Examen 5 Flashcards
(125 cards)
1
Q
Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries.) More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries and that are related to various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.
Basic example to understand how cryptography works is given below:
SECURE (plain text)
+1 (+1 next letter, for example, the letter “”T”” is used for “”S”” to encrypt.)
TFDVSF (encrypted text)
+=logic=> Algorithm
1=Factor=> Key
Which of the following choices is true about cryptography?
A. Algorithm is not the secret, key is the secret.
B. Symmetric-key algorithms are a class of algorithms for cryptography that use the different cryptographic keys for both encryption of plaintext and decryption of ciphertext.
C. Secure Sockets Layer (SSL) use the asymmetric encryption both (public/private key pair) to deliver the shared session key and to achieve a communication way.
D. Public-key cryptography, also known as asymmetric cryptography, public key is for decrypt, private key is for encrypt.
A
C. Secure Sockets Layer (SSL) use the asymmetric encryption both (public/private key pair) to deliver the shared session key and to achieve a communication way.
2
Q
Which of the following cryptography attack is an understatement for the extraction of
cryptographic secrets (e.g. the password to an encrypted file) from a person by a coercion or torture?
A. Chosen-Cipher text Attack
B. Ciphertext-only Attack
C. Timing Attack
D. Rubber Hose Attack
A
D. Rubber Hose Attack
3
Q
Which of the following is a detective control? A. Smart card authentication B. Security policy C. Audit trail D. Continuity of operations plan
A
C. Audit trail
4
Q
Which of the following is a common Service Oriented Architecture (SOA) vulnerability? A. Cross-site scripting B. SQL injection C. VPath injection D. XML denial of service issues
A
D. XML denial of service issues
5
Q
Which of the following is considered as one of the most reliable forms of TCP scanning? A. TCP Connect/Full Open Scan B. Half-open Scan C. NULL Scan D. Xmas Scan
A
A. TCP Connect/Full Open Scan
6
Q
Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?
A. To determine who is the holder of the root account
B. To perform a DoS
C. To create needless SPAM
D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
E. To test for virus protection
A
D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
7
Q
………. is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.
Fill in the blank with appropriate choice.
A. Collision Attack
B. Evil Twin Attack
C. Sinkhole Attack
D. Signal Jamming Attack
A
B. Evil Twin Attack
8
Q
Which NMAP feature can a tester implement or adjust while scanning for open ports to avoid detection by the network’s IDS?
A. Timing options to slow the speed that the port scan is conducted
B. Fingerprinting to identify which operating systems are running on the network
C. ICMP ping sweep to determine which hosts on the network are not available
D. Traceroute to control the path of the packets sent during the scan
A
A. Timing options to slow the speed that the port scan is conducted
9
Q
Susan has attached to her company’s network. She has managed to synchronize her boss’s sessions with that of the file server. She then intercepted his traffic destined for the server, changed it the way she wanted to and then placed it on the server in his home directory.
What kind of attack is Susan carrying on?
A. A sniffing attack
B. A spoofing attack
C. A man in the middle attack
D. A denial of service attack
A
C. A man in the middle attack
10
Q
Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew opened the said file. Without his knowledge, the file copies itself to Matthew's APPDATA\IocaI directory and begins to beacon to a Command-and-control server to download additional malicious binaries. What type of malware has Matthew encountered? A. Key-logger B. Trojan C. Worm D. Macro Virus
A
B. Trojan
11
Q
Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability. What is this style of attack called? A. zero-day B. zero-hour C. zero-sum D. no-day
A
A. zero-day
12
Q
A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?
A. Implementing server-side PKI certificates for all connections
B. Mandating only client-side PKI certificates for all connections
C. Requiring client and server PKI certificates for all connections
D. Requiring strong authentication for all DNS queries
A
C. Requiring client and server PKI certificates for all connections
13
Q
What is not a PCI compliance recommendation?
A. Limit access to card holder data to as few individuals as possible.
B. Use encryption to protect all transmission of card holder data over any public network.
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
D. Use a firewall between the public network and the payment card data.
A
C. Rotate employees handling credit card transactions on a yearly basis to different departments.
14
Q
When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameter and headers manually to get more precise results than if using web vulnerability scanners.
