Section 10: Identifying Common Attack Vectors Summary Challenge

Which two statements are true regarding exploit kits in the cyber kill chain model? (Choose two.) Exploitation kits (or exploit kits) are sets of tools that are utilized to gain access to a targeted host, either through manual or automated interaction. Even today, the automated interaction is not well developed and most exploitation kits are using the manual interaction-based techniques. The typical exploit kit provides a user-friendly web interface that helps the attacker track the infection campaign. A key downside of an exploit kit is the complexity with which it can be used only by the technology or the security experts.

Exploitation kits (or exploit kits) are sets of tools that are utilized to gain access to a targeted host, either through manual or automated interaction. The typical exploit kit provides a user-friendly web interface that helps the attacker track the infection campaign.

Match the SQL injection attacks with the corresponding explanations. allows an attacker to delete information with the intent to cause harm or delete log or audit information in a database

compromised availability of data

Match the SQL injection attacks with the corresponding explanations. involves the alteration of the contents of a database

compromised data integrity

What is a good indication of shellcode being traversed across the network? detecting a pattern of code that contains a sequence of JUMP instructions detecting a pattern of code that contains a sequence of RETURN instructions detecting a pattern of code that contains a sequence of NOP instructions detecting a pattern of code that contains a sequence of ESC instructions

detecting a pattern of code that contains a sequence of NOP instructions

What is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the root directory of the web server? XSS web redirection directory traversal HTTP 302 cushioning iFrames

directory traversal

What is the primary infection vector for the Emotet malware? JavaScript Notepad VMware OVA email messages

email messages

Which method allows an attack to use a compromised computer to attack other computers within the same network? pivoting DNS tunneling XSS SQL injection Punycode

pivoting

What kind of response message can a root name server send to the DNS recursor to inform it to ask the gTLD name servers for the .com domain name space? referral global ephemeral hierarchical

referral

Which type of cross-site scripting attack only requires that the malicious script is embedded in a link? stored reflected request forgery injected

reflected

Match the Metasploit payload type to its explanation. self-contained and completely standalone

singles

What are the three basic types of payloads within the Metasploit framework? (Choose three.) singles stagers stages crypto active

singles, stages, stagers

Match the Metasploit payload type to its explanation. set up a network connection between the attacker and victim, which is compact and reliable

stagers

Match the Metasploit payload type to its explanation. downloaded by stager modules

stages

Referring to the URL being accessed that is shown here, which encoding is used to represent the URL in ASCII? www.xn--gwtq9nb2a.jp Unicode Punycode UTF-32 EUC

punycode

Which protocol uses the well-known TCP port 110? POP IMAP SMTP DNS

POP

DNS listens on which well-known ports? TCP port 53 and UDP port 53 UDP port 67 and UDP port 68 TCP port 21 and TCP port 22 TCP 161 and UDP 161

TCP 53; UDP 53

targets Java runtime environment, drops ransomware on target systems

neutrino

largely targets adobe flash vulnerabilities and it largely safe from anti virus detection

nuclear

initiated by a client

odd-numbered identifier

Request was successful

200: OK

Match the SMTP client reply code with its function. success

2xx

Resource moved permanently

301: moved permanently

Match the SMTP client reply code with its function. OK so far

3xx

Requires authentication with server

401: unauthorized

Access denied

403: forbidden

Not found

404

Proxy Authentication Required

407

maps hostnames to IPv6 address

AAAA`

Which SQL command is used to modify the database structure? UPDATE CHANGE ALTER EDIT

ALTER

Which two statements are true regarding an SQL injection attack? (Choose two,) An SQL injection attack involves the alteration of SQL statements that are used within a web application by using attacker-supplied data. An SQL injection attack involves the alteration of SQL statements that are used within an email application by using attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks. SQL injection is not a potentially destructive attack and is considered as a minor threat to web application when compared to other attacks.

An SQL injection attack involves the alteration of SQL statements that are used within a web application by using attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks.

Which language is used to describe the style and display properties of an HTML web page? CSS XSS XML CSRF

CSS

What are two types of Windows memory-based protection measures that can be deployed to combat the use of shellcode? (Choose two.) DEP defender ASLR PowerShell

DEP ASLR

What is the primary thing that pivoting allows an attacker to do? Escalate the privilege of the attacker on the compromised system Expand the access for the attacker after gaining a foothold in the network.. Establish a persistence presence on the compromised system. Hide tracks of the attacker to avoid detection.

