deck_2250368 Flashcards

Q1: What kind of intellectual property components grant the right to exclude others from selling an invention in the United States?

A1: Patents. A patent for an invention is the granting of a property to the inventor, issued by the Patent and Trademark Office. The right conferred by the patent grant is, in the language of the statute and of the grant itself, the right to exclude others from making, using, offering for sale, or selling the invention in the United States or importing the invention into the United States. Copyrights protect original works of expression, such as novels, fine and graphic arts, music, phone records, photography, software, video, cinema, and choreography, by preventing people from copying or commercially exploiting them without the copyright owner’s permission. Trademarks protect brand names and distinctive words, phrases, logos, symbols, slogans, and any other devices used to identify and distinguish products or services in the marketplace. Trade secrets protect sensitive information required for your business.

Q2: Which of the following describes sensitive intellectual property critical for your business?

A2: Trade secrets. Trade secrets protect sensitive information required for your business.

Q3: When a competitor creates a similar-looking but not identical mark, what are they using to attack the trademark?

A3: Confusion. Beyond counterfeiting a mark, an attacker could create a similar-looking mark to achieve confusion. Confusion involves a similarity in the overall impression created by the two marks, including the marks’ looks, phonetics, and underlying meanings.

Q4: What type of intellectual property would be protected by a copyright?

A4: An original artistic or literary work. A trademark prevents someone from using a similar mark. A copyright protects an original artistic or literary work. A patent protects an invention.

Q5: What is fair use of copyrighted material?

A5: An exception to the rights of a copyright holder that permits limited, third-party use of the material. Fair use limits the right of a copyright owner for purposes such as criticism, news reporting, teaching, and research. In general, nonprofit educational use is more acceptable. The amount of material copied is an issue. The economic effects should also be considered.

Q6: Most incident handlers move between two steps in their daily activity. Preparation is one step. What is the other step?

A6: Identification. The steady-state, day-to-day practices of most incident handlers are the first two steps: preparation and identification. Much time is spent getting ready to fight the next battle and looking for events that could be signs of trouble.

Q7: Of the following choices, which is an example of an event?

A7: Packet flooding within a network. Packet flooding within a network (which could be bursty legitimate traffic) is an example of an event. Events are observable, measurable occurrences in computer systems. An event is an occurrence that someone either directly experienced or that can be shown to have actually occurred. An event is something that is seen as a flash on the screen or is heard. It can also be something that is known to have occurred because it was collected in a log or audit file.

Q8: What are the steps of incident handling?

A8: Preparation, identification, containment, eradication, recovery, and lessons learned. The correct steps are preparation, identification, containment, eradication, recovery, and lessons learned.

Q9: In incident handling, what step must precede the containment phase?

A9: Identifying an incident’s existence. Once an incident has been defined, then you can move into the containment phase. Eradication, recovery, and lessons learned occur after containment.

Q10: What defines a security incident?

A10: Harm done or threatened to a system. An incident refers to harm or the significant threat of harm.

Q11: Why is an incident-handling plan important?

A11: It will help you be prepared when an incident occurs. All systems on the Internet will be subject to an incident at some point. It is important to have a plan in place for when this happens. Training your team on what to do is important, but it is not the reason for incident handling; instead, it is a form of preparation for incident handling.

Q12: Which of the following is the best choice for inclusion in a policy that governs the handler’s access to production systems during an incident?

A12: A process by which incident handlers can obtain necessary access during an incident. The incident-handling team must be able to access systems without the okay of system administrators. One idea is to keep passwords in a sealed envelope, although handlers should never use a privileged password unless they are qualified on that operating system. As encryption becomes ever more prevalent, an organization must set policy as to who owns secret keys and passphrases.

Q13: What should you consider before electing to use a video camera to record the incident-handling process?

A13: The tape may contain more information than you want to give away if the case goes to court. Some organizations prefer to use video cameras. However, keep in mind that if your case does go to court, during the discovery process, you may have to turn the tape over to the opposing side. A tape may contain far more information about your operation than you want to give away.

Q14: Which of the following can be used to limit the presumption of privacy?

A14: Warning banners. Warning banners limit the presumption of privacy.

Q15: Which of the following would be a reason to notify law enforcement of a security incident?

A15: Threat to public safety. When there is a threat to public safety, you must notify law enforcement.

Q16: When should you first contact local law enforcement regarding incident handling?

A16: Before an incident happens in order to develop contacts. It is important to develop a relationship with your local law enforcement representatives before an incident occurs. This will give you the right contacts so you do not waste time during an incident. Having the relationship in place can only help when dealing with legal issues.

Q17: What can be used to reduce stress and the resulting errors on an incident handler during an incident?

A17: A checklist. Contact lists and secure communications are important and useful, but they focus on communications, which may or may not help reduce stress and lead to mistakes. Practice is extremely important, assuming you are correctly practicing the right thing. A checklist, however, provides direction and avoids many anticipated mistakes, which can reduce stress on the handler. Having a checklist to refer to on how to bring down a system or back up a system can help prevent errors and reduce the stress on the handler.

Q18: What is the primary role of management regarding incident handling?

A18: To approve procedures and policy before an incident occurs. The most important job that management has is to review the incident-handling process during the preparation phase and give their buy-in to the procedures. Management should also be given a status during the incident, but it is rare for a manager to be doing the hands-on work during an incident.

Q19: How would an incident handler define a war room?

A19: A secure room with copies of evidence from relevant incidents. A war room is a secured location where the incident-handling team can display evidence for analysis.

Q20: Why might an organization decide against involving law enforcement after a computer security incident?

A20: Loss of control over how the incident is handled. Law enforcement may compel an organization to keep systems open and exposed to continued hacking. Law enforcement may have different goals in the case, and the organization could lose some control of how the incident is handled.

Q21: What part of an organization is an attacker most likely to target when attempting to socially engineer the organization?

A21: The help desk. If an attacker attempts to socially engineer an organization, one likely group is the help desk.

Q22: What must an incident handler do during the initial phases of an incident?

A22: Be calm and methodical about taking notes. It is extremely important to remain calm and not rush yourself when handling an incident. Taking notes is very important and should not be put off until you have time, as your memory may not be 100% after working on the incident.

Q23: Which of the following organizations support interaction between law enforcement and commercial companies?

A23: HTCIA and Infragard. Contact local law enforcement before there is an incident. Get to know them through a local chapter of the HTCIA, ECTF, or Infragard, if such chapters exist in your area. Do a joint exercise with them and ask them questions in advance to try to determine what they are and are not interested in.

Q24: At what levels can events be detected during the identification phase?

A24: The network perimeter, the host perimeter, and the system level. Identification can occur at any of the following three levels: (1) the network perimeter, (2) the host perimeter, and (3) the host (or system) level.

Q25: Your incident-handling team has determined your organization has been hit by a virus that takes advantage of a specific version of a PDF reader. Your team is gathering a list of potentially affected users based on your software inventory. What stage of the incident-handling process is occurring?

A25: Identification. There are many questions that need to be asked during the initial assessment of an incident in order to determine whether it is an actual incident or an event and to assess the severity of the incident. One way to determine the severity is to ask yourself how widely the affected application or system is deployed in your environment. Deciding if an application should be ported to another operating system is important in the recovery and lessons-learned phases. Jump bag contents should be decided upon early in the preparation phase, and realizing what you have learned is the last step, the lessons-learned phase.

Q26: What can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools?

A26: Host perimeter. The host perimeter border can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools.

Q27: Which port does the Tini Trojan horse command shell tool listen on, by default?

A27: TCP/7777. Tini, a common Trojan horse backdoor remote command shell tool, listens on TCP port 7777 by default.

Q29: What would you use in conjunction with the tasklist command to determine which services have started?

A29: Net start. At the command line, to get a list of running services, you could execute the following command: C:\> net start.

Q30: In order to identify an incident, what devices on the network perimeter would you examine?

A30: Routers. The network perimeter is monitored by firewalls, routers that generate logs, external-facing intrusion detection systems, intrusion prevention systems, and other machines on the DMZ. These systems can provide earlier warnings about attacks as they monitor your borders with the Internet and other external networks.

Q31: In order to identify an incident, what devices at the host perimeter would you examine?

A31: Port sentry tools. The host perimeter is where you monitor activities across each host system’s interface and analyze what the machine is sending out to, and receiving from, the network. This border can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools.

Q32: In order to control the flow of information during an incident and/or investigation, what process or policy must you follow?

A32: Need to know. Limiting knowledge of an incident to the minimum number of people with an absolute need to know stops the rumor mill and avoids legal ramifications and/or tipping off a potential insider perpetrator.

Q33: When dealing with an incident, which form of communication should be used to keep from tipping off the perpetrator?

A33: Out of band. Make sure to use out-of-band communications when dealing with an incident. If you use the same channels in which an incident occurred, you could tip off the perpetrator and/or continue the incident by using compromised channels.

Q34: What is the goal of the identification phase of incident handling?

A34: Gather events, analyze them, and determine whether an incident exists. The goal of the identification phase is to gather events, analyze them, and determine whether an incident exists.

Q35: How many individuals should be in charge of managing an incident?

A35: One. If one person is not in charge, no person is in charge. For an incident to be successfully managed, one person always needs to be in charge and accountable.

Q36: If an incident has two handlers, what is the preferred approach to note taking?

A36: Both people take notes, because two accounts of the incident are better than one. During an incident, you should always take notes. Having an assistant take notes as well is important, but it does not relieve you of the responsibility.

Q37: Which tool can be used to make a complete bit-by-bit backup of a system’s hard drive?

A37: dd. If possible, make a binary or bit-by-bit backup using dd.

Q38: To keep from losing valuable data, which of the following will a handler need to collect for incident handling or forensics?

A38: Both memory and file-system images. Grab an image of memory as well as the file system. The ideal image is the binary, bit-by-bit image; this gets everything on the disk, including deleted and fragmentary files.

Q39: When extended downtime is acceptable, what phase can you move into from containment?

A39: Eradication. After creating forensic images, you move on to the eradication phase when extended downtime is acceptable.

Q40: Who is the most appropriate sponsor for an incident-handling team?

A40: Senior legal counsel. Your incident-handling team should have a senior member of management as its sponsor. This manager can help to clear out obstacles when you are under fire. To do that, you should strive to find a sympathetic senior manager, such as a chief information security officer (CISO), chief information officer (CIO), senior legal counsel, or another related position that makes the most sense in your organizational structure.

Q41: Before dropping or pulling a system from the network, who do you need to inform and obtain approval from?

A41: Business unit. Containment (both short- and long-term) might stop the system from performing various business actions. Therefore, make sure you get approval before taking action that will impact business. Call the business unit teams before dropping a system.

Q42: What three areas does FIRST recommend using to characterize incidents?

A42: General category, criticality, and sensitivity. The FIRST organization distributes an incident case classification document that recommends characterizing incidents based on three areas: (1) the general category, (2) the criticality of impacted systems and data, and (3) the sensitivity with which information about the case itself should be treated.

Q43: What is the goal of the containment phase of incident handling?

A43: Minimize the damage. The goal for containment is to stop the bleeding.

Q44: During the containment phase, why should an incident handler carefully avoid blaming any individual for an incident?

A44: Initial assumptions are often wrong, and a handler needs cooperation at this phase of an investigation. Often the facts change as more information becomes available during an incident. Early assumptions are often proved wrong. If you were to blame an individual and the facts later showed that the person was not at fault, your credibility would be lost, at least in that part of the organization.

Q45: What are the three subphases of containment?

A45: Short-term, system backup, and long-term. Containment includes three subphases: (1) short-term containment just to stop the damage, (2) system backup, and (3) long-term containment to make sure the bad guy is denied access.

Q46: In what type of incident can coordination with an ISP be especially helpful for containment?

A46: Denial-of-service packet floods. ISPs are the only ones who can reliably stop a DoS attack before it hits your network, since they are upstream.

Q47: Which activity is a sure sign of an inexperienced incident handler and should be avoided during the initial analysis portion of the containment phase?

A47: Sending an ICMP echo request to the source machine. Rookie incident handlers can be spotted a mile away with a network-logging system. They find an attack apparently coming from some IP address. So they ping the address, then they do an nslookup. Sometimes, they even Telnet to it.

Q48: Who on the incident handling team will actually write the incident report?

A48: On-site handler. The only one that can or will write the report is the on-site handler. The handler submits the draft to the head of the incident-handling team.

Q49: How soon after resuming production should a lessons-learned meeting be conducted?

A49: Two weeks. The lessons-learned meeting should occur within two weeks of resuming production, while the events and report are still fresh in people’s minds.

Q50: What does an incident response team do during the lessons-learned phase?

A50: Develop a report based on the incident. The lessons-learned phase requires the person handling the incident to document the findings and issue a report. Everyone involved in handling the incident should sign off on the report, agreeing to its contents.

Q51: What is the purpose of lessons learned?

A51: To learn from our mistakes and provide continuous process improvement. The main purpose of lessons learned is to learn from our mistakes and to improve the process of incident handling and report creation.

Q52: What will you find when you examine the trust relationships of an affected system during an incident?

A52: Which additional systems may be affected by the incident. Trust model is a term used to refer to the set of permissions or trusts between systems. Which systems can the affected system access? Which systems can be used to access the affected system? Determining the trust model gives you an idea of the possible scope of the problem, as well as an idea of possible attack vectors.

Q53: You discover that some of your users have received an e-mail claiming to be from Microsoft telling them to install the Windows OS patch attached. How should you react?

A53: Find out how many users received the e-mail and spread the word that it is not to be installed. It is important to not spread rumors or unnecessary information during an incident. If your users are all receiving e-mail such as this, they are all possible victims and they should all be warned. This is an example of when it is important to spread the word to avoid possible exploitation of users’ workstations. For the record, Microsoft does not send out patches via e-mail. You should also educate your users to never install software or patches they receive in e-mails, no matter who the source claims to be.

Q54: For any business, which of the following is the most likely target of an espionage attack?

A54: Intellectual property. The physical differences between your organization and your competition are probably minimal. The trade secrets, marketing contacts, business plans, and other intellectual property make all the difference. The odds are fairly high that these crown jewels are the target.