What proxy tool will help you find web vulnerabilities?
A. Burpsuite
B. Maskgen
C. Dimitry
D. Proxychains
A
A. Burpsuite
15
Q
Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest? A. MD5 B. SHA-1 C. RC4 D. MD4
A
B. SHA-1
16
Q
During a penetration test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspection is the firewall conducting? A. Host B. Stateful C. Stateless D. Application
A
C. Stateless
17
Q
Which tool allows analysts and pen testers to examine links between data using graphs and link analysis? A. Maltego B. Cain & Abel C. Metasploit D. Wireshark
A
A. Maltego
18
Q
This configuration allows NIC to pass all traffic it receives to the Central Processing Unit (CPU), instead of passing only the frames that the controller is intended to receive. Select the option that BEST describes the above statement. A. Multi-cast mode B. WEM C. Promiscuous mode D. Port forwarding
A
C. Promiscuous mode
19
Q
Yancey is a network security administrator for a large electric company. This company provides power for over 100, 000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him.
What would Yancey be considered?
A. Yancey would be considered a Suicide Hacker
B. Since he does not care about going to jail, he would be considered a Black Hat
C. Because Yancey works for the company currently; he would be a White Hat
D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing
A
A. Yancey would be considered a Suicide Hacker
20
Q
An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job?
A. Use fences in the entrance doors.
B. Install a CCTV with cameras pointing to the entrance doors and the street.
C. Use an IDS in the entrance doors and install some of them near the corners.
D. Use lights in all the entrance doors and along the company’s perimeter.
A
B. Install a CCTV with cameras pointing to the entrance doors and the street.
21
Q
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack?
A. Injecting parameters into a connection string using semicolons as a separator
B. Inserting malicious Javascript code into input parameters
C. Setting a user’s session identifier (SID) to an explicit known value
D. Adding multiple parameters with the same name in HTTP requests
A
A. Injecting parameters into a connection string using semicolons as a separator
22
Q
You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly.
What is the best nmap command you will use?
A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -r 10.10.1.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -q 10.10.0.0/24
A
A. nmap -T4 -F 10.10.0.0/24
23
Q
Suppose you've gained access to your client's hybrid network. On which port should you listen to in order to know which Microsoft Windows workstations has its file sharing enabled? A. 1433 B. 161 C. 445 D. 3389
A
C. 445
24
Q
The company ABC recently discovered that their new product was released by the opposition before their premiere. They contract an investigator who discovered that the maid threw away papers with confidential information about the new product and the opposition found it in the garbage. What is the name of the technique used by the opposition? A. Hack attack B. Sniffing C. Dumpster diving D. Spying
A
C. Dumpster diving
25
When you return to your desk after a lunch break, you notice a strange email in your inbox. The sender is someone you did business with recently, but the subject line has strange characters in it. What should you do?
A. Forward the message to your company's security response team and permanently delete the message from your computer.
B. Reply to the sender and ask them for more information about the message contents.
C. Delete the email and pretend nothing happened
D. Forward the message to your supervisor and ask for her opinion on how to handle the situation
A. Forward the message to your company's security response team and permanently delete the message from your computer.
26
```
Which of the following is a symmetric cryptographic standard?
A. DSA
B. PKI
C. RSA
D. 3DES
```
D. 3DES
27
In this attack, a victim receives an e-mail claiming from PayPal stating that their account has been disabled and confirmation is required before activation. The attackers then scam to collect not one but two credit card numbers, ATM PIN number and other personal details. Ignorant users usually fall prey to this scam. Which of the following statement is incorrect related to this attack?
A. Do not reply to email messages or popup ads asking for personal or financial information
B. Do not trust telephone numbers in e-mails or popup ads
C. Review credit card and bank account statements regularly
D. Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks
E. Do not send credit card numbers, and personal or financial information via e-mail
D. Antivirus, anti-spyware, and firewall software can very easily detect these type of attacks
28
ICMP ping and ping sweeps are used to check for active systems and to check
A. if ICMP ping traverses a firewall.
B. the route that the ICMP ping took.
C. the location of the switchport in relation to the ICMP ping.
D. the number of hops an ICMP ping takes to reach a destination.
A. if ICMP ping traverses a firewall.
29
While conducting a penetration test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse?