Expand the access for the attacker after gaining a foothold in the network..

Which three are valid HTTP request methods? (Choose three.) GET QUIT PUT HEAD FETCH

GET PUT HEAD

Which three are SMTP commands? (Choose three.) HELO QUIT DATA SEND SAVE

HELO DATA QUIT

What are two features of HTTP/2? (Choose two.) HPACK, a stateful header compression mechanism, is available to compress header frames. HTTP/2 streams allow concurrent multiplexing of different HTTP request/response exchanges over different TCP connections. HTTP/2 does not allow an unsolicited push of data from the server to the client. Messages are processed more efficiently by using binary message framing. HTTP/2 is a stateless protocol.

HPACK, a stateful header compression mechanism, is available to compress header frames. Messages are processed more efficiently by using binary message framing.

Which protocol is typically used as the communication channel between the client and the DDNS provider? HTTP/HTTPS DHCP ARP ICMP

HTTP/S

maps mail servers to domain

MX

Which statement is true regarding a persistent XSS attack? The attacker embeds the malicious code within the page that is stored on the web server itself. The attacker includes HTML code within a link to a web address. XSS is also called a reflected attack. A persistent XSS attack involves the alteration of SQL statements that are used within a web application.

The attacker embeds the malicious code within the page that is stored on the web server itself.

Which three are valid SQL commands? (Choose three.) SELECT UPDATE DESTROY ALTER MODIFY

UPDATE- modifying data SELECT- exfiltrating data ALTER- modifying database structure

very versatile and utilizes a robust toolkit

angler

When a URL is encoded to hide an attack, what value can the forward slash (/) character be encoded as? %20 %2f %3c %5c

%2f

What is the default port for HTTPS? 443 8080 80 22

443

Match the SMTP client reply code with its function. temporary failure

4xx

Match the SMTP client reply code with its function. permanent failure

5xx

maps hostnames to IPv4 address

A

Which entity, that issues and signs digital certificates, is trusted by the browser? Certificate Authority Certificate Notary Certificate Controller Certificate Licensor

Certificate Authority

Which three are important distinctions of HTTP? (Choose three.) Cookie information is sent in the URL. Cookie information is sent in the URI. Cookie information is sent in the response header. Cookie information is sent in the request header. Cookie information is sent in the request body. Cookie information is sent in the response body. Cookie information is sent via the response codes. Cookie information is always private and encrypted. Cookie information is stored on the client's browser.

Cookie information is sent in the response header. Cookie information is sent in the request header. Cookie information is stored on the client's browser.

Regarding DDNS, which two statements are true? (Choose two.) Attackers dislike using DDNS due to its inflexibility. DDNS is a popular choice for home users who wish to host a website. Clients often use DHCP to communicate to the DDNS provider. DDNS is useful in residential networks because the IP subnets don't change. DDNS is often used by attackers for CnC servers.

DDNS is a popular choice for home users who wish to host a website. DDNS is often used by attackers for CnC servers.

Which statement is true regarding DNS tunneling? DNS tunneling involves the tunneling of DNS through other protocols. DNS tunneling involves tunneling of other protocols through DNS. DNS traffic is always monitored on all networks for suspicious activity. So DNS tunneling cannot pose any significant risk to a network. In DNS tunneling, traffic is usually initiated from the server to the client.

DNS tunneling involves tunneling of other protocols through DNS.

SQL injection attacks typically allow an attacker to perform which malicious activity? Inject operating system commands to the vulnerable SQL database server. Inject operating system commands to the vulnerable web server that has a trust relationship to the SQL database server. Inject malicious SQL queries to obtain sensitive information from the back-end SQL database. Inject malicious HTTP GET requests to obtain sensitive information stored on the SQL database of the web server.

Inject malicious SQL queries to obtain sensitive information from the back-end SQL database.