Q55: What threat can an active security awareness program address most effectively?

A55: Casual, nondestructive insider. Many casual threats come down to a lack of awareness on the employee’s part. You must make sure your awareness activities deal with each of these aspects of security.

Q56: What kind of threat is posed by an insider who sells company secrets to the competition?

A56: Intentional, nondestructive. A casual threat usually stems from the employee’s lack of understanding. The employee does not mean to cause any harm, and if the employee realized his or her actions were causing harm, he or she would stop. Acts with a nondestructive intent are usually perpetrated by those that do not want to draw attention to the intrusion. They plan to gather data for a long period of time, may plant a backdoor for later use, and are careful to cover their tracks.

Q57: What type of insider threat disables antivirus and downloads untrusted programs?

A57: Casual, destructive. Casual, destructive insider threats include disabling antivirus programs and downloading untrusted programs.

Q58: Which of the following is a great way to thumbprint critical files?

A58: Invent an acronym that does not actually exist and plant it into the document. A great way to thumbprint critical files is to invent an acronym that does not actually exist and plant it into the document.

Q59: Which of the following insider threats is potentially the least harmful to the organization?

A59: Casual, nondestructive. Casual, nondestructive insider threats are the least harmful to an organization and generally include forwarding emails and/or leaving doors open.

Q60: What type of insider threat includes deleting data and website defacement?

A60: Intentional, destructive. Examples of intentional, destructive insider threats include logic bombs, website defacement, and deleting data.

Q61: Who is most likely to be prosecuted for espionage?

A61: Trusted insider. Almost every case of espionage prosecuted by the U.S. government involved a trusted insider.

Q62: Why is it important to hash your log files?

A62: To preserve their integrity. By hashing (file integrity) your log files, you are preserving their integrity to ensure that they have not been altered.

Q63: When handling an incident involving e-mail, which of the following is most important to determine?

A63: Whether the message came from inside or outside of the organization. In order to track down the sender of a message, and to determine the message’s route into an organization, it is important to determine if it was generated internally or externally.

Q64: Unknown to you, a new employee was actually hired by a competitor to obtain your proprietary information. Which type of threat is this?

A64: Intentional threat. The intentional, nondestructive insider threat is the hardest to detect. The goal of this type of threat is usually theft of trade secrets/proprietary information. The intentional, destructive threat is performed by a disgruntled employee and is considered purposeful sabotage. The casual threat usually stems from an employee’s lack of understanding. The casual, nondestructive threat includes the “forgot to or did not realize I could not do that” threat. The casual, destructive threat includes not utilizing the latest virus detection file.

Q65: What action allows an attacker to grab all records associated with a DNS domain?

A65: Zone transfer. A zone transfer allows an attacker to connect with your DNS server and grab all records associated with a particular domain.

Q66: For what purpose is the following Google search designed? Wireless site: somecompany.net

A66: The purpose is to search for all instances of the term wireless on the somecompany.net website. The search wireless site: somecompany.net will produce a search result for the term wireless limited to the site somecompany.net.

Q67: What should you do when downloading software from a mirrored site?

A67: Hash and compare signatures. Make sure you check the PGP signature as well as the MD5 and SHA-1 hashes from multiple mirrors when you download new or existing versions.

Q68: Which of the following sites can provide domain name registration lookup for over 200 countries?

A68: www.uwhois.com. ARIN is the American Registry for Internet Numbers. RIPE NCC is the Réseaux IP Européens Network Coordination Centre. APNIC is the Asia Pacific Network Information Centre. www.uwhois.com provides information for over 200 different countries.

Q69: What file would an organization need to alter in order to keep a page on their site from being searched by Google?

A69: Robots.txt. To get Google to remove you, you not only have to request page removal using their form, you also have to alter the website’s robots.txt file or alter the page’s meta tag to indicate that you really want it removed.

Q70: What tool would you use to find the IP address of www.something.com, natively, on a Windows machine?

A70: Nslookup. The nslookup command will reveal the IP address associated with a designated domain name.

Q71: What tool can be used to interrogate DNS servers?

A71: Nslookup. Nslookup is a program that can be used to interrogate DNS servers.

Q72: What tool can no longer perform zone transfers?

A72: Linux nslookup. In the latest versions of Linux nslookup, the command has been stripped so that it cannot perform zone transfers, a useful technique for getting a lot of information about a target domain.

Q73: Which of the following choices is used for reconnaissance?

A73: Whois database. One of the best tools to use for reconnaissance is a whois database, many of which exist on the Internet.

Q74: How can you identify if someone has performed a whois reconnaissance on your organization?

A74: You cannot really tell whether someone has looked you up. The problem with identification is that you cannot really tell whether someone has looked you up.

Q75: What taxonomy was established by MITRE to help standardize the descriptions of attacks?

A75: Common Vulnerabilities and Exposures. CVE is the Common Vulnerabilities and Exposures taxonomy established and maintained by MITRE. It is used to help identify particular attacks so we are using the same vernacular.

Q76: Which of the following Google directives allows you to search only within a given domain?

A76: Site. The site directive allows an attacker to search for pages on a single site or domain, narrowing down and focusing the search.

Q77: Which of the following Google directives provides the same information already provided by the link or related directives?

A77: Info. The info directive is not very useful. It returns a bunch of data, including results from link and related searches, as well as cached pages.

77
Q

Q78: When reviewing your Web logs, you notice that someone has accessed all your Web pages in a short time period. Which of the following did the perpetrator use?

A

A78: Web spider. When a Web admin reviews the Web logs, an indication that someone has used a Web spider (also known as a Web crawler) to access every page on the site in a short period of time (say, within 5 minutes) would show up easily.

78
Q

Q79: After a perpetrator has completed reconnaissance on a site, what is likely to be the next step in their attack?

A

A79: Scanning. Once a perpetrator has performed the appropriate level of reconnaissance on a site, his or her next steps are to scan, exploit the system by gaining access, and cover his or her tracks.

79
Q

Q80: What protocol and port are used by a normal DNS query when resolving the name for a website?

A

A80: UDP port 53. Normal DNS queries and responses use UDP port 53.

80
Q

Q81: Which protocol and port are typically used for zone transfers?

A

A81: TCP port 53. Zone transfers use TCP port 53.

81
Q

Q82: What is war driving?

A

A82: Driving around looking for wireless network access points with a laptop and suitable software. War driving is driving around with a computer and a wireless receiver while scanning for available wireless networking carriers. You can also scan while walking (war walking), biking (war biking), etc.

82
Q

Q83: Which of the following tools can be used to perform highly distributed war-dialing attacks?

A

A83: THC-Scan Next Generation. THC-Scan Next Generation was written to allow for highly distributed war-dialing attacks. An attacker can use a botnet with 10, 100, 10,000 or more modems on victim machines to do the dialing now.

83
Q

Q84: When conducting evening desk-to-desk checks for unauthorized modems, the security team should always follow which rule?

A

A84: Use the buddy system, where two or more people go into each office or cubicle. When you do desk-to-desk checks, you should always employ the two-person rule (a.k.a. the buddy system). With an explicit two-person team checking for unwanted/unregistered modems, you will not be subject to claims of unfairness or, worse yet, theft from people’s desks. If a single person checks for modems late at night and something turns up missing from someone’s desk, you may have significant problems.

84
Q

Q85: What does a war dialer attempt to identify when it dials a phone number?

A

A85: Modems. War dialers are looking for modem carriers or a secondary dial tone. Once a modem is located, further steps are required in order to exploit it.

85
Q

Q86: Which of the following is an effective way of detecting entry points created by modems connected to computers within the corporate network?

A

A86: Perform periodic war-dialing scans against the company’s phone numbers. An effective, nondisruptive way of protecting a network against entry points created by modems connected to computers within the corporate network is to perform periodic war-dialing scans against the company’s phone numbers. In this way, an administrator will see the network from the perspective of someone attempting to compromise the network and be able to detect any rogue modems that exist on the network.

86
Q

Q87: Which tool can be used to crack WEP keys after the attacker sniffs about 50 to 100 megabytes of data?

A

A87: Aircrack-ng. With tools like Aircrack-ng, the attacker needs to sniff about 50 to 100 megabytes of data, which can often be done in 10 to 30 minutes. After grabbing this data, the tool cracks the WEP key, and the attacker can view all data on the LAN recorded earlier and sent later, as long as the WEP key remains constant.

87
Q

Q88: Which WarVOX setting, when defined as the caller ID, can be used in order to bypass PIN authentication settings for some voice mail systems?

A

A88: SELF. WarVOX can be configured with SELF as the caller ID value, which will make it set the Caller ID value to the same number that it is dialing. This option can be used to bypass PIN authentication in some voice mail systems.

88
Q

Q89: Which of the following THC-Scan features consists of sending a predefined string of characters to a discovered modem?

A

A89: Nudging. Nudging sends a predefined string of characters to a discovered modem.

89
Q

Q90: Which of the following tools will record an MP3 file associated with each number dialed and answered?

A

A90: WarVOX. WarVOX will record an MP3 file associated with each number dialed and answered.

90
Q

Q91: Which of the following choices is an effective method of obtaining valid phone numbers for war dialing?

A

A91: Social engineering. War dialers dial a sequence of telephone numbers in an attempt to locate modem carriers or a secondary dial tone. Social engineering is one of the methods for obtaining phone numbers for war dialing.

91
Q

Q92: Which of the following dials a single number to conduct a brute-force attack against passwords?

A

A92: Demon dialers. Demon dialers dial a single number to conduct a brute-force attack against passwords.

92
Q

Q93: What feature of an access point can be used to omit the SSID from its beacon?

A

A93: SSID cloaking. You can configure most access points to omit their SSIDs from their beacons, a feature known as SSID cloaking.

93
Q

Q94: Why is MAC address filtering considered a flawed measure to ensure wireless security?

A

A94: Addresses can be spoofed. While you could allow only traffic from registered MAC addresses, such security is deeply flawed. A MAC address can be easily spoofed (either by using the ifconfig command in Linux/Unix or a free tool called Macshift.exe for Windows).

94
Q

Q95: What is the service set identifier (SSID) on a wireless LAN?

A

A95: The name of a wireless LAN. The SSID is merely the access point(s) identifier. It is not a password, encryption key, or log-in. Not broadcasting it helps avoid giving it away to unauthorized users, but it can be discovered easily in any case.

95
Q

Q96: What tool would you use to find unauthorized wireless access points on the network without alerting the owners?

A

A96: Kismet. Of the tools listed here, Kismet is the best for the job because it runs in passive mode. This means it does not stimulate the network to get a response. Instead, it patiently waits for messages sent across the network and can detect the presence of an access point, as long as traffic is being sent over the wireless LAN. NetStumbler can also be used to find access points, but it is not passive. ASLEAP does not look for access points; it is used to exploit the Lightweight Extensible Authentication Protocol (LEAP).

96
Q

Q97: Which of the following choices is a commonality between TCP and UDP headers?

A

A97: Both contain source and destination ports. The TCP header includes the source and destination ports, as well as other elements that a port scanner will manipulate as it generates packets, such as the TCP control bits. The UDP packet header is simple. It includes the source port and destination port. No sequence numbers are included.

97
Q

Q98: Which of the following Transmission Control Protocol (TCP) flags is used to indicate that data has been received?

A

A98: ACK. Transmission Control Protocol (TCP) has multiple flags that specify how data is handled. The SYN flag is used for synchronization. The ACK flag is used for acknowledgement. The FIN flag is used to end a connection gracefully. The RESET flag is used to tear down a connection. The URG flag is used to send urgent data, and finally, the PUSH flag is used to push data through the TCP stack.

98
Q

Q99: You are analyzing the behavior of a backdoor Netcat listener you started on your local machine using the command: C:\> nc.exe -l -p 34567 -e cmd.exe. You have not yet connected to the listener. You next run the command C:\> netstat -na | find "34567". What output should you expect to see as a result?

A

A99: TCP 0.0.0.0:34567 0.0.0.0:0 LISTENING. You will be able to observe the listening port using the netstat command: C:\> netstat -na. More specifically, look for port 2222 using the netstat command: C:\> netstat -na | find "34567". Since it is simply in a listening state, the addresses will be shown as 0.0.0.0. The lines with nc.exe are generated with the -nab netstat option that additionally shows the process ID and the executable to which it belongs.

99
Q

Q100: Which of the following fields do the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) headers have in common?

A

A100: Source port. The User Datagram Protocol (UDP) has no three-way handshake, sequence numbers, acknowledgment numbers, or control bits; therefore it is a stateless protocol. The UDP packet header is simple. It includes the source port and destination port. No sequence numbers are included.

100
Q

Q101: Which of the following is a characteristic of the User Datagram Protocol (UDP)?

A

A101: It is sessionless. Transmission Control Protocol (TCP) is session-oriented, in that it applies sequence numbers to messages and tries to deliver them in an appropriate order and resends dropped messages. UDP (User Datagram Protocol) makes best-effort delivery, but messages may be dropped or delivered out of order. This makes UDP sessionless.

101
Q

Q102: A legitimate TCP connection is established once the server receives a packet with which of the following?

A

A102: The ACK bit set. All legitimate Transmission Control Protocol (TCP) connections (e.g. Telnet and FTP) are established through this three-way handshake. For the TCP three-way handshake, the client first sends a SYN flag. If the client receives the server’s SYN and ACK, it sends a final, lone ACK. Once the server receives and accepts the ACK, the connection has been established.

102
Q

Q103: What feature of FTP is utilized in an Nmap FTP bounce scan?

A

A103: The ability to forward a file to another system. FTP proxy bounce attacks utilize an ancient feature of FTP servers. These servers allow a user to tell the server to send the file to another system. Using this capability, an attacker can bounce an Nmap port scan off of someone’s FTP server, to help obscure the source of the attack. Make sure that you disable the FTP bounce capability on your public FTP servers.

103
Q

Q104: Which of the following is correct for UDP?

A

A104: It is a stateless protocol. The User Datagram Protocol (UDP) does not have a three-way handshake or sequence numbers; therefore, it is a stateless protocol.