A. Packet filtering firewall
B. Application-level firewall
C. Circuit-level gateway firewall
D. Stateful multilayer inspection firewall
C. Circuit-level gateway firewall
30
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?
(Tiene el protocolo IPP: Internet Printing Protocol)
A. The host is likely a printer.
B. The host is likely a Windows machine.
C. The host is likely a Linux machine.
D. The host is likely a router.
A. The host is likely a printer.
31
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks?
A. Port security
B. A Layer 2 Attack Prevention Protocol (LAPP)
C. Dynamic ARP inspection (DAI)
D. Spanning tree
C. Dynamic ARP inspection (DAI)
32
```
What would you enter, if you wanted to perform a stealth scan using Nmap?
A. nmap -sU
B. nmap -sS
C. nmap -sM
D. nmap -sT
```
B. nmap -sS
33
Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?
A. The victim user must open the malicious link with an Internet Explorer prior to version 8.
B. The session cookies generated by the application do not have the HttpOnly flag set.
C. The victim user must open the malicious link with a Firefox prior to version 3.
D. The web application should not use random tokens.
D. The web application should not use random tokens.
34
What is the best Nmap command to use when you want to list all devices in the same
network quickly after you successfully identified a server whose IP address is 10.10.0.5?
A. nmap -T4 -F 10.10.0.0/24
B. nmap -T4 -q 10.10.0.0/24
C. nmap -T4 -O 10.10.0.0/24
D. nmap -T4 -r 10.10.1.0/24
A. nmap -T4 -F 10.10.0.0/24
35
```
In Wireshark, the packet bytes panes show the data of the current packet in which format?
A. Decimal
B. ASCII only
C. Binary
D. Hexadecimal
```
D. Hexadecimal
36
```
While doing a Black box pen test via the TCP port (80), you noticed that the traffic gets blocked when you tried to pass IRC traffic from a web enabled host. However, you also noticed that outbound HTTP traffic is being allowed. What type of firewall is being utilized for the outbound traffic?
A. Stateful
B. Application
C. Circuit
D. Packet Filtering
```
B. Application
37
What is the correct process for the TCP three-way handshake connection establishment and connection termination?
A. Connection Establishment: FIN, ACK-FIN, ACKConnection Termination: SYN, SYN-ACK, ACK
B. Connection Establishment: SYN, SYN-ACK, ACKConnection Termination: ACK, ACK-SYN, SYN
C. Connection Establishment: ACK, ACK-SYN, SYNConnection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACKConnection Termination: FIN, ACK-FIN, ACK
D. Connection Establishment: SYN, SYN-ACK, ACKConnection Termination: FIN, ACK-FIN, ACK
38
```
As an Ethical Hacker you are capturing traffic from your customer network with Wireshark and you need to find and verify just SMTP traffic. What command in Wireshark will help you to find this kind of traffic?
A. request smtp 25
B. tcp.port eq 25
C. smtp port
D. tcp.contains port 25
```
B. tcp.port eq 25
39
```
Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?
A. Service Oriented Architecture
B. Object Oriented Architecture
C. Lean Coding
D. Agile Process
```
A. Service Oriented Architecture
40
```
What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall?
A. Firewalking
B. Session hijacking
C. Network sniffing
D. Man-in-the-middle attack
```
A. Firewalking
41
```
The collection of potentially actionable, overt, and publicly available information is known as
A. Open-source intelligence
B. Human intelligence
C. Social intelligence
D. Real intelligence
```
A. Open-source intelligence
42
```
Which of the following parameters enables NMAP's operating system detection feature?
A. NMAP -sV
B. NMAP -oS
C. NMAP -sR
D. NMAP -O
```
D. NMAP -O
43
```
Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?
A. PKI
B. single sign on
C. biometrics
D. SOA
```
A. PKI
44
What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities?
A. Security through obscurity
B. Host-Based Intrusion Detection System
C. Defense in depth
D. Network-Based Intrusion Detection System
C. Defense in depth
45
An attacker attaches a rogue router in a network. He wants to redirect traffic to a LAN attached to his router as part of a man-in-the-middle attack. What measure on behalf of the legitimate admin can mitigate this attack?
