Info Security Test 2


Who would be most likely to erase only parts of the system logs file? A. A black hat hacker B. An everyday user C. A penetration tester D. The network admin

A. A black hat hacker

Which of the following would be the best open-source tool to use if you are looking for a web server scanner? A. Nikto B. NetScan C. Nessus D. OpenVAS

A. Nikto

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter? A. Only packets with 192.168.0.34 in either the source or destination address are captured. B. Only packets with 192.168.0.34 in the destination address are captured. C. Only packets on the 192.168.0.34 network are captured. D. Only packets with 192.168.0.34 in the source address are captured.

A. Only packets with 192.168.0.34 in either the source or destination address are captured.

Which of the following do hackers install in systems to allow them to have continued admittance, gather sensitive information, or establish access to resources and operations within the system? A. Backdoors B. cPassword C. Kerberos D. Crackers

A. Backdoors

You are looking for a vulnerability assessment tool that detects vulnerabilities in mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use? A. SecurityMetrics Mobile B. Retina CS for Mobile C. Nessus Professional D. Network Scanner

A. SecurityMetrics Mobile

Analyzing emails, suspect files, and systems for malware is known as which of the following? A. Sheep dipping B. Dynamic analysis C. Integrity checking D. Static analysis

A. Sheep dipping

In a world where so much private information is stored and transferred digitally, it is essential to proactively discover weaknesses. An ethical hacker's assessment sheds light on the flaws that can open doors for malicious attackers. Which of the following types of assessments does an ethical hacker complete to expose these weaknesses? A. Vulnerability assessment B. Host-based assessment C. Passive assessment D. External assessment

A. Vulnerability assessment

Which of the following best describes the Security Account Manager (SAM)? A. A file in the directory that performs the system's security protocol. B. A database that stores user passwords in Windows as an LM hash or a NTLM hash. C. The attribute that stores passwords in a Group Policy preference item in Windows. D. A protocol that allows authentication over an unsecure network through tickets or service principal names.

B. A database that stores user passwords in Windows as an LM hash or a NTLM hash.

Which of the following government resources is a dictionary of known patterns of cyberattacks used by hackers? A. CWE B. CAPEC C. CISA D. CVE

B. CAPEC

The results section of an assessment report contains four sub-topics. Which of the following sub-sections contains the origin of the scan? A. Target B. Services C. Classification D. Assessment

C. Classification

Which of the following techniques involves adding random bits of data to a password before it is stored as a hash? A. Password sniffing B. Keylogging C. Pass the hash D. Password salting

D. Password salting

Which of the following tasks is being described?
1. Sniff the traffic between the target computer and the server.
2. Monitor traffic with the goal of predicting the packet sequence numbers.
3. Desynchronize the current session.
4. Predict the session ID and take over the session.
5. Inject commands to target the server.
A. Application hijacking B. Cookie hijacking C. Passive hijacking D. Session hijacking

D. Session hijacking

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment? A. ACME, Inc B. The Home Depot C. Lowes D. Wood Specialist

A. ACME, Inc

Which of the following is used to remove files and clear the internet browsing history? A. CCleaner B. Steganography C. cPassword D. User Account Control

A. CCleaner

Which of the following best describes Qualys Vulnerability Management assessment tool? A. It is a cloud-based service that keeps all your data in a private virtual database. B. It scans for known vulnerabilities, malware, and misconfigurations. C. It has more than 50,000 vulnerability tests with daily updates. D. It scans for more than 6,000 files and programs that can be exploited.