104
Q

Q105: Which tool produced the following output? “(tcp) 10.0.0.17:7855 -> 10.0.0.1:22 Observed for: 584B, 9 packets, spans 5 seconds Matches: SSH1 - client manually accepted key (hit: 1)”

A

A105: Fl0p. Fl0p focuses on passive layer 7 fingerprinting of attack patterns. It helps to identify manual interactions vs. automated attacks.

105
Q

Q106: Which of the following commands may be used to disable the ‘Bonjour Service’ service on a Windows machine?

A

A106: sc config "Bonjour Service" start= disabled. The following command may be used to disable the ‘Bonjour Service’ on a Windows machine: sc config "Bonjour Service" start= disabled.

106
Q

Q107: Which TCP control bit is used to cleanly end a TCP connection?

A

A107: FIN. The TCP FIN bit is used to cleanly end a TCP connection.

107
Q

Q108: Which type of Nmap scan will not work through a properly configured stateful packet-filtering device?

A

A108: ACK. A stateful packet filter remembers the outgoing SYNs, so it will only allow the incoming packet if it is tied to an earlier outgoing packet. Therefore, an ACK scan will not work through a properly configured stateful packet-filtering device.

108
Q

Q109: Nmap sweeps through each target address before it launches a port scan. When running without root privileges on a Linux machine, what type of TCP packet will it send to port 80?

A

A109: SYN. When Nmap is running without root privileges (UID 0), Nmap sends a SYN to port 80 instead of an ACK.

109
Q

Q110: What four packets does Nmap send by default to identify which addresses are in use?

A

A110: ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request. By default, to identify which addresses are in use, Nmap sends the following four packets to each address in the target range: (1) ICMP echo request, (2) TCP SYN to port 443, (3) TCP ACK to port 80, and (4) an ICMP timestamp request.

110
Q

Q111: What is the identification field in the IP header used for?

A

A111: Packet fragmentation. The IP identification field in the IP header is used for packet fragmentation.

111
Q

Q112: What type of connection does FTP use to send commands?

A

A112: Control connection. The FTP control connection, from client to server, is used to send commands.

112
Q

Q113: Which of the following is an ideal use for UDP?

A

A113: Voice or video transmissions. UDP is useful for applications that value speed over reliable delivery, such as voice or video transmissions.

113
Q

Q114: When using Nmap, what is the purpose of running an ARP scan?

A

A114: Identify which hosts are on the same LAN. ARP scans identify which hosts are on the same LAN as the machine running the scan.

114
Q

Q115: Which Snort preprocessor uses multiple virtual defragmentation buffers for reassembling packets?

A

A115: Frag3. Different operating systems reassemble packets differently. The IDS does not necessarily know which method the end system will use, so it could get confused. For example, Snort reassembles packets in the same way as Linux, using the earlier Frag2 fragmentation preprocessor. In November 2004, the Frag3 preprocessor was released, which included multiple virtual defragmentation buffers, making Snort better at handling fragmentation attacks.

115
Q

Q116: Which of the following attacks creates fragments so small that no one fragment contains enough information to match an IDS signature?

A

A116: Tiny fragment attack. Tiny fragment attacks attempt to bypass an IDS sensor by breaking up the packet into multiple fragments, the first being so tiny that it will not match any signatures on the IDS. This attack is detected by most IDS sensors today. The fragment overlap attack is another common fragmentation attack, which is not caught as often.

116
Q

Q117: What type of firewall replaces the headers in packets from the client and then makes a separate connection to the receiver?

A

A117: Proxy. Proxy firewalls make a separate connection to the receiver, and the packet header information is annihilated.

117
Q

Q118: What should an intrusion detection system look at from a fragmented packet?

A

A118: All of the fragments. An intrusion detection system should reassemble the packet to determine if an attack is underway. To do this, it must have adequate resources to maintain the state of all sessions that may be fragmented.

118
Q

Q119: When packets are fragmented on a network, where are they normally reassembled?

A

A119: At the destination host. When IP packets are fragmented on a network, they are typically reassembled when they reach the destination host. The other devices listed typically allow the data to pass through fragmented.

119
Q

Q120: What tool is used to determine which ports are open on a packet-filtering device like a firewall or router?

A

A120: Firewalk. Firewalk is used to send packets through a packet-filtering device to determine which ports are open.

120
Q

Q121: What does the IP use in order to know how to reassemble packet fragments?

A

A121: Fragmentation offset. The fragmentation offset tells IP where in the packet the fragment belongs. The offset indicates how far into the packet the fragment should be placed.

121
Q

Q122: When using Fragrouter, which of the following switches sends data in ordered, 8-byte IP fragments, with one fragment sent out of order?

A

A122: -F3. Fragrouter uses the -F3 switch to send data in ordered, 8-byte IP fragments, with one fragment sent out of order. The other switches are actual switches used by Fragrouter, but they utilize different techniques for fragmenting IP packets.

122
Q

Q123: What does Firewalk do in its network discovery phase?

A

A123: It determines the number of hops between the attacker and the filtering device. During the network discovery phase, Firewalk sends packets with incrementing TTLs to determine how many network hops exist between the tool and the firewall. When a packet reaches its maximum TTL (which is decremented by each hop), the final gateway sends back a time-to-live exceeded message. This is essentially the same function as traceroute, which is used to determine the hop count.

123
Q

Q124: Which of the following choices should you use to edit /etc/inetd.conf or /etc/xinetd.d to stop or delete services?

A

A124: Chkconfig. Red Hat-based versions of Linux leverage chkconfig to edit /etc/inetd.conf or /etc/xinetd.d, as well as your rc.d files.

124
Q

Q125: What Whisker/Nikto Intrusion Detection System evasion technique is shown below? “GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0”

A

A125: URL encoding. URL encoding converts the HTTP request into a different representation by changing ASCII characters into their hexadecimal or other values and prepending them with a % character.

125
Q

Q126: What kind of password attack does the Enum tool perform?

A

A126: Dictionary. Enum performs rudimentary dictionary password attacks using a supplied password list.

126
Q

Q127: CGI programs usually run with which privileges?

A

A127: The privileges of the Web server that initiated the program. CGI/ASP/JSP programs usually have the privileges of the Web server that called them.

127
Q

Q128: What tool can an attacker use to guess user IDs and passwords in a Web application that supports basic authentication?

A

A128: Nikto. For websites that require basic authentication, Nikto offers guessing from a standard list of users and passwords as well as complete brute-force password guessing.

128
Q

Q129: What is the main drawback of a vulnerability scanner?

A

A129: It only detects vulnerabilities it knows about. A vulnerability scanner, like antivirus software, can only detect those vulnerabilities that it knows about. This can sometimes give a false sense of security, due to the misconception that the scanner will provide 100% protection.

129
Q

Q130: Which type of password attack does Nikto use against websites?

A

A130: Dictionary. An attacker can use Nikto to launch a password-guessing attack. Password guesses are based on a dictionary/wordlist file. A hybrid attack is a mixture of a dictionary and brute-force attack. A brute-force attack tries to guess your password by trying every single combination of characters until your password is found.

130
Q

Q131: Which of the following tools can you use to apply a source route to data and send it across the network?

A

A131: Netcat. Netcat can be used to set the route a packet will take at the source, and store that information along with the packet.

131
Q

Q132: In order to spoof a UDP packet, which of the following steps is required?

A

A132: Generate traffic with a spoofed source IP address. Spoofing datagram protocols is trivial because there is no concept of a session. An attacker can simply generate spoofed UDP or ICMP packets and send them into most networks, where they will be accepted by destination hosts that are waiting for the given UDP or ICMP packets. Of course, the attacker likely will not see the response to those packets, which will be routed to the address that the attacker spoofed.

132
Q

Q133: To attack a Unix machine through its configured trust relationships, it will be necessary to predict future TCP sequence numbers. How can the sequence numbers be calculated?

A

A133: Have normal interactions with the victim while keeping a close record of how sequence numbers change with time. By recording the sequence numbers of same-sized packets from previous connections, TCP sequence numbers can be predicted: maintain normal communications with the targeted host and watch how the sequence numbers are generated. That will make it easier to predict the upcoming sequence number.

133
Q

Q134: What can be used to drop packets that come in on one interface but have the source address of a network connected to a different interface?

A

A134: Router/Firewall anti-spoof filter. An anti-spoof filter drops (and should log) all packets coming in on one interface with source IP addresses found on the other interface. For containment of incoming spoofed packets, you can apply temporary filters explicitly blocking the incoming packets, if someone is spoofing your addresses on the Internet, or you can rely on your anti-spoof filters to catch the data.

134
Q

Q135: What is the third stage of the TCP three-way handshake?

A

A135: ACK. The TCP three-way handshake consists of three steps: 1) SYN, 2) ACK-SYN, and 3) ACK.

135
Q

Q136: If a new entry is found in the Unix /etc/hosts.equiv file, what does this mean?

A

A136: Another remote host is considered trusted. A new entry in the Unix /etc/hosts.equiv file means that another remote host is considered trusted. The hosts.equiv file will list the hosts that are trusted by the local machine.

136
Q

Q137: Which of the following defines a monkey-in-the-middle attack?

A

A137: The attacker is inserted between the source and destination of a connection. Monkey-in-the-middle, according to the dsniff README, refers to an attacker inserting himself between the source and destination of the packets to gather information.

137
Q

Q138: Which of the following is a valid MAC address?

A

A138: 00.80.AD.45.CD.47. A MAC address is a 48-bit globally unique address that is hard coded into the network card. A MAC address looks something like 00.80.AD.45.CD.47 and is used to tell one network card from another.

138
Q

Q139: How long is a MAC address?

A

A139: 48 bits. A MAC address is 48 bits long and identifies each network card on the Internet.

139
Q

Q140: A sniffer requires an Ethernet interface to be in what mode in order to collect all packets off the network?

A

A140: Promiscuous. When an Ethernet interface is gathering all traffic, it is said to be in promiscuous mode.

140
Q

Q141: Which of the following is an active sniffer that sends packets out on the network in order to redirect traffic to itself?

A

A141: Dsniff. Dsniff is an active network sniffer and will inject packets onto the network to redirect traffic back to the sniffer. An active sniffer, such as Dsniff, injects packets into the network to redirect traffic to it. Dsniff offers a variety of techniques for redirecting traffic.

141
Q

Q142: What is the purpose of activating IP forwarding when conducting an ARP cache-poisoning attack?

A

A142: IP forwarding routes the packets intercepted by the attacker’s machine to the desired destination. An attacker can use dsniff’s arpspoof component to inject spurious ARP responses into a LAN. This will redirect all traffic from its intended destination and forward it to the attacker running a sniffer. Then, if IP forwarding is activated, the packet will route through the attacker’s machine and get forwarded to the true destination.

142
Q

Q143: Which Dsniff tool can an attacker use to drop live connections forcing the victim to setup a new connection, whereby authentication credentials can be obtained by the attacker?

A

A143: Tcpkill. Tcpkill just injects resets into the conversation. It is not elegant, but it is highly useful. Using this tool, an attacker can drop live connections in a denial-of-service attack. More interestingly, an attacker can drop a connection, forcing the victims into setting up a connection again. When they set up a new connection, they will likely reauthenticate, giving the attacker a chance to grab authentication information.

143
Q

Q144: Which of the following tools can you use to monitor HTTP looking for JPEG images?

A

A144: Driftnet. Driftnet monitors HTTP looking for JPEG images, which it sniffs and reconstitutes on the screen. A commercial tool, Niksun, can reconstitute an entire browsing session (as well as numerous other application-layer interactions) from captured traffic.

144
Q

Q145: What can allow you to redirect information to a different system on the LAN?

A

A145: ARP cache poisoning. ARP cache poisoning or spoofing is a technique where an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

145
Q

Q146: Which Dsniff component manipulates the MAC to physical plug mapping?

A

A146: Macof. Macof manipulates the MAC to physical plug mapping. It floods the switch with traffic containing many bogus MAC addresses.

146
Q

Q147: What is one disadvantage of using a sniffer on a switched LAN?

A

A147: You can only capture traffic from the system on which you are sniffing. One advantage of a non-switched network from a sniffing perspective is that all traffic is forwarded to all ports, making all traffic visible to the sniffer. In a switched LAN, you can only capture traffic from the system on which the sniffer is running.

147
Q

Q148: What layer of the OSI model do the MAC addresses belong to?

A

A148: Data link. The MAC address maps to the data link layer (layer 2) in the OSI Model.

148
Q

Q149: What defensive measure would protect a network from an Address Resolution Protocol (ARP) spoofing attack?

A

A149: Activating port-level security on the switch. Activating port-level security on a network’s switch will help protect it against an ARP-spoofing attack generated by Dsniff.

149
Q

Q150: What is also known as the MAC address?

A

A150: Hardware address. Hardware addresses are known as MAC addresses; each Ethernet card is programmed with a unique MAC address value.

150
Q

Q151: When an attacker hijacks your https traffic, what would your Web browser warning messages indicate?

A

A151: The digital certificate was not signed by a trusted authority, and the name does not match. The Internet Explorer warning message states: “The security certificate was issued by a company you have not chosen to trust” and “The name of the security certificate does not match the name of the site.”

151
Q

Q152: What command can be used to display the ARP cache on Unix machines and Windows systems?

A

A152: ARP on both Unix and Windows. Messed-up ARP entries could be a sign of sniffing on a switched network. To check from your local machine on Win32, type: C:\> arp -a. To check from Unix, type: $ arp -a or $ arp -e depending on the Unix flavor.

152
Q

Q153: What does a switch use to map MAC addresses to physical ports?

A

A153: CAM table. A MAC table, filter table, or content-addressable memory (CAM) table refers to a dynamic table in a network switch that maps MAC addresses to ports.

153
Q

Q154: A user’s SSH session disappears. The user logs in again. What may have just occurred?

A

A154: The user’s session may have just been stolen. The victim usually notices that his/her session disappears. The user will likely just try to log in again, not knowing that his or her session was not dropped; it was just stolen. Session hijacking focuses on session-oriented applications such as Telnet, FTP, rlogin, or SSH. It does not work for protocols and services that have no session, such as DNS.