A. Only using OSPFv3 will mitigate this risk.
B. Make sure that legitimate network routers are configured to run routing protocols with authentication.
C. Redirection of the traffic cannot happen unless the admin allows it explicitly.
D. Disable all routing protocols and only use static routes.
B. Make sure that legitimate network routers are configured to run routing protocols with authentication.
46
Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?
A. They provide a repeatable framework.
B. Anyone can run the command line scripts.
C. They are available at low cost.
D. They are subject to government regulation.
A. They provide a repeatable framework.
47
Darius is analysing logs from IDS. He want to understand what have triggered one alert and verify if it's true positive or false positive. Looking at the logs he copy and paste basic details like below:
source IP: 192.168.21.100
source port: 80
destination IP: 192.168.10.23
destination port: 63221
What is the most proper answer.
A. This is most probably true negative.
B. This is most probably true positive which triggered on secure communication between client and server.
C. This is most probably false-positive, because an alert triggered on reversed traffic.
D. This is most probably false-positive because IDS is monitoring one direction traffic.
A. This is most probably true negative.
48
You are tasked to perform a penetration test. While you are performing information
gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network.
What testing method did you use?
A. Social engineering
B. Tailgating
C. Piggybacking
D. Eavesdropping
A. Social engineering
49
SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts. Which of the following features makes this possible? (Choose two.)
A. It used TCP as the underlying protocol.
B. It uses community string that is transmitted in clear text.
C. It is susceptible to sniffing.
D. It is used by all network devices on the market.
B. It uses community string that is transmitted in clear text.
D. It is used by all network devices on the market.
50
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below.
TCP port 21 - no response
TCP port 22 - no response
TCP port 23 - Time-to-live exceeded
What conclusions can be drawn based on these scan results?
A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.
B. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server.
C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
D. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.
C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
51
```
Which of the following is a component of a risk assessment?
A. Physical security
B. Administrative safeguards
C. DMZ
D. Logical interface
```
B. Administrative safeguards
52
```
Which cipher encrypts the plain text digit (bit or byte) one by one?
A. Classical cipher
B. Block cipher
C. Modern cipher
D. Stream cipher
```
D. Stream cipher
53
```
hich type of access control is used on a router or firewall to limit network activity?
A. Mandatory
B. Discretionary
C. Rule-based
D. Role-based
```
C. Rule-based
54
```
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?
A. Birthday
B. Brute force
C. Man-in-the-middle
D. Smurf
```
B. Brute force
55
```
Which of the following is designed to identify malicious attempts to penetrate systems?
A. Intrusion Detection System
B. Firewall
C. Proxy
D. Router
```
A. Intrusion Detection System
56
```
Which of the following is assured by the use of a hash?
A. Integrity
B. Confidentiality
C. Authentication
D. Availability
```
A. Integrity
57
```
What is the minimum number of network connections in a multi homed firewall?
A. 3
B. 5
C. 4
D. 2
```
A. 3
58
How does the Address Resolution Protocol (ARP) work?
A. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.
C. It sends a reply packet for a specific IP, asking for the MAC address.
D. It sends a request packet to all the network elements, asking for the domain name from a specific IP.
A. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
59
```
Which security strategy requires using several, varying methods to protect IT systems against attacks?
A. Defense in depth
B. Three-way handshake
C. Covert channels
D. Exponential backoff algorithm
```
A. Defense in depth
60
```
Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service?
A. Port scanning
B. Banner grabbing
C. Injecting arbitrary data
D. Analyzing service response
```
D. Analyzing service response
61
How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0's
B. The right most portion of the hash is always the same
62
Which of the following guidelines or standards is associated with the credit card industry?
A. Control Objectives for Information and Related Technology (COBIT)
B. Sarbanes-Oxley Act (SOX)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standards (PCI DSS)
D. Payment Card Industry Data Security Standards (PCI DSS)
63
Identify the correct terminology that defines the above statement.