A. It is a cloud-based service that keeps all your data in a private virtual database.

Which of the following assessment types can monitor and alert on attacks but cannot stop them? A. Passive B. Host-based C. Vulnerability D. External

A. Passive

You believe your system has been hacked. Which of the following is the first thing you should check? A. Browser history B. Modified timestamps C. System log files D. Hidden files

C. System log files

Jaxon, a pentester, is discovering vulnerabilities and design flaws on the Internet that will open an operating system and applications to attack or misuse. Which of the following tasks is he accomplishing? A. Vulnerability scanning B. Vulnerability assessment C. Vulnerability research D. Vulnerability management

C. Vulnerability research

Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using? A. Trojan horse B. Spyware C. Worm D. Virus

C. Worm

This type of assessment evaluates deployment and communication between the server and client. It is imperative to develop tight security through user authorization and validation. Open-source and commercial tools are both recommended for this assessment. Which of the following types of vulnerability research is being done? A. Application flaws B. Buffer overflows C. Default settings D. Open services

A. Application flaws

As an ethical hacker, you are looking for a way to organize and prioritize vulnerabilities that were discovered in your work. Which of the following scoring systems could you use? A. CVSS B. CVE C. CAPEC D. CISA

A. CVSS

Which of the following malware types shows the user signs of potential harm that could occur if the user doesn't take a certain action? A. Scareware B. Spyware C. Ransomware D. Adware

A. Scareware

Which of the following privilege escalation risks happens when a program is being installed without the constant supervision of the IT employee and fails to clean up after? A. Unattended installation B. Gaining credentials in LSASS C. DLL hijacking D. Kerberoasting

A. Unattended installation

Which of the following best describes an anti-virus sensor system? A. Analyzing the code of malware to understand its purpose without running it. B. A collection of software that detects and analyzes malware. C. Software that is used to protect a system from malware infections. D. Analyzing malware by running and observing its behavior and effects.

B. A collection of software that detects and analyzes malware.

Karen received a report of all the mobile devices on the network. This report showed the total risk score, summary of revealed vulnerabilities, and remediation suggestions. Which of the following types of software generated this report? A. A malware scanner B. A vulnerability scanner C. An antivirus scanner D. A port scanner

B. A vulnerability scanner

Which of the following laws is designed to regulate emails? A. USA Patriot Act B. CAN-SPAM Act C. CFAA D. HIPAA

B. CAN-SPAM Act

Which of the following best describes a rootkit? A. Allows the user to create a password to make the hidden file more secure. B. Can modify the operating system and the utilities of the target system. C. Scans the system and compares the current scan to the clean database. D. Allows each file an unlimited number of data streams with unlimited size.

B. Can modify the operating system and the utilities of the target system.

Jerry runs a tool to scan a clean system to create a database. The tool then scans the system again and compares the second scan to the clean database. Which of the following detection methods is Jerry using? A. Cross view-based B. Integrity-based C. Signature-based D. Behavior-based

B. Integrity-based

Which of the following is a protocol that allows authentication over a non-secure network by using tickets or service principal names (SPNs)? A. Unattended installation B. Kerberoasting C. Credentials in LSASS D. DLL hijacking

B. Kerberoasting

Which of the following solutions creates the risk that a hacker might gain access to the system? A. Inference-based B. Service-based C. Tree-based D. Product-based

B. Service-based

Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server? A. DNS spoofing B. Cross-site scripting C. Man-in-the-middle D. Session hijacking

C. Man-in-the-middle

Which of the following system exploitation methods happens by adding a malicious file to a file path that is missing quotation marks and has spaces in it? A. Spyware B. Unsecure file and folder permissions C. Writable services D. Path interception

D. Path interception

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done? A. Passive hijacking B. Active hijacking C. Session sniffing D. Cross-site scripting

B. Active hijacking

[ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~] are the possible values in which of the following hash types? A. Mix alpha-numeric B. Ascii-32-95 C. Ascii-32-65-123-4 D. Alpha-numeric-symbol32-space

B. Ascii-32-95

This government resource is a community-developed list of common software security weaknesses. They strive to create commonality in the descriptions of weaknesses of software security. Which of the following government resources is described? A. CISA B. CWE C. CVE D. NVD

B. CWE

Which of the following best describes the process of using prediction to gain session tokens in an Application level hijacking attack? A. Convince the victim system that you are the server so you can hijack a session and collect sensitive information. B. Collect several session IDs that have been used before and then analyze them to determine a pattern. C. Obtain a user's HTTP cookies to collect session IDs embedded within the file to gain access to a session. D. Review a user's browsing history to enter a previously used URL to gain access to an open session.