154
Q

Q155: What might be used to identify session hijacking?

A

A155: Error messages from SSH clients. Error messages from SSH clients can be used as a potential Indicator of Compromise (IOC) for session hijacking attacks against SSH clients.

155
Q

Q156: What command can find strange DNS cache entries on Windows machines?

A

A156: Ipconfig /displaydns. The ‘ipconfig /displaydns’ command displays the DNS resolver cache and can be used to look for strange DNS cache entries on your Windows machines.

156
Q

Q157: Session hijacking focuses on which of the following session-oriented applications?

A

A157: SSH. Session hijacking focuses on session-oriented applications like telnet, ftp, rlogin, or ssh. It doesn’t work for

157
Q

Q158: Which of the following tools allows an attacker to look at session data, but not take the session over?

A

A158: Sniffit. The ettercap tool is well organized, and quite reminiscent of Sniffit. However, Sniffit allows an attacker to only look at data, whereas ettercap gives an attacker the option to take over a session.

158
Q

Q159: Which tool can be used to monitor for unusual Address Resolution Protocol (ARP) traffic on a local area network (LAN)?

A

A159: ARPWatch. To check for ARP attacks across the network, use ARPWatch.

159
Q

Q160: When hijacking a session, which of the following is used with spoofing to take over a session?

A

A160: Sequence numbers. The TCP sequence numbers of the sessions are discovered by gathering data through sniffing on the network. These sequence numbers can be used together with spoofing to take over a session.

160
Q

Q161: When an attacker on a third host takes over a session between two peers by injecting traffic and the sequence numbers get out of sync, what will happen?

A

A161: An ACK storm will begin. If an attacker takes over a session using a new set of sequence numbers, an ACK storm will begin while the two hosts squabble over what the correct sequence numbers should be.

161
Q

Q162: How does ARP cache poisoning stop an ACK storm?

A

A162: The attacker becomes a relay between both sides of a connection and allows only some traffic to pass. The real Alice and Bob will not gather the data because it is destined for media access control (MAC) addresses other than their own. Eve, therefore, becomes a relay between Alice and Bob, allowing some traffic to pass and dropping the rest. Eve can alter the TCP sequence numbers inside the data that is being bridged, thereby avoiding ACK storms while injecting additional traffic.

162
Q

Q163: Which function should always be avoided since it has no bounds checking?

A

A163: Gets. Bounds checking is any method of detecting whether a variable is within some bounds before it is used. Since the gets function has no bounds checking, it should always be avoided.

163
Q

Q164: Which service takes a domain name (such as www.something.com) and translates it into an Internet Protocol (IP) address?

A

A164: DNS. The Domain Name System (DNS) is the process that translates (also called mapping) names to numbers so computers can understand them. Once that translation is done, another translation must be done to take the Internet Protocol (IP) address and turn it into the media access control (MAC) address.

164
Q

Q165: Which of the following can be used for the containment of DNS cache-poisoning attacks?

A

A165: Flushing the DNS server’s cache. After identifying the problem, you need to quickly get rid of the bad DNS entries. You can do this by rebooting the DNS server or using a process to flush the server’s cache.

165
Q

Q166: Which of the following systems is the first to receive a user’s request for a domain name?

A

A166: Local name server. The local name server receives the query and, if it has the information cached from a previous lookup, it will send a response.

166
Q

Q167: Which tool from Microsoft works with a debugger to determine whether software crashes might be exploitable?

A

A167: !exploitable. Microsoft released a tool in 2009 called “!exploitable” (pronounced “bang exploitable”) that works with a debugger to analyze software crashes to determine whether they may be exploitable to run the code of an attacker’s choosing on a target machine.

167
Q

Q168: What does an application do with excessive input that causes a buffer overflow?

A

A168: It lets the data overflow into the neighboring memory space and eventually into the pointer space. When programs do not check and limit the amount of data copied into a variable’s assigned space, that variable’s space can be overflowed. When that buffer is overflowed, the data placed in the buffer will go into the neighboring variable’s space and eventually into the pointer’s space.

168
Q

Q169: Why does a predictable query ID make DNS cache poisoning possible?

A

A169: An attacker can send a spoofed DNS reply using the proper query ID without having seen the DNS query. When DNS servers use a predictable sequence of query IDs when resolving recursive queries, an attacker may be able to determine the current sequence number and identify future sequence numbers. Knowledge of future sequence numbers helps an attacker flood a DNS server with spoofed responses to recursive queries.

169
Q

Q170: Which of the following is accurate regarding the stack?

A

A170: You push things onto the top of the stack and you pop things from the top of the stack. A stack is a particular kind of abstract data type or collection in which the principal (or only) operations on the collection are the addition of an entity to the collection, known as push, and the removal of an entity, known as pop. You push things onto the top of the stack and you pop things from the top of the stack.

170
Q

Q171: In an exploit code for a buffer overflow, what does the package that is often referred to as the egg contain?

A

A171: NOP sled, attacker machine code, and return pointer. The NOPs could be implemented using the standard instruction for the processor, which may be detected if it moves across the network. The package that contains the NOP sled, attacker machine code, and return pointer is called an egg.

171
Q

Q172: Which Metasploit tool allows the attacker to access the victim purely by manipulating memory on Windows machines?

A

A172: Meterpreter. The Meterpreter does not touch the hard drive, but it gives access purely by manipulating the memory.

172
Q

Q173: What potentially must an attacker do in order to avoid filtering?

A

A173: Encode the exploit. To avoid null characters and anything else the program may filter, this step may involve some creative assembly language programming and/or some encoding of the instructions so that they do not get filtered. Attackers may need to encode the exploit to avoid filtering.

173
Q

Q174: Which Metasploit payload shovels a shell back to the attacker on a TCP port?

A

A174: Reverse shell. The reverse shell payload shovels a shell back to the attacker on a TCP port. The attacker will likely have a Netcat listener waiting to receive the shell.

174
Q

Q175: What is a DNS query ID sometimes referred to as?

A

A175: Transaction ID number. A DNS query ID, also known as a transaction ID, is a 16-bit field identifying a specific DNS transaction. The transaction ID is created by the message originator and is copied by the responder into its response message. Using the transaction ID, the DNS client can match responses to its requests.

175
Q

Q176: For running programs, what register does the CPU use to locate what to execute next?

A

A176: Instruction pointer. When running a program, the central processing unit fetches instructions from memory, one by one, and in sequence. The CPU contains a register called the instruction pointer, which tells it where to grab the next instruction for the running program. The processor grabs one program instruction from memory by using the instruction pointer to refer to a location in memory where the instruction is located.

176
Q

Q177: Which of the following is included in every DNS query?

A

A177: Query ID. Each DNS query has a query ID, which is often predictable, based on earlier query IDs.

177
Q

Q178: Which of the following describes a split-split DNS?

A

A178: It has three DNS servers: one that is internal only; one that is external only; and one that is for externally accessible internal/DMZ hosts. Split-split DNS involves three DNS servers: one that is internal only; one that is external only; and one that is for externally accessible internal/DMZ hosts. The local name server and anything it is dependent on will only be able to resolve names for local systems, and will not respond to queries from outside machines. Outside machines must resolve names of local systems using an entirely different name server.

178
Q

Q179: What function call is frequently misused by developers, making their code vulnerable to a buffer overflow?

A

A179: Strcpy. Look for functions like strcpy, strncpy, strcat, sprintf, scanf, fgets, gets, getws, memcpy, and memmove. These functions are known for not checking their own buffers. If you use them in your code, they could easily lead to buffer overflows.

179
Q

Q180: In which type of DNS deployment do insider machines query an internal name server for internal host names and outsiders query an external name server for external host names?

A

A180: Split DNS. With a proper “split DNS” deployment, insider machines query an internal name server for internal names and outsiders query outside DNS for external domain names.

180
Q

Q181: When considering a buffer overflow defense for Solaris, Windows, Linux, and HP-UX, which of the following can be used in the containment phase?

A

A181: Deploy non-executable system stacks. Identifying buffer overflow attacks can be tricky. First, look for unusual server crashes. Also, you can use various non-executable system-stack features in Solaris, Windows, Linux, and HP-UX to alert you when someone tries to execute code out of the stack.

181
Q

Q182: Which of the following items is used as part of a buffer overflow exploit to improve the odds that the attacker’s code will run successfully?

A

A182: Using a NOP sled. To improve the odds that the return pointer will be okay, attackers include NOPs in advance of the executable code. Then, if the pointer goes to the NOPs, nothing will happen. Execution will continue down the stack until it gets to your exploit.

182
Q

Q183: Which of the following C syntax statements correctly uses the printf function and avoids the risk of format-string attacks?

A

A183: printf (“%s”, buffer);. The correct usage of the printf statement to copy a string to a buffer is “printf (“%s”, buffer);”. The incorrect usage of the printf statement that will still compile but results in a format string attack vulnerability is “printf (buffer);”. The syntax of “printf (%s, buffer);” and “printf (“s”, buffer);” is incorrect, as the string needs to be enclosed within double quotes, and the conversion of the string requires the string conversion identifier character “%”.

183
Q

Q184: If a format-string exploit includes a 32-bit address followed by %.29d, what value will be stored in memory?

A

A184: 33. If you use a format string directive like %.255d, the snprintf call will think it printed 255 characters, plus our address, for a total of 259 characters. In this way, you can load the number 259 into a memory location of our choice. This could be done to obtain any other number. Therefore, a %.29d will print 29 plus 4, or the number 33.

184
Q

Q185: In various network logs, an incident handler notices a large sequence of the 0x90 hexadecimal numbers. What does this sequence of numbers most likely represent?

A

A185: A NOP sled for the Intel processor. Note that 0x90 is the x86 NOP instruction. Also known as a NOP slide or NOP ramp, a NOP sled is a sequence of NOP (no-operation) instructions meant to “slide” the CPU’s instruction execution flow to its final, desired destination whenever the program branches to a memory address anywhere on the sled.

185
Q

Q186: How are format strings exploited?

A

A186: By manipulating input to a vulnerable function call. Format strings can be exploited through the misuse of function calls.

186
Q

Q187: What is the fundamental condition that creates format-string vulnerabilities?

A

A187: A programmer’s failure to specify a format-string argument for a printf, snprintf, or sprintf instruction. By failing to include a format-string argument in a printf, snprintf or sprintf function, the function will assume, incorrectly, that the input data is actually the format-string argument. So the attack vector or vulnerability is created when the function accepts processing instructions via user-supplied input.

187
Q

Q188: On a 32-bit architecture machine, an address is represented with eight hex numbers, or four ASCII digits. By providing user input of the form “\xnn\xnn\xnn\xnn%d%n” to an snprintf call with no format string, an attacker can overwrite memory with a value greater than or equal to which of the following?

A

A188: 5. You can write five or greater anywhere in the memory on a 32-bit machine. The four comes from the 32-bit architecture. You add one because of the %d printing one character. If the machine is a 64-bit architecture, you could write any number greater than eight (eight comes from the 64 bits for addresses, divided by eight for each ASCII character written by the printf family). Again you add one because of the %d printing one character. So, you can write nine or greater anywhere in the memory on a 64-bit machine.

188
Q

Q189: When snprintf starts to scan the user_input string for format information, it finds numerous strange characters, \xc0\xfa\xff\xbf. How many characters will this represent?

A

A189: 4. Snprintf starts to scan the user_input string for format information. It finds some information that was provided by the attacker. It finds numerous strange characters, \xc0\xfa\xff\xbf, and writes the four ASCII characters into the buffer. These are treated as four ASCII characters because snprintf interprets the \ character as an escape, and the x as an indication of a hexadecimal number.

189
Q

Q190: Consider the following user input “\xc0\xfa\xff\xbff%.###d%n” If an attacker wanted to overwrite memory with the number 128, what value should be used in place of the ###?

A

A190: 124. The attacker can enter the directive %.[number]d into the variable that will be interpreted as the format string. This will cause the snprintf function to think that [number] of characters are written. Therefore, by using a format string directive like %.124d, the snprintf call will think it printed 124 characters, plus the address, for a total of 128 characters. In this way, the number 128 can be loaded into a memory location of your choosing. This could be done to obtain any other number.

190
Q

Q191: Using a format string attack, what is the minimum value that can be written in memory?

A

A191: 5. With a format string attack, any value of five or greater can be written anywhere in the memory. If a format string directive like %.1d is used, the snprintf call will think it printed one character, plus the address, for a total of five characters (no null characters in addresses).

191
Q

Q192: You are examining a programmer’s C code, looking for format string vulnerabilities. Which of the following characters are you hoping to find in a printf statement, indicating that the programmer took care to avoid a format string vulnerability?

A

A192: The “x” characters. The printf function is supposed to include a format string as its argument. This format string specifies the way that printf is supposed to display the characters it is printing and is usually included in quotes as the first argument in the function call.

192
Q

Q193: A C programmer has omitted the format string field from an snprintf call as seen in “snprintf (buffer, sizeof buffer, user_input);”. A user of the program provides input of %x %x %x to the program. If the user_input variable is later printed, what might the user see?

A

A193: Three hexadecimal values from the stack. The attacker types in %x %x %x, which gets loaded into the user input. When the program gets to the snprintf function call, these %x format string parameters are sent to snprintf, which interprets the user_input buffer as the format string. This format string says to print three hexadecimal numbers into the variable buffer. The program will dutifully fetch the next three values on the stack and load them into the variable buffer. If the variable buffer is later printed to the screen, the attacker will be able to see the contents of these next three values on the stack.

193
Q

Q194: What program does the rpc.statd attack compromise?

A

A194: Syslog. An rpc.statd attack passes user-supplied data from the network to the syslog daemon (syslog) without a format string. The portmapper, mountd (NFS mount daemon) and named (the DNS name daemon) are not vulnerable to the rpc.statd attack.

194
Q

Q195: What does the following printf function achieve? “printf(“Good day world!%n”,&storage9);”

A

A195: It loads the number 15 into storage9. If a format string ever includes the directive %n, the printf function will store the number of characters it would have printed so far in its operation. For example, if it has printed 15 characters so far (Good day world!), it will store the number 15 in the storage9 variable.