“Testing the network using the same methodologies and tools deployed by attackers”
A. Vulnerability Scanning
B. Penetration Testing
C. Security Policy Implementation
D. Designing Network Security
B. Penetration Testing
64
An attacker tries to do banner grabbing on a remote web server and executes the following command. Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
What did the hacker accomplish?
A. nmap can't retrieve the version number of any running remote service.
B. The hacker successfully completed the banner grabbing.
C. The hacker should've used nmap -O host.domain.com.
D. The hacker failed to do banner grabbing as he didn't get the version of the Apache web server.
B. The hacker successfully completed the banner grabbing.
65
What is the main difference between a "Normal" SQL Injection and a "Blind" SQL Injection vulnerability?
A. The request to the web server is not visible to the administrator of the vulnerable application.
B. The attack is called "Blind" because, although the application properly filters user input, it is still vulnerable to code injection.
C. The successful attack does not show an error message to the administrator of the affected
application.
D. The vulnerable application does not display errors with information about the injection results to the attacker.
D. The vulnerable application does not display errors with information about the injection results to the attacker.
66
Fingerprinting an Operating System helps a cracker because:
A. It defines exactly what software you have installed
B. It opens a security-delayed window based on the port being scanned
C. It doesn't depend on the patches that have been applied to fix existing security holes
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system
D. It informs the cracker of which vulnerabilities he may be able to exploit on your system
67
```
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number?
A. TCP
B. UPD
C. ICMP
D. UPX
```
You are attempting to man-in-the-middle a session. Which protocol will allow you to guess a sequence number?
68
First thing you do every office day is to check your email inbox. One morning, you received an email from your best friend and the subject line is quite strange. What should you do?
A. Delete the email and pretend nothing happened.
B. Forward the message to your supervisor and ask for her opinion on how to handle the situation.
C. Forward the message to your company's security response team and permanently delete the message from your computer.
D. Reply to the sender and ask them for more information about the message contents.
C. Forward the message to your company's security response team and permanently delete the message from your computer.
69
```
During a blackbox pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?
A. Application
B. Circuit
C. Stateful
D. Packet Filtering
```
A. Application
70
Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?
A. It is a network fault and the originating machine is in a network loop
B. It is a worm that is malfunctioning or hardcoded to scan on port 500
C. The attacker is trying to detect machines on the network which have SSL enabled
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec
D. The attacker is trying to determine the type of VPN implementation and checking for IPSec
71
Take a look at the following attack on a Web Server using obstructed URL:
How would you protect from these attacks?
A. Configure the Web Server to deny requests involving "hex encoded" characters
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active Scripts Detection at the firewall and routers
B. Create rules in IDS to alert on strange Unicode requests
72
Which of the following does proper basic configuration of snort as a network intrusion
detection system require?
A. Limit the packets captured to the snort configuration file.
B. Capture every packet on the network segment.
C. Limit the packets captured to a single segment.
D. Limit the packets captured to the /var/log/snort directory.
A. Limit the packets captured to the snort configuration file.
73
```
Defining rules, collaborating human workforce, creating a backup plan, and testing the plans are within what phase of the Incident Handling Process?
A. Preparation phase
B. Containment phase
C. Recovery phase
D. Identification phase
```
A. Preparation phase
74
Which of the following BEST describes how Address Resolution Protocol (ARP) works?
A. It sends a reply packet for a specific IP, asking for the MAC address
B. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP
C. It sends a request packet to all the network elements, asking for the domain name from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP
D. It sends a request packet to all the network elements, asking for the MAC address from a specific IP
75
It is a short-range wireless communication technology that allows mobile phones,
computers and other devices to connect and communicate. This technology intends to replace cables connecting portable devices with high regards to security.
A. Bluetooth
B. Radio-Frequency Identification
C. WLAN
D. InfraRed
A. Bluetooth
76
What is the benefit of performing an unannounced Penetration Testing?
A. The tester will have an actual security posture visibility of the target network.
B. Network security would be in a "best state" posture.
C. It is best to catch critical infrastructure unpatched.
D. The tester could not provide an honest analysis.
A. The tester will have an actual security posture visibility of the target network.
77
```
A hacker was able to easily gain access to a website. He was able to log in via the frontend user login form of the website using default or commonly used credentials. This exploitation is an example of what Software design flaw?