B. Collect several session IDs that have been used before and then analyze them to determine a pattern.

A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use? A. Teardrop attack B. Fraggle attack C. SYN flood D. Smurf attack

B. Fraggle attack

It may be tempting for an organization to feel secure after going through the process of penetration testing and the corrections and hardening that you must perform. Which of the following should you help them to understand? A. The risks associated with enforcing security procedures and what threats may have been overlooked. B. Hackers have time on their side, and there will always be new threats to security. C. They need a plan of action to control weaknesses and harden systems. D. How to define the effectiveness of the current security policies and procedures.

B. Hackers have time on their side, and there will always be new threats to security.

Which of the following is the first step you should take if malware is found on a system? A. Check for suspicious or unknown registry entries. B. Isolate the system from the network immediately. C. Look through the event log for suspicious events. D. Sanitize the system using updated anti-malware software.

B. Isolate the system from the network immediately.

A virus has replicated itself throughout the infected systems and is executing its payload. Which of the following phases of the virus lifecycle is the virus in? A. Design B. Launch C. Incorporation D. Replication

B. Launch

Which of the following best describes a reverse proxy method for protecting a system from a DoS attack? A. Creates an area of the network where offending traffic is forwarded and dropped. B. Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact. C. Adds extra services so that there are too many platforms for the attacker to be able to flood. D. Limits the potential impact of a DoS attack by providing additional response time.

B. Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact.

Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred? A. Shoulder surfing B. Social engineering C. Password guessing D. Dumpster diving

B. Social engineering

The method of embedding data into legitimate files like graphics to hide it and then extracting the data once it reaches its destination is called: A. Execution path profiling B. Steganography C. NTFS data streaming D. Rootkits

B. Steganography

On your network, you have a Windows 10 system with the IP address 10.10.10.195. You have installed XAMPP along with some web pages, php, and forms. You want to put it on the public-facing internet, but you are not sure if it has any vulnerabilities. On your Kali Linux system, you have downloaded the nmap-vulners script from GitHub. Which of the following is the correct nmap command to run? A. nmap -sC vulners -sV 10.10.10195 B. nmap --script vulners -sV 10.10.10.195 C. nmap -sC nmap-vulners -sV 10.10.10.195 D. nmap --script nmap-vulners -sV 10.10.10.195

D. nmap --script nmap-vulners -sV 10.10.10.195

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address? A. [email protected] B. [email protected] C. [email protected] D. [email protected]

D. [email protected]

Which of the following describes a session ID? A. A unique token that a server assigns for the duration of a client's communications with the server. B. The destination IP address of an encrypted packet sent from a server to a client. C. The source IP address of an encrypted packet sent from a server to a client. D. The symmetric key used to encrypt and decrypt communications between a client and a server.

A. A unique token that a server assigns for the duration of a client's communications with the server.

Which of the following motivates attackers to use DoS and DDoS attacks? A. Hacktivism, profit, and damage reputation B. Distraction, turf wars, and fun C. Distraction, extortion, and theft D. Hacktivism, turf wars, and profit

A. Hacktivism, profit, and damage reputation

Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs? A. IPsec B. SYN C. ECC D. BLE

A. IPsec

Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host? A. Passive hijacking B. Session ID C. Session key D. Active hijacking

A. Passive hijacking

Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester will need to manually check many different areas of the system. After these checks have been completed, which of the following is the next step? A. Run anti-malware scans B. Isolate system from network C. Sanitize the system D. Document all findings

A. Run anti-malware scans

A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using? A. Session fixation attack B. TCP/IP session hijacking C. UDP session hijacking D. Man-in-the-middle attack