Which two languages are commonly used in client scripting? (Choose two.) JavaScript VBScript Perl PHP Python

JavaScript Visual Basic Script

Which resource record type is used to display the mail servers for a domain? CNAME MX AAAA PTR

MX

identifies the name servers for a zone

NS

Regarding the obfuscation of JavaScript, which two statements are true? (Choose two.) Obfuscation is a way to hide the real meaning and intent of JavaScript code. Adding comments to the JavaScript to explain about the code is a form of obfuscation. Automatically renaming variables as short meaningless names to make the code less readable and harder to understand is a form of obfuscation. Once the JavaScript is obfuscated, it will be indecipherable.

Obfuscation is a way to hide the real meaning and intent of JavaScript code. Automatically renaming variables as short meaningless names to make the code less readable and harder to understand is a form of obfuscation

maps IP address to hostname

PTR

Match the Metasploit payload type to its explanation. helps circumvent restrictive outbound firewalls

PassiveX

What is the purpose of HTTP/2 stream prioritization? The application layer negotiates which protocol should be performed over a secure connection. Prioritization allows an endpoint to express how it prefers its peer to allocate resources when managing concurrent streams. Prioritization guarantees that the stream will be processed or transmitted in a particular order. Prioritization allows an endpoint to force a peer to process concurrent streams in a particular order.

Prioritization allows an endpoint to express how it prefers its peer to allocate resources when managing concurrent streams.

Why is Punycode required? Punycode represents internationalized domain names as ASCII-only characters. Punycode allows the use of ASCII and Unicode characters in the domain names. Punycode allows the use of non-ASCII characters in the URLs. Punycode supports domain names and URLs using only Unicode characters.

Punycode represents internationalized domain names as ASCII-only characters.

What are three uses for the utility nslookup? (Choose three.) Query DNS servers for A records. Display the default DNS server . Display all mail servers for a domain. Display owner information about a domain.

Query DNS servers for A records. Display the default DNS server . Display all mail servers for a domain.

Which statement is true regarding reflective DLL injection? Reflective DLL injection is a technique whereby a stage payload is injected into a compromised host process running in memory; therefore it is never written to the target hard drive. Reflective DLL injection is a feature that is built into some CPUs to prevent code from executing in certain areas of memory. Reflective DLL injections are Windows stager-based payloads that have distinct advantages and disadvantages. Reflective DLL injection works with stage payloads to perform a specific task.

Reflective DLL injection is a technique whereby a stage payload is injected into a compromised host process running in memory; therefore it is never written to the target hard drive.

What is a characteristic of SQL? SQL is a browser (client-side) scripting language. SQL is used to create static and dynamic web pages. SQL is used to query, operate, and administer a relational database. The most common operation in SQL is to query for information, which makes use of the SQL query command. SQL is a server-side scripting language.

SQL is used to query, operate, and administer a relational database.

What are three characteristics of scripting? (Choose three.) Scripting is always safe and useful. Scripting can be used to deliver malware. Scripting can be used to redirect the user to malicious websites. Scripting is primarily used to create dynamic content on a web page. Scripting languages are harder to learn and faster to code in than structured and compiled languages.

Scripting can be used to deliver malware. Scripting can be used to redirect the user to malicious websites. Scripting is primarily used to create dynamic content on a web page.

Which two statements are true about shellcode? (Choose two.) Shellcode is the payload that is attached to an exploit that will execute the action the attacker desires. Shellcode is a means of hiding the real meaning of any code or program. Shellcode payloads come in four variations: staged, unstaged, multistaged, and none. DEP and ASLR are the methods that can be used to combat the shellcode attack. When shellcode is used in plaintext traffic, it is very difficult to detect.

Shellcode is the payload that is attached to an exploit that will execute the action the attacker desires. DEP and ASLR are the methods that can be used to combat the shellcode attack.

What happens to the victim's browser during an HTTP 302 cushioning? The browser is redirected to the malicious web page that delivers the exploit to the victim's machine through a series of HTTP 302 redirections. The browser displays the HTTP 302 redirection warning and prevents the web redirection to the malicious web page that delivers the exploit to the victim's machine. The browser executes the malicious script and is then redirected to the malicious web page that delivers the exploit to the victim's machine. The browser loads the iFrame and is then redirected to the malicious web page that delivers the exploit to the victim's machine.

The browser is redirected to the malicious web page that delivers the exploit to the victim's machine through a series of HTTP 302 redirections.

In dynamic DNS, the term "dynamic" refers to which two of the following characteristics? (Choose two.) The client's IP address changes frequently. The client has a dynamic IP address range. The hostname of the client's machine changes frequently. The client's IP address is not routable.