A. Insufficient security management
B. Insufficient database hardening
C. Insufficient input validation
D. Insufficient exception handling
```
B. Insufficient database hardening
78
When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following?
A. Drops the packet and moves on to the next one
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Blocks the connection with the source IP address in the packet
B. Continues to evaluate the packet until all rules are checked
79
```
If there is an Intrusion Detection System (IDS) in intranet, which port scanning technique cannot be used?
A. Spoof Scan
B. TCP Connect scan
C. TCP SYN
D. Idle Scan
```
C. TCP SYN
80
```
You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it.
What tool will help you with the task?
A. Metagoofil
B. Armitage
C. Dimitry
D. cdpsnarf
```
A. Metagoofil
81
The network administrator contacts you and tells you that she noticed the temperature on the internal wireless router increases by more than 20% during weekend hours when the office was closed. She asks you to investigate the issue because she is busy dealing with a big conference and she doesn't have time to perform the task.
What tool can you use to view the network traffic being sent and received by the wireless router?
A. Wireshark
B. Nessus
C. Netcat
D. Netstat
A. Wireshark
82
This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.
Which of the following tools is being described?
A. Aircrack-ng
B. Airguard
C. WLAN-crack
D. wificracker
A. Aircrack-ng
83
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", that the user is directed to a phishing site.
Which file does the attacker need to modify?
A. Hosts
B. Sudoers
C. Boot.ini
D. Networks
A. Hosts
84
```
Bob is going to perform an active session hijack against Brownies Inc. He has found a target that allows session oriented connections (Telnet) and performs the sequence prediction on the target operating system. He manages to find an active session due to the high level of traffic on the network. What is Bob supposed to do next?
A. Take over the session
B. Reverse sequence prediction
C. Guess the sequence numbers
D. Take one of the parties offline
```
C. Guess the sequence numbers
85
```
The security concept of "separation of duties" is most similar to the operation of which type of security device?
A. Firewall
B. Bastion host
C. Intrusion Detection System
D. Honeypot
```
A. Firewall
86
```
From the following table, identify the wrong answer in terms of Range (ft).
A. 802.11b
B. 802.11g
C. 802.16(WiMax)
D. 802.11a
```
D. 802.11a
87
You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?
A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
acceptable levels.
B. Interview all employees in the company to rule out possible insider threats.
C. Establish attribution to suspected attackers.
D. Start the wireshark application to start sniffing network traffic.
A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
88
Why containers are less secure that virtual machines?
A. Host OS on containers has a larger surface attack.
B. Containers may full fill disk space of the host.
C. A compromise container may cause a CPU starvation of the host.
D. Containers are attached to the same virtual network.
A. Host OS on containers has a larger surface attack.
89
```
To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?
A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Intrusion Detection System
```
A. Vulnerability scanner
90
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories:
lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?
A. Online Attack
B. Dictionary Attack
C. Brute Force Attack
D. Hybrid Attack
D. Hybrid Attack
91
When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation.
What command will help you to search files using Google as a search engine?
A. site: target.com filetype:xls username password email
B. inurl: target.com filename:xls username password email
C. domain: target.com archive:xls username password email
D. site: target.com file:xls username password email
A. site: target.com filetype:xls username password email
92
```
Which Metasploit Framework tool can help penetration tester for evading Anti-virus
Systems?
A. msfpayload
B. msfcli
C. msfencode
D. msfd
```
C. msfencode
93
Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139.
What protocol is most likely to be listening on those ports?
A. Finger
B. FTP
C. Samba
D. SMB
D. SMB
94
```
At a Windows Server command prompt, which command could be used to list the running services?
A. Sc query type= running
B. Sc query \\servername
C. Sc query
D. Sc config
```
C. Sc query
95
The fundamental difference between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following?
A. Multiple keys for non-repudiation of bulk data
B. Different keys on both ends of the transport medium
C. Bulk encryption for data transmission over fiber
D. The same key on each end of the transmission medium
D. The same key on each end of the transmission medium
96
What mechanism in Windows prevents a user from accidentally executing a potentially malicious batch (.bat) or PowerShell (.ps1) script?