A. Session fixation attack

Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against? A. Sniffing B. Filtering C. Spoofing D. Hijacking

A. Sniffing

James, a hacker, has hacked into a Unix system and wants to change the timestamps on some files to hide his tracks. Which of the following timestamp tools would he most likely use? A. Touch B. ctime C. Timestomp D. Meterpreter

A. Touch

You are using Wireshark to try and determine if a denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening? A. The Transmission Control Protocol shows the hex value of the SYN flag is 0x002. B. There are multiple SYN packets with different source addresses destined for 128.28.1.1. C. The source address for all SYN packets is 198.28.1.1. D. There was a flood of SYN packets without a matching SYN-ACK packet.

B. There are multiple SYN packets with different source addresses destined for 128.28.1.1.

A hacker has gained physical access to a system and has changed an administrator's account password. Which of the following tools did the hacker most likely use to accomplish this? A. StegoStick B. Ultimate Boot CD C. CCleaner D. Timestomp

B. Ultimate Boot CD

Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet? A. Amplification attack B. Volumetric attack C. Fragmentation attack D. Phlashing attack

B. Volumetric attack

The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests? A. -f B. -l C. -n D. -a

C. -n

Which of the following best describes a DoS attack? A. A hacker attempts to impersonate an authorized user by stealing the user's token. B. A hacker penetrates a system by using every character, word, or letter to gain access. C. A hacker overwhelms or damages a system and prevents users from accessing a service. D. A hacker intercepts traffic between two systems to gain access to a system

C. A hacker overwhelms or damages a system and prevents users from accessing a service.

As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment? A. No man-in-the-middle spoofing attacks are currently present. B. A man-in-the-middle spoofing attack is possible due to the DHCP Offer packet captured from the hacker. C. A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets. D. Two man-in-the-middle spoofing attacks were captured.

C. A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets.

Which of the following best describes the key difference between DoS and DDoS? A. Sends a large number of legitimate-looking requests. B. Results in the server being inaccessible to users. C. Attackers use numerous computers and connections. D. The target server cannot manage the capacity.

C. Attackers use numerous computers and connections.

Creating an area of the network where offending traffic is forwarded and dropped is known as _________? A. Enable router throttling B. Reverse proxy C. Black hole filtering D. Anti-spoofing measures

C. Black hole filtering

The list of cybersecurity resources below are provided by which of the following government sites?
- Information exchange
- Training and exercises
- Risk and vulnerability assessments
- Data synthesis and analysis
- Operational planning and coordination
- Watch operations
- Incident response and recovery
A. CAPEC B. CWE C. CISA D. CVE

C. CISA

Which of the following are protocols included in the IPsec architecture? A. SIP, AH, and ESP B. IKE, AH, and ACK C. IKE, AH, and ESP D. SIP, AH, and ACK

C. IKE, AH, and ESP

Which of the following is a tool for cracking Windows login passwords using rainbow tables? A. Trinity Rescue Kit B. GreyFish C. Ophcrack D. ERD Commander

C. Ophcrack

Which of the following tools can be used to create botnets? A. Trin00, Targa, and Jolt2 B. Jolt2, PlugBot, and Shark C. Shark, PlugBot, and Poison Ivy D. Poison Ivy, Targa, and LOIC

C. Shark, PlugBot, and Poison Ivy

Which of the following best describes shoulder surfing? A. Finding someone's password in the trash can and using it to access their account. B. Guessing someone's password because it is so common or simple. C. Someone nearby watches you enter your password on your computer and records it. D. Giving someone you trust your username and account password.

C. Someone nearby watches you enter your password on your computer and records it.

Which of the following is malware that works by stealth to capture information and then sends it to a hacker to gain remote access? A. ERD Commander B. Writable services C. Spyware D. Crackers

C. Spyware

Which of the following is the name of the attribute that stores passwords in a Group Policy preference item in Windows? A. SAM B. SPNs C. cPasswords D. LSASS

C. cPasswords

While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report? A. Keep-alive connections are being used. B. The checksum is unverified. C. The urgent pointer flag is set to 0. D. Passwords are being sent in clear text.