The client's IP address changes frequently. The client has a dynamic IP address range.

What is the first step in the email process? The client receives email from the mail server. The sending MTA looks up the MX record for the receiving domain. The sending MTA sends email over SMTP to the receiving MTA. The sending client sends email to the sending MTA.

The sending client sends email to the sending MTA.

Which type of web-based attack uses malicious scripts that are injected into otherwise benign and trusted websites? The malicious scripts are then served to other victims who are visiting the infected websites. XSS web redirection directory traversal HTTP 302 cushioning

XSS

Regarding exploit kits, which option best explains a shadow domain? a second-level domain that is registered by a malicious person using compromised domain registration information from a legitimate site the series of redirects that a web browser goes through when a web page is unavailable due to being moved websites set up by company's information security teams to act as a "honey pot" to catch malicious actors who may try to deface their website domains that are registered with dynamic DNS or fast flux DNS services to keep the domain and IP addresses frequently rotating to prevent detection by scanning tools

a second-level domain that is registered by a malicious person using compromised domain registration information from a legitimate site

Match the SQL injection attacks with the corresponding explanations. allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password

authentication bypass

What is a DNS server that is responsible for the RRs for its zones considered to be? canonical recursive distributed authoritative

authoritative

What is the primary goal of an attacker when using an iFrame or HTTP 302 cushioning? help the user find the correct web page location ensure that the victim's web browser ends up on the attacker's web page, which serves out the malicious exploit to the victim offer a secure transaction in a web page protect against malware infiltration

ensure that the victim's web browser ends up on the attacker's web page, which serves out the malicious exploit to the victim

initiated by the server

even numbered identifier

Which three are valid fields in the Set-Cookie HTTP header? (Choose three.) Expires Domain Session Encrypted Path

expires domain path

What is typically used by the attackers as a launching platform to deliver the payload to the targeted system? exploit kit day zero malware CnC channel SQL injections

exploit kit

What is the functional purpose of the HTTP 302 response code? alert users that an attack is underway identify a temporary URL redirection for a website and redirect the user to it ask for authentication of the user alert the user that the web page is no longer available

identify a temporary URL redirection for a website and redirect the user to it

Which vulnerability is required to make SQL injection attacks possible? improper user input validation by the web application improper SQL database schema improper trust relationship between the web application and the SQL database improper SQL syntax validation by the SQL database

improper user input validation by the web application

Match the SQL injection attacks with the corresponding explanations. allows an attacker to obtain, either directly or indirectly, sensitive information in a database

information disclosure

Which exploit kit component consists of code that gathers data about a victim's computer and finds vulnerable applications? payload delivery page landing page downloader page command-and-control page

landing page

commonly utilized to drop ransomware on target systems

magnitude

Match the Metasploit payload type to its explanation. advanced, multifaceted payload that operates via DLL injection

meterpreter

What is the primary motivation behind the Emotet campaign? espionage entertainment money revenge

money

Which three options are reasons for using HTTPS? (Choose three.) for the web server to authenticate the browser using an EAP method to encrypt the data that is sent between the browser and the web server to ensure the identity, trust, and validity of the web server to ensure that the data that is sent between the browser and the web server cannot be decrypted then re-encrypted by a man-in-the-middle to avoid detection when used to transport the attack CnC traffic

to encrypt the data that is sent between the browser and the web server to ensure the identity, trust, and validity of the web serve to avoid detection when used to transport the attack CnC traffic

Which two methods are commonly used by attackers to obfuscate their malicious JavaScript code? (Choose two.) using white-space characters and line breaks throughout the code without altering its functionality using meaningful variable names in the JavaScript code to make the code more readable using character codes and string manipulation that is combined with the misuse of eval expressions 'eval()' using self-learning source code that automatically sets the encoding variable key used during the encoding process

using white-space characters and line breaks throughout the code without altering its functionality using character codes and string manipulation that is combined with the misuse of eval expressions 'eval()'

"Münich" is encoded as "mnich-kva" using Punycode. An internationalized domain name adds what which set of characters in front of the Punycode-encoded "mnich-kva"? %255c xn-- / %p

xn--

used for connection control messages

zero (0x0) identifier