A. User Access Control (UAC)
B. Data Execution Prevention (DEP)
C. Address Space Layout Randomization (ASLR)
D. Windows firewall
B. Data Execution Prevention (DEP)
97
Knowing the nature of backup tapes, which of the following is the MOST RECOMMENDED way of storing backup tapes?
A. In a cool dry environment
B. Inside the data center for faster retrieval in a fireproof safe
C. In a climate controlled facility offsite
D. On a different floor in the same building
C. In a climate controlled facility offsite
98
```
Which of the following tools would MOST LIKELY be used to perform security audit on various of forms of network systems?
A. Intrusion Detection System
B. Vulnerability scanner
C. Port scanner
D. Protocol analyzer
```
B. Vulnerability scanner
99
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set:
Untrust (Internet) - (Remote network = 217.77.88.0/24)
DMZ (DMZ) - (11.12.13.0/24)
Trust (Internet) - (192.168.0.0/24)
The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement?
A. Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389
B. Permit 217.77.88.12 11.12.13.50 RDP 3389
C. Permit 217.77.88.12 11.12.13.0/24 RDP 3389
D. Permit 217.77.88.0/24 11.12.13.50 RDP 3389
B. Permit 217.77.88.12 11.12.13.50 RDP 3389
100
A consultant has been hired by the V.P. of a large financial organization to assess the company's security posture. During the security testing, the consultant comes across child pornography on the V.P.'s computer.
What is the consultant's obligation to the financial organization?
A. Say nothing and continue with the security testing.
B. Stop work immediately and contact the authorities.
C. Delete the pornography, say nothing, and continue security testing.
D. Bring the discovery to the financial organization's human resource department.
B. Stop work immediately and contact the authorities.
101
Tess King is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain.
What do you think Tess King is trying to accomplish? Select the best answer.
A. A zone harvesting
B. A zone transfer
C. A zone update
D. A zone estimate
B. A zone transfer
102
```
Which of the following is a protocol specifically designed for transporting event messages?
A. SYSLOG
B. SMS
C. SNMP
D. ICMP
```
A. SYSLOG
103
Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the following attack scenarios will compromise the privacy of her data?
A. None of these scenarios compromise the privacy of Alice's data
B. Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew's attempt to access the stored data
C. Hacker Harry breaks into the cloud server and steals the encrypted data
D. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before
D. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before
104
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:
You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool.
The access-list configured at the router prevents you from establishing a successful connection.
You want to retrieve the Cisco configuration from the router. How would you proceed?
A. Use the Cisco's TFTP default password to connect and download the configuration file
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
105
In order to prevent particular ports and applications from getting packets into an organization, what does a firewall check?
A. Network layer headers and the session layer port numbers
B. Presentation layer headers and the session layer port numbers
C. Application layer port numbers and the transport layer headers
D. Transport layer port numbers and application layer headers
D. Transport layer port numbers and application layer headers
106
```
You have successfully gained access to your client's internal network and successfully comprised a Linux server which is part of the internal IP network. You want to know which Microsoft Windows workstations have file sharing enabled. Which port would you see listening on these Windows machines in the network?
A. 445
B. 3389
C. 161
D. 1433
```
A. 445
107
```
The following are types of Bluetooth attack EXCEPT_____?
A. Bluejacking
B. Bluesmaking
C. Bluesnarfing
D. Bluedriving
```
D. Bluedriving
108
Destination unreachable administratively prohibited messages can inform the hacker to what?
A. That a circuit level proxy has been installed and is filtering traffic
B. That his/her scans are being blocked by a honeypot or jail
C. That the packets are being malformed by the scanning software
D. That a router or other packet-filtering device is blocking traffic
E. That the network is functioning normally
D. That a router or other packet-filtering device is blocking traffic
109
```
A possibly malicious sequence of packets that were sent to a web server has been captured by an Intrusion Detection System (IDS) and was saved to a PCAP file. As a network administrator, you need to determine whether this packets are indeed malicious. What tool are you going to use?
A. Intrusion Prevention System (IPS)
B. Vulnerability scanner
C. Protocol analyzer
D. Network sniffer
```
C. Protocol analyzer
110
```
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?