D. Passwords are being sent in clear text.

It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation? A. Have more than one upstream connection to use as a failover. B. Include a checklist of all threat assessment tools. C. Add extra services, such as load balancing and excess bandwidth. D. Services can be set to throttle or even shut down.

D. Services can be set to throttle or even shut down.

Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent? A. Packet sniffing B. DNS spoofing C. Packet filtering D. Session fixation

D. Session fixation

You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood? A. The normal ICMP ping request only has one source address. B. With the ICMP flood, ICMP packets are sent and received at a quicker rate than normal ICMP packets. C. The only difference is the number of packets that are sent. D. With the flood, all packets come from the same source IP address in quick succession.

D. With the flood, all packets come from the same source IP address in quick succession.

Which of the following includes a list of resolved vulnerabilities? A. Security vulnerability summary B. Security vulnerability report C. Statistical vulnerability report D. Statistical vulnerability summary

A. Security vulnerability summary

The program shown is a crypter. Which of the following best defines what this program does? A. A crypter compresses the malware to reduce its size and help hide it from anti-malware software. B. A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect. C. A crypter takes advantage of a bug or vulnerability to execute the malware's payload. D. A crypter is the main piece of the malware, the part of the program that performs the malware's intended activity.

B. A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect.

Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address? A. ip.src == 192.168.142.3 B. ip.src ne 192.168.142.3 C. ip.src eq 192.168.142.3 D. ip.src && 192.168.142.3

B. ip.src ne 192.168.142.3

As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning? A. ARP poisoning is occurring, as indicated by the short time interval between ARP packets. B. ARP poisoning is occurring, as indicated by the multiple Who Has packets being sent. C. ARP poisoning is occurring, as indicated by the duplicate response IP address. D. No ARP poisoning is occurring.

C. ARP poisoning is occurring, as indicated by the duplicate response IP address.

You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password? A. p@ssw0rd B. watson C. St@y0ut!@ D. watson-p

C. St@y0ut!@

Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic? A. Eliminate unnecessary system applications. B. Use intrusion detection countermeasures. C. Use encryption for all sensitive traffic. D. Implement acceptable use policies.

C. Use encryption for all sensitive traffic.

Which of the following is also known as ZeroAccess and has virus, Trojan horse, and rootkit components? A. DeepSound B. Sirefef C. Touch D. GrayFish

B. Sirefef

Which of the following best describes the verification phase of the vulnerability management life cycle? A. Communicate clearly to management what your findings and recommendations are for locking down the systems and patching problems. B. Is critical to ensure that organizations have monitoring tools in place and have regularly scheduled vulnerability maintenance testing. C. Proves your work to management and generates verifiable evidence to show that your patching and hardening implementations have been effective. D. Protect the organization from its most vulnerable areas first and then focus on less likely and less impactful areas.

C. Proves your work to management and generates verifiable evidence to show that your patching and hardening implementations have been effective.

Daphne has determined that she has malware on her Linux machine. She prefers to only use open-source software. Which anti-malware software should she use? A. ClamAV B. Kaspersky C. Bitdefender D. Avira

A. ClamAV

Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using? A. Virus B. Trojan horse C. Spyware D. Worm

B. Trojan horse

Which of the following assessment types relies on each step to determine the next step, and then only tests relevant areas of concern? A. Product-based B. Tree-based C. Inference-based D. Service-based

C. Inference-based

Which of the following best describes active scanning? A. A scanner allows the ethical hacker to scrutinize completed applications when the source code is unknown. B. A scanner tries to find vulnerabilities without directly interacting with the target network. C. A scanner transmits to a network node to determine exposed ports and can also independently repair security flaws. D. A scanner is limited to the moment in time that it is running and may not catch vulnerabilities that only occur at other times.