195
Q

Q196: Which input string characters can cause the printf, snprintf and sprintf functions to stop processing?

A

A196: 0x00. The null character, 0x00, cannot be used as an input string to the printf, snprintf and sprintf functions, or processing will stop. This, in effect, allows the attacker to write any value of five or greater anywhere in memory for a 32-bit architecture, or nine or greater for a 64-bit architecture.

196
Q

Q197: Which of the following is impossible for an attacker to do by altering the value stored at a memory address?

A

A197: Edit the source code to the executable. By altering the value stored at a memory address, an attacker can overwrite return pointers and redirect execution flow of a program, change parameters in a program, or manipulate an application-level userID. The attacker cannot, however, edit the source code to the executable.

197
Q

Q198: In which mode does John the Ripper perform a brute-force password cracking attack?

A

A198: Incremental mode. Incremental mode in John the Ripper uses brute-force guessing. Wordlist mode leverages a wordlist (a text file containing one word per line) and some password files. Single crack mode will use the login names, “GECOS” / “Full Name” fields, and users’ home directory names as candidate passwords, also with a large set of mangling rules applied. External mode leverages program code of some functions that John will use to generate the candidate passwords it tries.

198
Q

Q199: What does the SYSKEY utility do?

A

A199: It encrypts passwords in the SAM. SYSKEY allows 128-bit encryption of passwords in the SAM and should be installed on all domain controllers.

199
Q

Q200: Which of the following tools can be used to dump password hashes from a remote Windows system?

A

A200: Abel. Cain is highly interactive, with a fancy GUI offering all kinds of interesting attack functionality. Abel runs in the background, and can be remotely accessed to dump data from its host system.

200
Q

Q201: If LanMan hashes are enabled on a Windows machine, how long is the effective password length?

A

A201: Two 7-character passwords. If LanMan hashing is enabled, the password hash is stored in two 7-character length “chunks”, thereby reducing the strength of your password to seven characters. Passwords are padded with fixed padding to make them exactly 14 characters long.

201
Q

Q202: At what minimum level should the registry key that controls LanMan Compatibility be set on Windows NT and 2000 clients so that they use only NTLMv2 authentication?

A

A202: Level 3. At Level 3 Lan Manager Compatibility, clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it.

202
Q

Q203: What is the main reason that dictionary attacks are efficient?

A

A203: Most people use common words. Since most people use common dictionary words as passwords, by putting together a dictionary of words, you can easily guess someone’s password.

203
Q

Q204: Why can cracking passwords when migrating users from one computer to another be a bad idea?

A

A204: It can damage non-repudiation. It is not a good idea to crack passwords to migrate users, as it can seriously damage non-repudiation. If the security team at one point in time has everyone’s password, a defendant can claim that he/she is being framed.

204
Q

Q205: Which of the following functions does Cain include?

A

A205: ARP cache poisoning for traffic redirection. Cain includes a lot of functionality, including an ARP cache poisoning tool for traffic redirection.

205
Q

Q206: Which of the following password-cracking methods normally takes the least amount of time with the fewest number of passwords?

A

A206: Dictionary attack. The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file against the password hashes. There are fewer possibilities with this method than with a brute-force or hybrid attack. Since most people use common dictionary words as passwords, by putting together a dictionary of words, you can easily guess someone’s password. Why bother going through every possible combination of letters if you can guess 70% of the passwords on a system by just using a dictionary of 10,000 words? On most systems a dictionary attack can be completed in a short period of time (i.e., in minutes) compared to a brute-force attack (which might take years).

206
Q

Q207: Which of the following characters, when used in a Windows password, will prevent the system from generating an LM hash?

A

A207: Alt. If a user adds characters to his/her password using Alt characters (those characters you can create by holding down the Alt key), the amount of time to crack them increases significantly, now ranging from many months to years. According to Microsoft, if the password contains certain Alt characters, the system will also not be able to generate an LM hash.

207
Q

Q208: Which field in the /etc/passwd file is used to determine what permissions the account has in accessing elements of the file system?

A

A208: UID number. The UID number is used to determine what permissions an account has in accessing elements of the file system.

208
Q

Q209: When performing a password guess on a remote machine, what is typically the maximum number of guesses per second that can be performed?

A

A209: 5. With a script or automated tool, password guessing is very slow, ranging in speed from one guess every three seconds to at most five guesses per second.

209
Q

Q210: Which operating system includes LanMan hashes in a default installation?

A

A210: Windows 2003. All WinNT/2000/XP/2003 machines, by default, store two representations of each password: the LanMan hash and the NT hash. Windows Vista, 2008, and 7 do not include LanMan hashes in a default installation.

210
Q

Q211: Which of the following password cracking methods tries modified words by adding numbers and symbols?

A

A211: Hybrid. The hybrid attack builds on the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as “bogus11” or “he11o!!” (where the letter l’s are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols.

211
Q

Q212: Within a LanMan hash, what encryption algorithm is used to make a 7-byte string into a key?

A

A212: DES. Within the LanMan hashes, each 7-byte string is used as a DES key to encrypt a constant. Windows NT/2000/XP/2003 all store the older, much weaker LanMan hashes along with the NT hashes.

212
Q

Q213: What must you have to differentiate between password guessing and password cracking?

A

A213: Password file. Password cracking is the process of trying to guess or determine someone’s plain text password when you have only their encrypted password.

213
Q

Q214: Which of the following is the most powerful method for password cracking?

A

A214: Brute force. The most powerful cracking method is the brute force method. This method will always recover the password, no matter how complex. It is just a matter of time.

214
Q

Q215: Where are cracked passwords stored for John the Ripper?

A

A215: John.pot. Cracked passwords are printed to the screen and stored in the file john.pot. If you ever run John the Ripper to evaluate the strength of passwords, make sure you delete the john.pot file when you are finished with the audit. Otherwise, you will leave cracked passwords sitting around for prying eyes to discover.

215
Q

Q216: Where are passwords generally stored on modern Unix systems?

A

A216: /etc/shadow. Modern Linux systems typically store passwords in the /etc/shadow file.

216
Q

Q217: Which of the following is a mechanism for protecting your data from worms and\/or bots?

A

A217: Encrypt files. Encrypt data on your hard drives using a file system encryption tool. That way, if your data is stolen by a worm or bot, attackers cannot read it, unless they also steal the key.

217
Q

Q218: Which of the following tools can be used to identify and eradicate a worm and\/or bot infestation?

A

A218: Antivirus. Additionally, antivirus solutions help in thwarting these attacks. They detect many worms and bots, although a brand new piece of code could still fool them. You will also want to link your incident response capabilities with network management personnel. Include them on your incident response team, because you may need to cut off certain segments of your network in real time.

218
Q

Q219: Which of the following payloads can be defined as a specialized backdoor used for controlling systems en masse?

A

A219: A bot. Many worms have a payload that consists of a bot. Bots are software programs that perform some action on behalf of a human, typically with little or no human intervention. Bots are specialized backdoors used for controlling systems en masse, with a single attacker controlling groups of bots numbering from a dozen to over a million infected machines.

219
Q

Q220: What is the most common way for an attacker to send control information to a bot-net?

A

A220: Through an IRC channel on standard ports. To send control information to a bot-net, attackers use a variety of protocols. One of the most common means remains using an IRC channel on a standard IRC port (TCP 6667 is very common).

220
Q

Q221: An attacker would use which of the following functions along with a random key to create polymorphic code?

A

A221: XOR. The XOR function is used along with a random key to create polymorphic code. Malware authors sometimes use other encryption methods; the simplicity of implementing the algorithm, size limitations on the code, and pre-packaged options (Metasploit) make these techniques attractive. Often there is no need, as XOR techniques already bypass most detection mechanisms.

221
Q

Q222: Which of the following types of worms is a potential way for administrators to distribute patches across the network?

A

A222: White worm. An ethical or white worm is one mechanism for administrators to deploy patches quickly. Some feel that ethical worms are too risky given the limited benefits they can offer. In particular, the legal liability issues are paramount. Would you want to risk the wrath of thousands of lawyers sharpening their knives to sue you for an ethical worm gone awry, just to help spread some patches on the Internet? Most software companies would avoid taking that risk.

222
Q

Q223: Which of the following worms targets more than one operating system?

A

A223: Sadmind/IIS. In May 2001, the Sadmind/IIS worm mushroomed through the Internet, targeting Sun Solaris and Microsoft Windows. As its name implies, this worm exploited the Sadmind service used to coordinate remote administration of Solaris machines. From these victim machines, the worm spread to Microsoft’s IIS Web server, where it spread further to other Solaris machines, continuing the cycle.

223
Q

Q224: Which of the following worms spreads via Microsoft Outlook and employs simple polymorphic techniques to evade e-mail spam filters?

A

A224: Klez. In January 2002, the Klez worm spread via Microsoft Outlook e-mail and employed simple polymorphic techniques to evade e-mail spam filters. These filters look for a bunch of messages with the same subject sent to different users, a pretty reasonable sign of a spam message. Klez randomly altered the subject line of the e-mail it generated to evade the filters. While only a small piece of Klez (the subject line and even the attachment file type) was polymorphic, it was a start down this road.

224
Q

Q225: What is the defining characteristic of a worm vs. a virus?

A

A225: A worm spreads across a network. The defining characteristic of a worm is that it spreads across a network. A virus’s defining characteristic is that it infects a host file, such as a document, e-mail, or executable. However, some malicious software is both a worm and a virus, because it propagates across a network and infects a host file.

225
Q

Q226: What worm contained more than a dozen exploits of Microsoft Windows and was able to spread using the Internet Explorer browser and IIS Web server?

A

A226: Nimda. To date, the most successful multi-exploit worm was Nimda in September 2001. Launched one week after the September 11, 2001 terrorist attacks, Nimda exploited Microsoft Windows systems in more than a dozen ways, including spreading via the Internet Explorer browser, IIS Web server, Outlook e-mail, and Windows file sharing. Nimda, with its quick spread using a large number of Windows exploitation techniques, gave a preview of worms to come.

226
Q

Q227: Which of the following characters does SQL use as a comment delimiter, and can therefore be used to tell the database to ignore anything passed to it after the user’s input?

A

A227: Double dash (--). The -- syntax acts as a comment delimiter, and can therefore be used to tell the database to ignore anything passed to it after the user’s input.

227
Q

Q228: When trying to hack a session ID via a persistent cookie, what does a hacker need to do?

A

A228: Close the browser, edit the cookie, and reopen the browser. Some types of cookies (persistent cookies) are written to the local file system on the browser’s machine. If persistent cookies are used, an attacker can simply close the browser, which will force a write of the cookies, edit the cookies with vi or notepad, and rerun the browser. By rerunning the browser, the cookie file will be read and the session ID will be modified.

228
Q

Q229: Which tool is a series of browser scripts that when passed into a browser will make the browser conduct a scan of other websites to determine whether they are hosting vulnerable Web server content?

A

A229: Jikto. Billy Hoffman wrote a tool called Jikto, which is a series of browser scripts. When passed into a browser, they make the browser conduct a scan of other websites to determine whether they are hosting vulnerable Web server content, such as the PHP, CGI, ASP, and Cold Fusion scripts that Nikto checks for.

229
Q

Q230: Which of the following DoS attacks involves sending a single packet or a small stream of packets to a system and is formed in a way not anticipated by the developers of the target machine?

A

A230: A malformed packet attack. A malformed packet attack involves sending a single packet or a small stream of packets to a system and is formed in a way not anticipated by the developers of the target machine or application that will process the packet.

230
Q

Q231: What protocol is used to transfer malicious code during a cross-site scripting exploit?

A

A231: FTP. The victim user’s browser transmits the malicious code to the vulnerable script on the target site as a Web request.

231
Q

Q232: A SYN flood would be considered which type of denial-of-service attack?

A

A232: Resource starvation attack. The most common type of denial-of-service attack is the packet flood. The attacker can remotely send more packets to a machine than it can handle, exhausting all of its resources. Packet flood examples include Smurf, SYN Flood, DDoS, etc.

232
Q

Q233: Why might an asterisk (*) be useful in a SQL injection attack?

A

A233: It is a field selector, allowing an attacker to retrieve a wide range of data. An asterisk (*) is a wildcard selector. By using it, an attacker can retrieve a wide range of data; it is a wildcard after all. An asterisk on its own is not a comment delimiter or query terminator.

233
Q

Q234: Which of the following characters in SQL will match any substring?

A

A234: Percent (%). The percent (%) symbol matches any substring. The semicolon character is a statement terminator. The underscore character represents a single character to match a pattern from a word or string. The asterisk pattern character (also called “star”) matches zero or more characters.

234
Q

Q235: What type of attack is the ping of death?

A

A235: A malformed packet attack. Examples of a malformed packet attack include sending packets that are too long, such as a ping of death, or strangely fragmented packets, such as a Teardrop attack.

235
Q

Q236: An attacker can modify session credentials over an SSL pipe because session tracking information is handled at which level of the OSI model?

A

A236: The application level. The session tracking information is at the application level. If the session ID is not handled properly, an attacker can still modify their session credential over the SSL pipe and become some other user. It is important to keep in mind that this technique of modifying session credentials is independent of the use of the Secure Socket Layer protocol.

236
Q

Q237: If a valid user account and valid password are supplied when authenticating to a website, what will most applications generate?

A

A237: A session ID. If it is a valid user account and valid password, most applications will generate a session ID.

237
Q

Q238: Which of the following is a commonly used, though ineffective, approach to defending against malicious input submitted from a Web browser?

A

A238: Including JavaScript in the Web page to filter out unwanted characters sent through the Web page. Many Web applications use JavaScript on the browser to filter out different characters that they do not want to be sent into the application. It is easy for an attacker to get around this. They could use a customized browser or they could use a proxy tool.

238
Q

Q239: Which of the following characters is used as a wildcard selector in an SQL query?