A. The host is likely a Windows machine.
B. The host is likely a Linux machine.
C. The host is likely a router.
D. The host is likely a printer.
```
D. The host is likely a printer.
111
Which results will be returned with the following Google search query? site:target.com -site:Marketing.target.com accounting
A. Results matching all words in the query
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
C. Results from matches on the site marketing.target.com that are in the domain target.com but do not include the word accounting
D. Results for matches on target.com and Marketing.target.com that include the word "accounting"
B. Results matching "accounting" in domain target.com but not on the site Marketing.target.com
112
What is the most common method to exploit the "Bash Bug" or "ShellShock" vulnerability?
A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
B. Manipulate format strings in text fields
C. SSH
D. SYN Flood
A. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
113
```
It is an entity or event with the potential to adversely impact a system through unauthorized access, destruction, disclosure, denial of service or modification of data. Which of the following terms best matches the definition?
A. Threat
B. Attack
C. Vulnerability
D. Risk
```
A. Threat
114
```
Which of the following cryptography attack methods is usually performed without the use of a computer?
A. Ciphertext-only attack
B. Chosen key attack
C. Rubber hose attack
D. Rainbow table attack
```
C. Rubber hose attack
115
Which statement best describes a server type under an N-tier architecture?
A. A group of servers at a specific layer
B. A single server with a specific role
C. A group of servers with a unique role
D. A single server at a specific layer
C. A group of servers with a unique role
116
```
When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?
A. Vulnerability scanning
B. Social engineering
C. Application security testing
D. Network sniffing
```
B. Social engineering
117
Which statement is TRUE regarding network firewalls preventing Web Application attacks?
A. Network firewalls can prevent attacks because they can detect malicious HTTP traffic.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
C. Network firewalls can prevent attacks if they are properly configured.
D. Network firewalls cannot prevent attacks because they are too complex to configure.
B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened.
118
```
You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?
A. False Negative
B. False Positive
C. True Negative
D. True Positive
```
A. False Negative
119
The intrusion detection system at a software development company suddenly generates multiple alerts regarding attacks against the company's external webserver, VPN concentrator, and DNS servers. What should the security team do to determine which alerts to check first?
A. Investigate based on the maintenance schedule of the affected systems.
B. Investigate based on the service level agreements of the systems.
C. Investigate based on the potential effect of the incident.
D. Investigate based on the order that the alerts arrived in.
C. Investigate based on the potential effect of the incident.
120
```
What type of OS fingerprinting technique sends specially crafted packets to the remote OS and analyzes the received response?
A. Passive
B. Reflective
C. Active
D. Distributive
```
C. Active
121
```
During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with Local System account. How can this weakness be exploited to access the system?
A. Using the Metasploit psexec module setting the SA / Admin credential
B. Invoking the stored procedure xp_shell to spawn a Windows command shell
C. Invoking the stored procedure cmd_shell to spawn a Windows command shell
D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
```
D. Invoking the stored procedure xp_cmdshell to spawn a Windows command shell
122
What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data?
A. Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient
communication.
B. To get messaging programs to function with this algorithm requires complex configurations.
C. It has been proven to be a weak cipher; therefore, should not be trusted to protect sensitive data.
D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message.
D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message.
123
Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?
A. The switches will drop into hub mode if the ARP cache is successfully flooded.
B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to
attacks.
C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or reroute packets to the nearest switch.
D. The switches will route all traffic to the broadcast address created collisions.
A. The switches will drop into hub mode if the ARP cache is successfully flooded.
124
```
This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.
What is this attack?
A. Cross-site-scripting attack
B. SQL Injection
C. URL Traversal attack
D. Buffer Overflow attack
```
A. Cross-site-scripting attack
125
When setting up a wireless network, an administrator enters a pre-shared key for security.
Which of the following is true?
A. The key entered is a symmetric key used to encrypt the wireless data.
B. The key entered is a hash that is used to prove the integrity of the wireless data.
C. The key entered is based on the Diffie-Hellman method.
D. The key is an RSA key used to encrypt the wireless data.
A. The key entered is a symmetric key used to encrypt the wireless data.
