the following best describes the key difference between DoS and DDoS?

Attackers use numerous computers and connections.

A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?

Fraggle attack

Which of the following motivates attackers to use DoS and DDoS attacks?

Hacktivism, profit, and damage reputation

Which of the following are protocols included in the IPsec architecture?

IKE, AH, and ESP

Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?

IPsec

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter?

Only packets with 192.168.0.34 in either the source or destination address are captured.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?

Only packets with either a source or destination address on the 192.168.0.0 network are captured.

Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?

Passive hijacking

While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?

Passwords are being sent in clear text.

A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using?

Session fixation attack

It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?

Services can be set to throttle or even shut down.

Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?

Session fixation

Your network administrator is configuring settings so the switch shuts down a port when the maximum number of MAC addresses is reached. What is the network administrator taking countermeasures against?

Sniffing

You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?

St@y0ut!@

You are using Wireshark to try to determine whether a distributed denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening?

There are multiple SYN packets with different source addresses destined for 128.28.1.1.

Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?

Use encryption for all sensitive traffic.

Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet?

Volumetric attack

You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?

With the flood, all packets come from the same source IP address in quick succession.

Which of the following actions was performed using the WinDump command line sniffer?

Wrote packet capture files from interface 1 into mycap.pcap.