A

A239: Asterisk (*). A semicolon (;) is a query terminator, an asterisk (*) is a wildcard selector, and the percent (%) character matches any substring. The underscore character represents a single character to match a pattern from a word or string.

239
Q

Q240: What type of denial-of-service attack involves exhausting all bandwidth of the connection to the target?

A

A240: A packet flood attack. Packet floods involve sending more packets to a machine than it can handle. The attacker either causes all available processing power of the target machine to be tied up or even exhausts all bandwidth of the connection to the target.

240
Q

Q241: What is another name for nonpersistent cookies?

A

A241: Per-session cookies. Nonpersistent cookies (the cookies that are just stored in memory) are sometimes referred to as per-session cookies.

241
Q

Q242: Which of the following is a containment step for SQL injection?

A

A242: Block the source IP address being exploited. Blocking the source IP address and/or account being exploited is an effective means of containing SQL injection.

242
Q

Q243: Why would an attacker expect to see browser warning messages when using a Web proxy to manipulate Web applications that run over port 443?

A

A243: The certificate that the attacker’s browser is using was not issued by a valid CA. The Web browser itself will complain, saying, “This certificate I’ve got is bad, because it wasn’t issued by a valid certificate authority.” However, remember that the attacker using the proxy is also running the browser. Therefore, the attacker will get a warning message on the browser saying, “This certificate is bad. Do you want to continue?” Of course, the attacker will click to continue the session. The attacker can eliminate this warning by merely importing the proxy certificate into the browser. After all, the attacker is running both the browser and the proxy.

243
Q

Q244: What kind of denial-of-service attack is run from an account on the victim machine?

A

A244: A local denial-of-service attack. Local denial-of-service attacks are run from an account on the victim machine. These could be as simple as unplugging the power to consuming all network, CPU, or memory resources.

244
Q

Q245: Which of the following is the most common type of denial-of-service attack?

A

A245: A packet flood attack. The most common denial-of-service attack is a packet flood. It is so popular because the attack can be launched remotely, allowing the attacker to have distance between himself/herself and the victim.

245
Q

Q246: What technique does an attacker use to get valid user IDs from an application’s response to users’ attempts to authenticate?

A

A246: Account harvesting. Account harvesting is the ability to discern valid user IDs based on how the application responds when the user tries to authenticate.

246
Q

Q247: What makes pulsing zombies more difficult to trace than other distributed denial-of-service flooding agents?

A

A247: Pulsing zombies periodically go dormant, while ISPs can easily trace an active flow of traffic. Pulsing zombies bomb for about 10 minutes, go dormant for some period, and then go active again. It is easier to do a trace if a zombie is actively sending traffic, because an ISP can quickly identify the flow of traffic throughout their network in real-time, rather than having to consult a possibly nonexistent log.

247
Q

Q248: Which of the following would help contain a denial-of-service attack?

A

A248: Blocking the source IP address. To contain a denial-of-service attack, you must block the source IP address. Most of the attacks built into these DoS Suites can be defended against by having up-to-date patches installed on the system. Also, if you shut down unnecessary services, they will not be able to be exploited with a malformed packet attack.

248
Q

Q249: Where should filtering occur in order to most effectively prevent a Smurf flood attack?

A

A249: In upstream routers or firewalls. Filtering ICMP packets at your network gateway (your router or firewall) would assist in reducing the likelihood of a Smurf flood attack.

249
Q

Q250: In what two ways can a SYN flood cause a denial-of-service?

A

A250: By consuming all link capacity or by filling the connection queue. SYN flooding can result in a denial-of-service in one of two ways: the attack can either exhaust the connection queue of the victim or suck up all link capacity.

250
Q

Q251: You notice that your Web server is nonresponsive. Looking at all of the system logs, you find that the Web server shows an abnormally high number of Web requests for numerous pages coming in quickly. Which of the following might you be experiencing?

A

A251: High-orbit ion cannon. SYN floods typically involve spoofed traffic and never complete the TCP three-way handshake. For identification of a DNS amplification attack, look for massive floods of traffic that are DNS responses (destination UDP port 53), typically with large DNS records in them. A Smurf attack will include ICMP or UDP traffic. HOIC also has support for a feature called boosters, which are simply customizable JavaScript-based scripts that cause HOIC to access multiple pages on a target Web server, instead of just one page. The scriptable HOIC page request makes it harder to filter out HOIC traffic from normal Web surfing traffic, resulting in a tool that is harder for defenders to block than the earlier LOIC tool.

251
Q

Q252: What traffic can egress filters on your border routers help prevent on your network?

A

A252: Sending spoofed traffic. You should deploy egress anti-spoof filters at your border routers. These filters drop all outgoing packets that have a source address that is not located on your network. All packets leaving your network should have a source address associated with your network. If they do not, either something is configured incorrectly or an attacker is launching spoofed packets.

252
Q

Q253: Where does a Smurf attack send ICMP traffic?

A

A253: To the broadcast address of a network. With a Smurf attack, an attacker sends out a packet to the broadcast address of a network. All of the machines on that network will respond to the ping. However, the attacker will send the ping with a spoofed source IP address of the victim. Therefore, all responses to the ping will be sent to the victim machine, not back to the attacker. The network that responds to the broadcast address is called the Smurf amplifier.

253
Q

Q254: You find that you are the victim of a DNS amplification denial-of-service attack. Which of the following would be an appropriate containment step?

A

A254: Call your upstream ISP and ask for help. For containment, if you are under a large flood, one option would be to call your upstream ISP or carrier to have them throttle the attack. This will sometimes involve them null routing (sometimes called black holing) or filtering traffic before it gets to your environment.

254
Q

Q255: What can a defender do to contain Slowloris?

A

A255: Throttle an incoming connection with a load balancer. A containment step in defending against Slowloris would be to throttle incoming connections with a load balancer. The other options are part of the preparation (apply vendor patches, if and when they are available), identification (IDS signatures for the attack across HTTP), or recovery (reset HTTP daemon/service when attack is in progress) phases.

255
Q

Q256: In a Smurf attack, what is the amplifier?

A

A256: The network that responds to the broadcast address. A network that responds to the ICMP directed broadcast traffic is called a Smurf amplifier.

256
Q

Q257: What protocol is used in a Smurf attack?

A

A257: ICMP. Both Smurf and PapaSmurf rely on ICMP packets.

257
Q

Q258: Compared to other denial-of-service attacks, what advantage does Slowloris give the attacker?

A

A258: Very little bandwidth is required. The advantage for the attacker in a Slowloris attack is that it requires very little bandwidth for the attacker, unlike a packet flood.

258
Q

Q259: Which of the following will an attacker use to keep from having to launch individual DoS attacks to crash a remote system?

A

A259: A DoS suite. Instead of launching each one of these individual attacks against a target, attackers have rolled together many individual DoS exploits into a suite. These suites try numerous different, individual malformed packet attacks just to see if one will crash the target.

259
Q

Q260: Which of the following is a directed broadcast attack?

A

A260: A Smurf attack. A Smurf attack is in the category of network-based denial-of-service attacks, focusing on creating a packet flood. The official name of this type of attack is a directed broadcast attack. It is more commonly referred to, though, as a Smurf attack, named after one of the first tools used to launch the attack.

260
Q

Q261: Sub7 and BO2K are both examples of applications installed at which malware layer?

A

A261: Application level Trojan horse backdoor. Sub7 and BO2K are both examples of evil applications that get installed at the application level, running on top of typical operating system applications. User mode, kernel level, BIOS level, and microcode all infect deeper into the system itself, while these applications run on top of the OS and system components that already exist.

261
Q

Q262: Which of the following applications can be used to create a backdoor listening service on a victim host?

A

A262: Netcat. Netcat is an application that can be used to create a backdoor listening service on a victim host computer. NetStumbler is used in discovering wireless networks. l0phtcrack is used for cracking passwords. Ethereal is a network sniffer and Nmap is used for scanning hosts on a network.

262
Q

Q263: What protocol does Setiri use for communicating with an attacker?

A

A263: S. Periodically, Setiri, running on the victim machine, surfs to the connection broker using an invisible browser. All access occurs through the personal firewall, network firewall, and anonymizer using S.

263
Q

Q264: Which of the following is a program that allows an attacker to access a system in a manner that bypasses security controls?

A

A264: A backdoor. A backdoor is a program that allows an attacker to access a system, bypassing security controls. A Trojan horse is a program that looks innocuous, but is really sinister. Rootkits, worms, and viruses often create backdoors, but technically speaking the backdoor is typically just one part of their payload.

264
Q

Q265: The Setiri backdoor offers the attacker which of the following command sets?

A

A265: Upload, download, and execute programs. Setiri is a pretty scary backdoor tool written by two security consultants from South Africa, Roelof Temmingh and Haroon Meer. The backdoor itself does not have many fancy functions; it can only upload files, execute programs, and download files. Still, for a backdoor, that is about all you need to accomplish any attack.

265
Q

Q266: Which of the following are you least likely to be able to accomplish if Setiri-like code is installed on your host?

A

A266: Tracing back to the original attacker. With the Setiri architecture, there are many levels of indirection between the victim and the attacker. Tracing back to the attacker is incredibly difficult for this type of attack.

266
Q

Q267: The VNC program is a legitimate remote administration tool and is popular as a backdoor. It has a history of which of the following?

A

A267: Having problematic default security. VNC is free, very popular, and quite feature rich! It uses TCP port 5900 to send a GUI across the network. Several companies use it for legitimate remote administration. However, VNC’s default security is problematic. It includes a password, but it has been subject to monkey-in-the-middle and buffer overflow attacks in the past. VNC can be properly secured, though, especially when used in conjunction with SSH.

267
Q

Q268: Your antivirus program has discovered a keylogger on your computer. Which of the following can be presumed to be secure?

A

A268: Smart card security tokens. With a keystroke logger, the Trojan horse backdoor can write all of the users’ keystrokes to the file system so that the attacker can later look at the contents of the file. The victim might use a very long, extremely secure passphrase, made up of a mixture of alphanumeric and special characters, which is used to protect the private key stored locally on a hard drive. If the attacker can get the victim to install a keystroke logging backdoor, the attacker can use the keystroke logger to grab the unguessable passphrase.

268
Q

Q269: Your intern secretly modified the source code to the log-in program and replaced the standard system binary with his modified code so that he could specify a certain password and log in to any account he wishes. Into which of the following categories does this new log-in program fall?

A

A269: Rootkit. A rootkit alters your operating system so that while it looks intact, it really gives control to an attacker. In this case, the intern specified a password known only to him, but had the ability to log in as any user.

269
Q

Q270: A student has written a game and has encouraged his classmates and professor to run it. Unbeknownst to everyone, the game will copy the contents of each user’s outgoing mail folder into a directory readable by the student. Into which of the following categories does this game fall?

A

A270: Trojan horse. A Trojan horse is a program that looks like it has some useful function, but is really sinister. It has some hidden capability used by the attacker.

270
Q

Q271: Which of the following Windows applications will help determine whether a machine has been compromised by a backdoor application by mapping listening ports to running applications?

A

A271: Fport. Fport is an application that will help determine whether a machine has been compromised by a backdoor application by mapping listening ports to running applications. Lsof is a Unix application that will perform the same task. TCP Wrappers is used as a defensive measure to protect a host from certain IP addresses. Nmap can be used to determine which ports are listening on a system, but will not map those ports to running processes or applications.

271
Q

Q272: Which of the following choices is a program that looks like it has some useful function in order to gain access?

A

A272: Trojan horse. A Trojan horse is a program that looks like it has some useful function, but is really sinister.

272
Q

Q273: Which of the following is one of the best ways for determining whether a system is infected with an application-level Trojan backdoor?

A

A273: Running antivirus software. One of the best ways to determine whether a system is infected with an application-level Trojan backdoor is to run antivirus software on the system. Windows update will only update the system’s software. Running applications in debug mode is rarely helpful in this situation and checking file sizes and performing memory dumps are much too time consuming to be effective in most cases.

273
Q

Q274: Which of the following backdoor Trojan applications utilizes a hidden browser window to bypass personal firewalls, NAT, and stateful inspection firewalls?

A

A274: Setiri. While these are all backdoor Trojan applications, only Setiri utilizes an invisible browser window to communicate with an attacker and thus bypass personal firewalls, NAT, and stateful inspection firewalls.

274
Q

Q275: Which of the following Volatility modules lists the PID, port, protocol and date and time that the connection was opened?

A

A275: Sockets. The Sockets Volatility module will list open network sockets, showing the process ID using the socket, the port it uses, the protocol associated with the communication, and the date and time that the socket was opened.

275
Q

Q276: Which Volatility module shows a list of processes, including the PID, name, and Parent Process ID?

A

A276: Pslist. The Pslist Volatility module shows a list of processes, including the PID, name, and Parent Process ID.

276
Q

Q277: Which free tool does HBGary offer for performing a memory capture?

A

A277: FastDump. HBGary offers a free tool called FastDump for memory capture.

277
Q

Q278: Which feature of the commercial Responder tool can analyze code specimens to determine whether they are related to known malware found in the wild, based on the functions they use and the behavior they exhibit?

A

A278: Digital DNA. HBGary released the commercial Responder tool, which also analyzes memory dumps. One of its most interesting features is its Digital DNA technology to analyze code specimens to determine whether they are related to known malware found in the wild based on the functions they use and the behavior they exhibit.

278
Q

Q279: The mdd memory imaging tool is provided by which of the following individuals/organizations?

A

A279: ManTech. The MemoryDD.bat script is part of Mandiant’s free Memoryze suite. Alternatively, HBGary offers a free tool called fastdump for memory capture. Matthieu Suiche distributes a free program called win32dd, and ManTech offers the free mdd tool.

279
Q

Q280: What Windows command will provide a list of DLLs in much the same way as the command “python volatility dlllist -p [pid] -f [path_to_memory_capture]”?

A

A280: Tasklist /m /fi “pid eq [pid]”. For the list of DLLs loaded by a specific process, the following could be executed: ‘tasklist /m /fi “pid eq [pid]”’.

280
Q

Q281: What Volatility module will provide the PID, the Parent PID (PPID) and the time each process was started?