C. A scanner transmits to a network node to determine exposed ports and can also independently repair security flaws.

An attacker installed a malicious file in the application directory. When the victim starts installing the application, Windows searches in the application directory and selects the malicious file instead of the correct file. The malicious file gives the attacker remote access to the system. Which of the following escalation methods best describes this scenario? A. Clear text credentials in LDAP B. Kerberoasting C. DLL hijacking D. Unattended installation

C. DLL hijacking

Hackers can maintain access to a system in several ways. Which of the following best describes the unsecure file and folder method? A. Services with weak permissions allow anyone to alter the execution of the service. B. The hacker will have rights to do whatever the admin account can do. C. This can lead to DLL hijacking and malicious file installations on a non-admin targeted user. D. There is no problem if the path is written within quotation marks and has no spaces.

C. This can lead to DLL hijacking and malicious file installations on a non-admin targeted user.

Which of the following parts of the Trojan horse packet installs the malicious code onto the target machine? A. Dropper B. Server C. Wrapper D. Construction kit

A. Dropper

Phil, a hacker, has found his way into a secure system. He is looking for a Windows utility he can use to retrieve, set, back up, and restore logging policies. Which of the following utilities should he consider? A. auditpol B. secedit C. poledit D. gpedit

A. auditpol

You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled? A. Password guessing B. Dumpster diving C. Shoulder surfing D. Social engineering

B. Dumpster diving

First, you must locate the live nodes in the network. Second, you must itemize each open port and service in the network. Finally, you test each open port for known vulnerabilities. These are the three basic steps in which of the following types of testing? A. Baseline B. Penetration C. Stress D. Patch level

B. Penetration

Which of the following virus types is shown in the code below? A. Cavity B. Direct action C. Logic bomb D. Metamorphic

C. Logic bomb

Cameron wants to send secret messages to his friend Brandon, who works at a competitor's company. To secure these messages, he uses a technique to hide a secret message within a video. Which of the following techniques is he using? A. RSA algorithm B. Public-key cryptography C. Encryption D. Steganography

D. Steganography

Which of the following phases of the vulnerability management lifecycle implements patches, hardening, and correction of weaknesses? A. The monitoring phase B. The verification phase C. The risk assessment phase D. The remediation phase

D. The remediation phase

Anti-malware software utilizes different methods to detect malware. One of these methods is scanning. Which of the following best describes scanning? A. Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs. B. Scanning establishes a baseline and keeps an eye on any system changes that shouldn't happen. The program will alert the user that there is possible malware on the system. C. Scanning aids in detecting new or unknown malware that is based on another known malware. Every malware has a fingerprint, or signature. If a piece of code contains similar code, the scan should mark it as malware and alert the user. D. Scanning is when the anti-malware software opens a virtual environment to mimic CPU and RAM activity. Malware code is executed in this environment instead of the physical processor.

A. Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs.

An ethical hacker is running an assessment test on your networks and systems. The assessment test includes the following items: -Inspecting physical security -Checking open ports on network devices and router configurations -Scanning for Trojans, spyware, viruses, and malware -Evaluating remote management processes -Determining flaws and patches on the internal network systems, devices, and servers Which of the following assessment tests is being performed? A. Active assessment B. Passive assessment C. Internal assessment D. External assessment

B. Internal assessment

A hacker finds a system that has a poorly designed and unpatched program installed. He wants to create a backdoor for himself. Which of the following tools could he use to establish a backdoor? A. AuditPol B. CCleaner C. Timestomp D. Metasploit

D. Metasploit

As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select? A. ARP poisoning B. Port stealing C. DHCP spoofing D. NDP poisoning

D. NDP poisoning

Jack is tasked with testing the password strength for the users of an organization. He has limited time and storage space. Which of the following would be the best password attack for him to choose? A. Dictionary attack B. Brute force attack C. Keylogger attack D. Rainbow attack

D. Rainbow attack

Which of the following actions was performed using the WinDump command line sniffer? A. Requested that hexadecimal strings be included from interface 1 to mycap.pcap. B. Wrote packet capture files from interface 1 into mycap.pcap. C. Requested that ASCII strings be included from interface 1 to mycap.pcap. D. Read packet capture files from interface 1 in mycap.pcap file.

B. Wrote packet capture files from interface 1 into mycap.pcap.

Daphne suspects a Trojan horse is installed on her system. She wants to check all active network connections to see which programs are making connections and the FQDN of the hosts those programs are connecting to. Which command will allow her to do this? A. netstat -f -a -b B. netstat -f -b C. netstat -a -b D. netstat -f -a

B. netstat -f -b

Rose, an ethical hacker, has created a report that clearly identifies her findings and recommendations for locking down an organization's systems and patching problems. Which of the following phases of the vulnerability management life cycle is she working in? A. Create a baseline B. Risk assessment C. Verification D. Remediation

B. Risk assessment

You have created and sorted an md5 rainbow crack table. You want to crack the password. Which of the following commands would you use to crack a single hash? A. rcrack . -l /root/hashes.txt B. rcrack . -h 202cb962ac59075b964b07152d234b70 C. rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 D. rtgen md5 ascii-32-95 1 20 0 1000 1000 0

B. rcrack . -h 202cb962ac59075b964b07152d234b70

Mark is moving files from a device that is formatted using NTFS to a device that is formatted using FAT. Which of the following is he trying to get rid of? A. Antivirus and anti-spyware programs. B. Malicious alternate data streams. C. Encrypted steganographic information. D. Software programs that hackers use.

B. Malicious alternate data streams.

Jessica, an employee, has come to you with a new software package she would like to use. Before you purchase and install the software, you would like to know if there are any known security-related flaws or if it is commonly misconfigured in a way that would make it vulnerable to attack. You only know the name and version of the software package. Which of the following government resources would you consider using to find an answer to your question? A. CVE B. NVD C. CWE D. CVSS

B. NVD

Which of the following best describes the heuristic or behavior-based detection method? A. Runs a tool to scan a clean system and create a database, then scans the system and compares the current scan to the clean database. B. Uses an algorithm as it goes through the system files, processes, and registry keys to create a baseline that is compared to the data returned by the operating system's APIs. C. Scans a system's processes and executable files, looking for byte sequences of known malicious rootkit programs. D. Searches for execution path hooking, which allows a function value in an accessible environment to be changed.

D. Searches for execution path hooking, which allows a function value in an accessible environment to be changed.

You have just run the John the Ripper command shown in the image. Which of the following was this command used for? A. To extract the password hashes and save them in the secure.txt file. B. To extract the password from a rainbow hash and save it in the secure.txt file. C. To extract the password and save it in the secure.txt file. D. To extract the password and save it in a rainbow table named secure.txt.

A. To extract the password hashes and save them in the secure.txt file.

You are an ethical hacker contracting with a medical clinic to evaluate their environment. Which of the following is the first thing you should do? A. Create reports that clearly identify the problem areas to present to management. B. Define the effectiveness of the current security policies and procedures. C. Choose the best security assessment tools for the systems you choose to test. D. Decide the best times to test to limit the risk of having shutdowns during peak business hours.

B. Define the effectiveness of the current security policies and procedures.

Clive, a penetration tester, is scanning for vulnerabilities on the network, specifically outdated versions of Apple iOS. Which of the following tools should he use? A. Nikto B. NetScan C. Retina CS D. Nessus

D. Nessus

You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using? A. Password sniffing B. Pass the hash C. Keylogger D. Brute force

D. Brute force

An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use? A. Only routers and switches on the Internet can be hacked. B. Only servers and routers on the Internet can be hacked. C. Only servers and workstations on the intranet can be hacked. D. Any device that can communicate over the intranet can be hacked.