A

A281: Pslist. The pslist module walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started and exited.

281
Q

Q282: When using Volatility’s connections module, which Volatility module can be used to cross-reference the PIDs associated with the established network connections to determine the name of the process associated with the connection?

A

A282: Pslist. Use Volatility’s connections module to determine which processes are communicating on the network. Then use the pslist Volatility module to cross-reference PIDs associated with established network connections. This will help you determine the name of each process associated with each connection.

282
Q

Q283: What Volatility plugin will reveal SYS files loaded by device drivers?

A

A283: Modules. The modules Volatility module shows the device drivers loaded by the Windows machine from which the dump was created. It also reveals related SYS files.

283
Q

Q284: Which of the following Volatility commands will produce output similar to the command netstat -nao | find "ESTABLISHED"?

A

A284: Python volatility connections -f ‘path-to-image-file’. The Volatility command “Python volatility connections -f ‘path-to-image-file’” will produce output similar to the command netstat -nao | find "ESTABLISHED".

284
Q

Q285: Which Windows command can be used to provide a list of DLLs loaded by every running process?

A

A285: Tasklist /m. For the list of DLLs loaded by every running process, the following command could be used: ‘tasklist /m’.

285
Q

Q286: Which of the following is a batch script released by Mandiant that will dump live memory from a machine?

A

A286: MemoryDD. The MemoryDD.bat script is part of Mandiant’s free Memoryze suite.

286
Q

Q288: Which of the following Windows wmic commands are similar to the python volatility pslist command?

A

A288: Wmic process get name,parentprocessid,processid. The following wmic command is similar to the Volatility pslist command: ‘wmic process get name,parentprocessid,processid’.

287
Q

Q289: Many of the standard Linux system binaries will be replaced if a rootkit is installed on your system. Which of the following binaries is not typically replaced and might reveal discrepancies when cross-referenced with other commands, indicating that a rootkit is installed?

A

A289: Echo. One way to detect the presence of a rootkit is to compare the output of the ls program with the output from “echo *”. The output should include exactly the same files. “echo *” tells the shell to show the contents of the directory. “echo *” is usually not Trojaned with a rootkit. Therefore, if the unaltered “echo *” output differs from the “ls -la” command, you should be suspicious.

288
Q

Q290: You proactively installed file integrity monitoring software when you installed your Linux system, and later you are alerted that one of the MD5 hashes has changed. Of the following choices, which would be the most reasonable place to identify the source of the file with this new MD5 hash?

A

A290: Internet Storm Center Web interface to NSRL and Team Cymru databases. For a comprehensive set of MD5 and SHA-1 hashes, check the National Software Reference Library (NSRL) created and maintained by NIST. It is free for download across the Internet. Get it at http://www.nsrl.nist.gov. The Internet Storm Center has built a free website that allows users to search the NSRL by simply pasting in an MD5 or SHA1 hash into a Web form. The same search page also allows users to paste in an MD5 hash (not an SHA1 hash) of malware specimens, and it will search the Team Cymru hash registry to look for matching malware.

289
Q

Q291: Which file integrity monitor is free for commercial use and offered as an open-source product?

A

A291: AIDE. User-mode rootkit detection: AIDE is a free, open-source file integrity checker. Tripwire comes in free and commercial packages.

290
Q

Q292: Which of the following choices best describes the purpose of a rootkit?

A

A292: It maintains root access to a system once initially obtained. Contrary to what their name implies, rootkits do not allow an attacker to gain root access. Rootkits depend on an attacker already having root access. To accomplish this, rootkits alter the existing operating system on the victim machine. Rather than adding a new application to the system, as is seen with application-level Trojan horse backdoors, rootkits alter the existing programs on the machine.

291
Q

Q293: What is required in order to inject a DLL into a running process?

A

A293: Debug right. On Windows, anyone with the debug right can inject a DLL into a running process.

292
Q

Q294: Which of the following choices is a rootkit that allows an attacker to use the command Config Console to create the rootkit executable package?

A

A294: AFX. AFX consists of only one executable program, the AFX Windows Rootkit Configuration Console, which is used to configure and generate custom rootkits based on the attacker’s needs.

293
Q

Q295: There are four categories of rootkits commonly used for hiding tools. Which category of hiding tools in the LRK6 suite of tools changes the ls and find commands so that they do not display the attacker’s content when executed?

A

A295: File. In essence, there are four categories of hiding tools: (1) process hiding, (2) network hiding, (3) file hiding, and (4) event hiding. For process hiding, LRK includes a replacement for ps, top, and pidof. For network hiding, the netstat command is changed to hide TCP and UDP ports in use by the attacker. Files are hidden by changing the ls and find commands so that they do not display the attacker’s files. The du command is changed so that it omits the attacker’s files from its disk usage calculation. Finally, the attacker modifies syslogd so that it will not record log events associated with the attacker’s machine and/or accounts on the victim box.

294
Q

Q296: Which LRK component allows for erasing the wtmp and utmp files?

A

A296: Z2. The z2 tool (Zap2) erases utmp, wtmp and lastlog files.

295
Q

Q297: The original rootkits were kept within the computer underground. How were they distributed?

A

A297: Posted on bulletin boards. The original rootkits were kept within the computer underground and distributed via bulletin boards and later Internet relay chat.

296
Q

Q298: Which of the following choices is a rootkit that, when used to compromise a Linux machine, will make changing the system root password ineffective in keeping the attacker from accessing the machine again?

A

A298: LRK6. The LRK6 rootkit replaces sshd with a modified version that includes a backdoor root password. Because the backdoor password is stored in the binary sshd program, even if the system administrator alters the system’s actual root password (or wipes the password file clean), the attacker can still log in as root using the backdoor password.

297
Q

Q299: Which Ring space do user mode applications operate in?

A

A299: Ring 3. User mode applications operate in Ring 3.

298
Q

Q300: Which program is frequently altered by the Kernel Intrusion System (KIS) so that it can survive a reboot?

A

A300: Init. KIS survives across reboot by altering an executable of the attacker’s choice (usually init).

299
Q

Q301: Which of the following is an example of a Linux kernel mode rootkit?

A

A301: KIS. KIS is an example of a Unix kernel-level rootkit that can be used to compromise a Unix system. The other applications are all backdoor applications, not rootkits, and allow an attacker backdoor access to a system.

300
Q

Q302: On which port does the Kernel Intrusion System (KIS) listen?

A

A302: KIS does not listen on a port. Kernel Intrusion System receives commands on the network using a sniffer, but does not listen on a port. It grabs all packets going to some arbitrary UDP port selected by the attacker.

301
Q

Q303: When using the Kernel Intrusion System (KIS), how does an attacker interact with the malicious kernel module?

A

A303: By using a graphical user interface (GUI). KIS is incredibly easy to use. The server configuration occurs through a graphical user interface (GUI). Additionally, the client contacts the server through the GUI. A GUI can be used to hide processes, unhide processes, start programs, and configure execution redirection.

302
Q

Q304: What type of calls need to be made in order for a file integrity checker to open a program file?

A

A304: System kernel. To open a program file, the file system integrity checker has to make calls into the system kernel.

303
Q

Q305: What Windows program verifies the integrity of Ntoskrnl.exe before the kernel is loaded into memory?

A

A305: NTLDR. During the boot process, a program called NTLDR verifies the integrity of Ntoskrnl.exe before the kernel is loaded into memory.

304
Q

Q306: Which virtual machine-based rootkit is implemented as a hypervisor underneath MacOS X running on Core Duo and Core 2 Duo chips (which offer the VT-x instruction set)?

A

A306: Vitriol. The resulting Vitriol rootkit is implemented as a hypervisor underneath MacOS X running on Core Duo and Core 2 Duo chips (which offer the VT-x instruction set).

305
Q

Q307: Which kernel-building package includes an option for creating a kernel that does not support modules?

A

A307: Buildkernel. You could use Bill Stearns’ wonderful kernel-building package (called, appropriately enough, “buildkernel”), at http://www.stearns.org/buildkernel, which includes an option for creating a kernel that does not support modules.

306
Q

Q308: Which files have kernel functionality built into them on Windows machines?

A

A308: Ntoskrnl.exe and win32k.sys. The kernel functionality is built into Windows machines through the following files: ntoskrnl.exe and win32k.sys. On Windows, an attacker would alter Ntoskrnl.exe or win32k.sys with modified software that provides a backdoor and hides an attacker’s presence on the machine.

307
Q

Q309: What method did Stuxnet use to bypass Windows’ mandatory device driver signing?

A

A309: It stole legitimate private keys issued by Microsoft to a legitimate software company and used them to sign malware. Stuxnet was able to steal legitimate private keys issued by Microsoft to a legitimate software company and use them to sign malware. This technique was used in the Stuxnet worm, which relied on stolen signing keys issued to two legitimate companies.

308
Q

Q310: Which of the following is a rootkit that utilizes the system memory map object in Windows?

A

A310: FU. The FU tool utilizes the system memory map object on Windows. The Super User Control Kit (SUCKit) patches the kernel in memory through /dev/kmem in Linux. Sumfuq is a SunOS 4.1.X rootkit. Buildkernel is a kernel-building package.

309
Q

Q311: What do user mode processes rely on in order to interact with the kernel?

A

A311: System calls. To interact with the kernel, user mode processes rely on a concept termed “system calls”. These system calls include functions for executing a program or opening a file.

310
Q

Q312: Which version of Windows was the first to require mandatory device driver signing for Windows kernel components?

A

A312: Vista. Starting with Windows Vista (and following with Windows 7 and Windows 2008), Microsoft required mandatory device driver signing for Windows kernel components.

311
Q

Q313: What Ring does the kernel run in on Linux operating systems?

A

A313: Ring 0. The kernel runs in Ring level 0 on both Linux and Windows operating systems.

312
Q

Q314: Which of the following is the most popular method for manipulating the kernel?

A

A314: Loadable kernel modules. Loadable kernel modules are the most popular method for manipulating the kernel.

313
Q

Q315: What can an attacker do with alternate data streams in an NTFS file system?

A

A315: An attacker can hide multiple files in a single file without disrupting the size or operability of the original file as reported by the dir command. The Windows NT File System (NTFS) supports a feature known as file streaming. Each file acts like a chest of drawers: under the primary file, there can be an arbitrary number of data streams. When data is hidden in an alternate stream, Windows Explorer still only shows the name and size of the original file stream of data (the top drawer or original file).

314
Q

Q316: Which of the following files mainly contains information about the users currently logged into a Unix system?

A

A316: Utmp. On a Unix system, the utmp file contains information about users who are currently logged on to the system. The btmp file contains information about bad log-in attempts. The wtmp file contains information about past, successful log-ins. There is no ctmp file by default.

315
Q

Q317: On a Unix system, which utilities would be used to modify the accounting files to hide an attacker’s log-in history?

A

A317: Use remove.c or other specialized tools to remove specific entries. An attacker cannot simply edit the utmp, wtmp, btmp and lastlog files by hand since they are binary files. An attacker can choose from several tools, including “remove”, “marry”, and others, to alter these files.

316
Q

Q318: What is the period (.) entry in each Unix directory?

A

A318: The current directory. The “.” entry in each directory is the current directory. Typing in “cd .” changes you to the current directory.

317
Q

Q319: On a Unix system, each directory contains which of the following directories?

A

A319: “..”. Every directory on a Unix system contains the “.” directory, which represents the current directory, and the “..” directory, which represents the parent directory.

318
Q

Q320: Which of the following tools can be used to detect alternate data streams on a Windows system?

A

A320: LADS. LADS, by Frank Heyne, is a tool for finding alternate data streams in Windows NT File System (NTFS).

319
Q

Q321: With Windows Vista, Windows 2008 Server, and Windows 7, which specific option did Microsoft add to the dir command, which makes it display a list of ADSs included in the given directory?

A

A321: /r. With Windows Vista, Windows 2008 Server, and Windows 7, Microsoft added the /r option to the dir command, which makes it display a list of ADSs included in the given directory.

320
Q

Q322: Which of the following programs can read data from alternate data streams from a Windows share?

A

A322: Smbclient. The Linux smbclient program can also read data from alternate data streams from a Windows share, but the attacker must know the stream name to be able to refer to it and pull out the data.

321
Q

Q323: Which of the following Unix directories stores information about devices on the system, such as chunks of your hard drive and references to terminals?

A

A323: /dev. /dev is a virtual directory; that is, it doesn’t exist anywhere on your disk. It contains special files (called device files) which work as an interface to the kernel. The files are automatically created and removed by the kernel.

322
Q

Q324: On a Windows system, file streaming applies to which of the following choices?

A

A324: NTFS. File streaming applies only to NTFS partitions; it does not apply to FAT partitions.

323
Q

Q325: Which Linux command may be used to verify the privileges of the current account?

A

A325: Id. The Linux id command can be used to print user identity. For example, it can be used to check user id (uid), group id (gid) and the current user’s effective groups.

324
Q

Q326: Which Linux command can be used to check the kernel version of the system?

A

A326: Uname -a. The uname -a command can be used to check the kernel version of the system.

325
Q

Q327: Which file contains data about past user log-ins?

A

A327: wtmp. The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null user name indicates a logout on the associated terminal.

326
Q

Q328: Which file contains information about current logged-in users?

A

A328: Utmp. The utmp file displays information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.

327
Q

Q329: Which directory on many Unix variants is emptied during a reboot?

A

A329: /tmp. On many Unix variants, the /tmp directory is emptied over a period of time and/or during a reboot.

328
Q

Q330: Which directory on *nix operating systems contains configuration files for the machine?

A

A330: /etc. The /etc directory is often thought to be a bad place to store hidden files because it holds the configuration of the machine.

329
Q

Q331: Which of the following tools carries TCP connections over ICMP echo and reply packets?

A

A331: Ptunnel. The differences between these tunneling tools are that Ptunnel carries TCP connections over ICMP echo and reply packets. Loki carries shell between its Linux client and Linux server software using ICMP echo and reply packets. ICMP Shell is just another Linux shell tool. PingChat is a Windows chat program that leverages ICMP and ICMP Cmd is a Windows shell tool that leverages ICMP.