D. Any device that can communicate over the intranet can be hacked.

Which of the following includes all possible characters or values for plaintext? A. Chain_len B. Table_index C. Chain_num D. Charset

D. Charset

A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output? A. src port 443 B. -SA port 443 C. -SXX port 443 D. -SX port 443

D. -SX port 443

Which of the following could a hacker use Alternate Data Streams (ADS) for? A. Modifying evidence B. Tracking evidence C. Erasing evidence D. Hiding evidence

D. Hiding evidence

Which of the following are the three metrics used to determine a CVSS score? A. Risk, temporal, and severity B. Base, temporal, and environmental C. Risk, change, and severity D. Base, change, and environmental

B. Base, temporal, and environmental

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network? A. MAC spoofing B. MAC flooding C. Port mirroring D. ARP poisoning

D. ARP poisoning

Which of the following are network sniffing tools? A. Ufasoft snif, TCPDump, and Shark B. Ettercap, Ufasoft snif, and Shark C. WinDump, KFSensor, and Wireshark D. Cain and Abel, Ettercap, and TCPDump

D. Cain and Abel, Ettercap, and TCPDump

Rudy is analyzing a piece of malware discovered in a pentest. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterwards and monitor different components such as ports, processes, event logs, and more for any changes. Which of the following processes is he using? A. Static analysis B. Malware disassembly C. Sheep dipping D. Host integrity monitoring

D. Host integrity monitoring

Which of the following assessment types focuses on all types of user risks, including threats from malicious users, ignorant users, vendors, and administrators? A. Wireless network assessment B. Passive assessment C. External assessment D. Host-based assessment

D. Host-based assessment

Roger, a security analyst, wants to tighten up privileges to make sure each user has only the privileges they need to do their work. Which of the following additional countermeasures could he take to help protect privileges? A. Create plain text storage for passwords. B. Restrict the interactive logon privileges. C. Allow unrestricted interactive logon privileges. D. Instigate multi-factor authentication and authorization.

D. Instigate multi-factor authentication and authorization.

There are two non-government sites that provide lists of valuable information for ethical hackers. Which of the following best describes the Full Disclosure site? A. A list searchable by mechanisms of attack or domains of attack. B. A list of standardized identifiers for known software vulnerabilities and exposures. C. A community-developed list of common software security weaknesses. D. A mailing list that often shows the newest vulnerabilities before other sources.

D. A mailing list that often shows the newest vulnerabilities before other sources.

Patrick is planning a penetration test for a client. As part of this test, he will perform a phishing attack. He needs to create a virus to distribute through email and run a custom script that will let him track who has run the virus. Which of the following programs will allow him to create this virus? A. Webroot B. ProRat C. TCPView D. JPS

D. JPS

Which of the following best describes CCleaner? A. A command line tool in Windows 2000 that will dump a remote or local event log into a tab-separated text file. It can also be used to filter specific types of events. B. Software that can clear cookies, stored data like passwords, browser history, and temporary cached files. It can clear the recycling bin, clipboard data, and recent documents lists as well. C. A program that searches for carrier files through statistical analysis techniques, scans for data hiding tools, and can crack password-protected data to extract the payload. D. A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.

D. A tool that can remove files and clear internet browsing history. It also frees up hard disk space. It clears the temporary files, history, and cookies from each of the six major search engines.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter? A. Only packets with a destination address on the 192.168.0.0 network are captured. B. Only packets with a source address of 192.168.0.0 are captured. C. Only packets with a source address on the 192.168.0.0 network are captured. D. Only packets with either a source or destination address on the 192.168.0.0 network are captured.

D. Only packets with either a source or destination address on the 192.168.0.0 network are captured.

Sam has used malware to access Sally's computer on the network. He has found information that will allow him to use the underlying NTLM to escalate his privileges without needing the plaintext password. Which of the following types of attacks did he use? A. Dictionary attack B. Rainbow attack C. Password sniffing D. Pass the hash

D. Pass the hash