330
Q

Q332: Which of the following tools, when installed on an internal Linux machine, will allow an external attacker to communicate to the internal network via an outbound connection through an organization’s firewall?

A

A332: Reverse www shell. Reverse www shell is a Linux tool which, when installed on an internal host, can be used to allow an attacker external access to the internal network through the organization’s firewall.

331
Q

Q333: One of the most common ways to hide information as it is transmitted across a network is to use what technique?

A

A333: Tunneling. One of the most common ways to hide information as it is transmitted across a network is to use a technique called tunneling. Tunneling leverages a tunneling protocol, in which one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery network, or provide a secure path through an untrusted network.

332
Q

Q334: Why is a promiscuous sniffing backdoor a particularly difficult thing to track down?

A

A334: A promiscuous sniffing backdoor can take action based on traffic that is not destined for the infected host, making it harder to determine which hosts have the backdoor installed. The backdoor is not located at the destination of the backdoor traffic. If the sniffer is in promiscuous mode, it can gather packets with a destination address of other systems on the local area network (LAN).

333
Q

Q335: With tunneling, which of the following choices is carried inside of another?

A

A335: Protocol. With tunneling, one protocol is carried inside of another protocol.

334
Q

Q336: By comparing and noticing differences in TCP sequence numbers for the same packets at two different points on your network, it might be possible to detect the use of which of the following covert software packages?

A

A336: Nushu. Nushu introduces an unusual anomaly when implementing this process. If investigators run a sniffer, such as tcpdump, on the victim machine, they will see the sequence numbers generated by the normal kernel code. They can then compare those local sequence numbers with the sequence numbers of supposedly the same packets sniffed from somewhere on the network between the victim and ultimate destination. By comparing these two sets of sequence numbers for what are supposed to be the same packets, they will see a difference! The sequence numbers in the packets sniffed locally vs. the packets sniffed from the network will be different by the offset for each session.

335
Q

Q337: During an investigation on your LAN, you see traffic between your DNS server and a host external to your company. After hours of investigation, you fail to find the cause of the traffic. You rebuild the DNS server, only to find the traffic continuing. Which of the following should you look for on other hosts on your DNS server’s LAN?

A

A337: Promiscuous sniffer. Non-promiscuous sniffing backdoors grab data destined only for one machine - the system where the backdoor itself is running. The promiscuous backdoor on the other host on the LAN receives the commands by sniffing them from the LAN. Both hosts are on the same LAN, so the packets can easily be sniffed. Now, here is the part that really throws off the investigators: when sending responses, the backdoor running on the other host on the LAN generates spoofed packets, which appear to be coming from the DNS server. Only later do they realize that the backdoor is not even on the DNS server. Instead, it is a promiscuous mode sniffing backdoor located on the other host on the LAN.

336
Q

Q338: The Covert_TCP program, written by Craig H Rowland, tunnels which of the following, using certain fields in TCP/IP headers?

A

A338: ASCII files. Covert_TCP itself only transfers ASCII files between systems. However, the exact concepts can be used to transport commands for a backdoor shell or any other movement of data across the network.

337
Q

Q339: When an attacker is using the bounce or ack mode of Covert_TCP, what, if anything, must be installed on the bounce server in order to facilitate a covert file transfer?

A

A339: No additional software must be installed. No attacker software is required on the bounce server! All it needs is a TCP/IP stack and network connectivity.

338
Q

Q340: Which of the following tools allows incoming shell access and is hard to discover because it mimics outgoing telnet traffic?

A

A340: Sneakin. Sneakin allows incoming shell access that looks like outgoing telnet. Sneakin is very confusing for firewalls that allow outgoing telnet.

339
Q

Q341: The free Ptunnel tool runs on Linux and Windows and tunnels TCP traffic over which of the following choices?

A

A341: ICMP echo. Ptunnel is one of the most flexible tools in this genre. Written by Daniel Stødle, this free tool runs on Linux or Windows, carrying TCP connections inside of ICMP echo and ICMP echo reply packets.

340
Q

Q342: You discover a lot of traffic from one of your workstations to port 80 on a host outside of your network. Although this looks like normal activity, which of the following might an attacker be implementing to conceal activity on your host?

A

A342: Reverse www shell. HTTP is often used as a reverse shell transport protocol because TCP port 80 outbound is commonly open on packet filtering devices. This can be used to pass commands, and/or interactive shells can be launched back from the destination machine to an attacker/bot machine.

341
Q

Q343: An attacker has installed some reverse www shell software on your host. What primary task does this software permit the attacker to do from a remote host?

A

A343: Execute commands on your host. Approximately every three seconds, the reverse www shell program on the internal system surfs the Internet asking for commands from the attacker’s external machine. The attacker types in commands at the external machine on the Internet and sends the commands back to the victim machine as HTTP responses. These commands are then executed on the internal network host. The results are pushed out with the next Web request.

342
Q

Q344: Ptunnel consists of which of the following two components?

A

A344: Client and proxy. Ptunnel is what’s known as a CGI Proxy service. It leverages a website-based proxy, and clients connect to it to retrieve websites.

343
Q

Q345: What can the Ptunnel proxy use to authenticate the client?

A

A345: An MD5-based challenge/response authentication algorithm. The Ptunnel proxy can be configured to authenticate the Ptunnel client using an MD5-based challenge/response authentication algorithm.

344
Q

Q346: Which technique can be used to apply substitution steganography to a bitmap image?

A

A346: Least significant bit (LSB). Data can be embedded in an image file using a basic technique called LSB (which stands for least significant bit). With this technique, the least significant bits of the image file are replaced with data.

345
Q

Q347: What are the characteristics of the executable file generated by the Hydan tool in comparison to the original executable file?

A

A347: The resulting executable’s file size and behavior are the same as the original. Hydan first encrypts the message with the blowfish encryption algorithm using your passphrase as a key. It then embeds the encrypted message inside the executable program. The result is a single executable that includes the hidden encrypted message. This executable is the same size as the original executable, and has the exact same functionality.

346
Q

Q348: What encryption algorithm does the Hydan tool use to encrypt embedded data?

A

A348: Blowfish. The tool first encrypts the message with the blowfish encryption algorithm using your passphrase as a key.

347
Q

Q349: In contrast to typical steganographic tools, which types of files does Hydan hide data within?

A

A349: Executable. Typical computer steganography techniques hide data in pictures or sounds. However, a tool called Hydan embeds data inside of computer executable programs, without altering the program’s function or size!

348
Q

Q350: What is a common characteristic of encrypted data?

A

A350: The histogram of encrypted data looks flat and has an even distribution of characters. The histogram for encrypted text is flat while the histogram for normal text is nonuniform. It is easy for an automated program to distinguish between encrypted and unencrypted text.

349
Q

Q351: You are using the substitution method of steganography. Comparing the resulting file with the original, which of the following is sure to remain unchanged?

A

A351: Image size. Another technique for hiding data in a file is substitution. Data in a host file can be replaced or substituted with the message to be hidden. If there is a small amount of text to be hidden, little change will occur to the host file. If a large amount of text is to be hidden, the host file could be degraded significantly. In order to make this technique undetectable to the human observer, substitution usually replaces insignificant data in the host file.

350
Q

Q352: Someone has concealed a message in an image file by using the S-tools steganography tool. You have generated histograms of the color tables for both images. Compared to the histogram of the original image, the histogram for the image with the hidden content will match which of the following descriptions?

A

A352: Not as flat as the original. A normal bitmap image has few near-duplicate colors because of the inherent randomness in a photographic picture. Its color histogram is quite flat. A bitmap hiding embedded data has a larger number of near-duplicate colors and, therefore, will have a color histogram that looks different from a normal image.

351
Q

Q353: Which of the following does steganography try to provide, that encryption lacks?

A

A353: Secrecy. Cryptography (crypto) is a tool to protect confidentiality and integrity and provide nonrepudiation for the senders of data. However, despite all of these benefits, crypto does not guarantee the secrecy of your data. Stego can be used for a variety of reasons but most often it is used to conceal the fact that sensitive information is being sent or stored. It can also be used to disguise encrypted data. This helps prevent attacks on encrypted data or in scenarios where encrypted data is inappropriate for transmissions (e.g., in countries where encryption is against the law).

352
Q

Q354: Steganography conceals a hidden message inside which of the following?

A

A354: Overt message. Steganography (stego) works by embedding a secret message within an open or overt message. Everyone will see the overt message, but will never know that it is a cover for the real message hidden inside.

353
Q

Q355: Which of the following steganography tools can hide data in audio files?

A

A355: MP3Stego. MP3Stego hides data in Motion Pictures Experts Group (MPEG) audio files. Invisible Secrets hides data in banner ads that appear on websites. Stash hides data in a variety of image formats. S-Mail hides data in EXE and dynamic-linked library (DLL) files.

354
Q

Q356: Which of the following tools can be used to determine whether an image has been steganographically altered?

A

A356: StegDetect. The StegDetect tool can be used to identify steganography in use in JPEG images. It looks for data hidden using the JSteg, Jphide, Invisible Secrets, and Outguess programs, as well as other stego tools.

355
Q

Q357: S-Tools changes the colors in a bitmap’s color table. How many color possibilities does an 8-bit image contain?

A

A357: 256. An 8-bit color image has 256 possible colors. This number can be generated by calculating 2 raised to the 8th power (2^8). S-Tools introduces other colors similar to those in the image (256). These new colors are undetectable to the human eye, but are used in conjunction with the existing colors to hide data.

356
Q

Q358: Which of the following steganography techniques replaces insignificant data in the host file?

A

A358: Substitution. In order to make the substitution technique undetectable to the human observer, substitution usually replaces insignificant data in the host file. With injection, data is added to a host file in such a way that a program reading the file ignores the added data. Generating a new file eliminates the need for a host file. The secret message itself can be used to generate a new file.

357
Q

Q359: What data structure contains the colors used in a bitmap image?

A

A359: Color look-up table. A normal bitmap image with 8 bits representing each color has 256 possible colors. These colors are represented in the color look-up table.

358
Q

Q360: What steganography method is used by S-Tools to hide data in bitmap files?

A

A360: Substitution. There are three different types or classifications of steganography. The first classification used hides a message within a file, by either injecting it or embedding it. This can and will increase the size of the file, thus making it noticeable to a trained eye. A second option may be to replace certain information in a file. This method would not increase the size and make it much harder to detect. This method is often referred to as substitution. A final method is the newest technique. It creates a new text file or image based on the secret information you want to hide.

359
Q

Q361: Given that credit card heists are on the rise, how much do unused stolen credit cards generally go for on the black market?

A

A361: Up to one dollar per number. On the black market, an unused stolen credit card number typically sells for 50 cents to a dollar. Thus, with a heist of a million cards, the attacker could get upwards of a million dollars.

360
Q

Q362: Starting in 2003, which of the following states required its citizens to be informed if their personally identifiable information was breached?

A

A362: California. When personally identifiable information for citizens of the state of California is exposed, those citizens must be informed, as a matter of California law.

361
Q

Q363: You maintain the company’s user accounts and passwords. You receive a phone call from a person claiming to have forgotten his password. What is the first step you should take?

A

A363: Authenticate the caller. Be careful about revealing information about an account or believing what you are told. You could be experiencing a social engineering attack. Authenticate the user before proceeding.

362
Q

Q364: You work at a company that does not have enough employees to regularly review your log files. Until that can be addressed, what is the most important step you can take to avoid a compromise?

A

A364: Regularly look for and remediate each vulnerability you find. While the other steps are important, if you cannot detect an attack, you should prevent one from happening. Make sure that all software receives detailed security scrutiny through a vulnerability assessment or penetration tests, so that you can find vulnerabilities before attackers do.

363
Q

Q365: Your company’s SSH server has an unpatched vulnerability with no fix available. Which of the following steps should you make sure to do?

A

A365: Review your SSH server log files. Although diligent log reviews may not stop an attack entirely, they can allow you to discover the attacker early in the process, minimizing the damage to your reputation and finances.

364
Q

Q366: You are away on a vacation. When you finally decide to check your e-mail for work, you realize you have forgotten your password. Which of the following is the most secure step to take?

A

A366: Speak with the admin over the phone to set a new password. You do not want passwords to become compromised by social engineering or because they are weak. Ideally, a phone call will let the admin authenticate the account holder. An e-mailed password could be intercepted or obtained by someone using social engineering. A weak password could be guessed. Employees should use their own accounts, not those of others, for auditing and accountability reasons.

365
Q

Q367: Which of the following is the most secure password policy?

A

A367: Install software to force strong password complexity. Configure systems with tools that force password complexity so that users and administrators cannot choose trivial-to-guess passwords.

366
Q

Q368: Customer credit card data should be which of the following?

A

A368: If required, retained for as short a time as possible. Storing credit card numbers or other sensitive data online for longer than is required is a major security risk. Most organizations have no need to retain credit card numbers at all, or, if they do, they only require the data for a maximum of several days to support returns and refunds.

367
Q

Q369: Which of the following is the most secure way to permit connections to wireless access points?

A

A369: Require cryptographic authentication. MAC address filtering at access points is a security measure that is easily bypassed by an attacker running Wellenreiter or any other wireless sniffer. Likewise, configuring access points to remove SSIDs from their beacons and disabling responses to probe requests with any SSID are only marginal increases in security, easily bypassed using these same tools. Rely instead on cryptographic authentication for access to the network, using protocols such as 802.11i.

368
Q

Q370: The FTP server in your DMZ has been replaced with the secure copy functionality provided by SSH. Which of the following is the most secure step to take now with the FTP server?

A

A370: Disable the service. All services without a defined business need should be disabled, lest they offer an avenue for an attacker to gain access.

369
Q

Q371: When scanning for vulnerable machines, an attacker finds a machine with port 53 open. What type of server has the attacker found?

A

A371: A DNS server. DNS servers listen on port 53 for queries from DNS clients.

370
Q

Q372: During reconnaissance, which of the following can provide an attacker with information such as a target organization’s IP address space?

A

A372: InterNIC. InterNIC provides the public information regarding Internet domain name registration services for a particular domain/website.