Post Class Review

Question 1

What are the countermeasures against MAC Flood and MAC Spoofing attacks?

Answer 1

Port Security
Binding
IP Source Guard
DAI (Dynamic Arp Inspection)
ARP Watch
ARP Wall

Question 2

Describe DHCP Starvation attack

Answer 2

Exhausting the pool of IP addresses on a DHCP server

Question 3

DHCP Starvation attack countermeasure

Answer 3

Port Security

Question 4

Describe Rogue DHCP Attack

Answer 4

Unauthorized DHCP server

Question 5

Rogue DHCP Attack countermeasure

Answer 5

DHCP snooping

Question 6

How do you evade IDS Signature Detection

Answer 6

Encryption
IP Fragmentation (IP Fragment Scanning)

Question 7

How do you evade IDS Anomaly Detection?

Answer 7

Session splicing

Question 8

Nmap setting for session splicing

Answer 8

Timing template / timing channel
T0-slowest
T5-fastest

Question 9

Application proxies provide privacy (security through obscurity) and:

Answer 9

content filtering (data+commands)

Question 10

How to defend against Spoofing, ARP poisoining?

Answer 10

ARPWALL
ARPWatch
Private VLANS
Using Static ARP entries for servers&routers

Question 11

Full Open Scan

Answer 11

–>

–>

nmap -sT

TCP Connect scan completes the 3 way handshake

Question 12

Half open scan

Answer 12

–>

nmap -sS

Stealth scan, syn scan

Scan spoof IP, bypass firewall rules (anti spoof)

Question 13

XMas scan

Answer 13

nmap -sX

FIN, URG, PSH

Question 14

Shared traits of XMAS, Null, FIN scans

Answer 14

No response = port open
RST = port closed
always RST = Windows

Question 15

nmap switch:

TCP Connect/Full Open Scan

Answer 15

nmap -sT

Completes 3 way handshake

Question 16

nmap switch:

Stealth Scan/Half Open Scan/Syn scan

Answer 16

nmap -sS

Can spoof IP, bypasses firewall rules (anti spoof)

Question 17

nmap switch:

XMas scan

Answer 17

nmap -sX

FIN, URG, PSH

Question 18

nmap switch:

FIN scan

Answer 18

-sF

Question 19

nmap switch:

Null scan

Answer 19

no flags -sN

Question 20

nmap switch:

Idle scan

Answer 20

nmap -sI

You need a zombie to determine if port is open/closed

Question 21

Idle scan

Answer 21

IPID + 2 = port open
IPID + 1 = port closed
zombie must be idle

Question 22

Nmap switch:

OS

Answer 22

nmap -O

Question 23

Nmap switch:

output

Answer 23

nmap -o

Question 24

Nmap syntax:

Network scan of the entire subnet 192.168.10.0

Answer 24

nmap -sn 192.168.10.0/24

Question 25

Nmap syntax: | Network scan of all hosts from 192.168.10.200 to 192.168.10.250

Answer 25

nmap -sn 192.168.10.200-250

Question 26

Nmap switch: | network scan

Answer 26

nmap -sn

Question 27

ICMP Message Type | Request

Answer 27

8

Question 28

ICMP Message Type | Response

Answer 28

0

Question 29

ICMP Message Type | Unreachable

Answer 29

3

Question 30

ICMP Message Type | TTP Expired

Answer 30

11

Question 31

ICMP Message Type 3 Code 1

Answer 31

Host

Question 32

ICMP Message Type 3 Code 0

Answer 32

Network

Question 33

ICMP Message Type 3 Code 2

Answer 33

Protocol

Question 34

ICMP Message Type 3 Code 3

Answer 34

Port

Question 35

ICMP Message Type 3 Code 13

Answer 35

Admin Prohibited

Question 36

MultiFactor Authentication | K- Know

Answer 36

Passwords, PINS

Question 37

MultiFactor Authentication | A - Are

Answer 37

Biometric

Question 38

MultiFactor Authentication | H - Have

Answer 38

Token, Card

Question 39

A token is which combination of multi factors?

Answer 39

Know + Have

Question 40

Best combination of multi factor authentication?

Answer 40

Know + Have + Are (Token + Biometric)

Question 41

Polymorphic (XOR'd) Shellcode

Answer 41

Signature changes, XOR is encrypted

Question 42

Metamorphic Virus

Answer 42

Both algorithm and signature changes

Question 43

Describe Vulnerability scanning

Answer 43

Identify weaknesses

Question 44

Limitations on vulnerability scanning

Answer 44

Can only discover known vulnerabilities

Question 45

Auditing vs Vulnerability Scanning vs Pen Testing

Answer 45

Auditing- testing for compliance Vulnerability scanning- Passive Pen testing - active

Question 46

SQL Injection: | '

Answer 46

' tests if database is susceptible to SQLi

Question 47

SQL injection: | --

Answer 47

-- is end of line/single line commands

Question 48

SQL Injection: | +, ||

Answer 48

+, || are concatenation operators

Question 49

SQL Injection: | UNION

Answer 49

UNION joins multiple queries

Question 50

SQL Injection: | UPDATE

Answer 50

Update table or database

Question 51

SQL injection: | DROPTABLE

Answer 51

Deletes table

Question 52

SQL injection: | Xp_cmdshell

Answer 52

Invokes command shell

Question 53

SQL injection: | OPENROWSET

Answer 53

Makes an offline copy of the database contents

Question 54

Typical SQL injection syntax

Answer 54

blah' or 1=1--

Question 55

1=1 is what

Answer 55

tautology, an assertion of truth

Question 56

Outcome of SQL injection in a login context

Answer 56

Logs in as first user in table

Question 57

Outcome of SQL injection in a database search context

Answer 57

Dumps all records in a table

Question 58

Spoofing vs Session Hijacking

Answer 58

Spoofing - all responses go to spoofed address | Hijacking - attacker takes over an active session

Question 59

Steganography

Answer 59

Manipulating least significant bits within image files to hide information

Question 60

Sparse infector virus

Answer 60

Time trigger activated virus (Friday 13th)

Question 61

Stealth virus

Answer 61

Places itself between kernel & user programs to intercept system calls/IO operations

Question 62

Macro virus

Answer 62

targets MSOffice applications

Question 63

Trojans

Answer 63

Require a host file | Cannot self replicate or self propagate

Question 64

Virus

Answer 64

Require a host file CAN self replicate CANNOT self propagate

Question 65

Worm

Answer 65

NOT require a host file CAN self replicate CAN self propagate

Question 66

Phishing

Answer 66

Sending to a broad audience

Question 67

Spear phishing

Answer 67

targeting individuals

Question 68

Whaling

Answer 68

targeting upper hierarchy/C-Levels

Question 69

How does "tracert" work and what is its purpose

Answer 69

Uses ICMP & manipulates the TTL to discover hops

Question 70

Describe Firewalking

Answer 70

Fingerprinting a firewall

Question 71

Firewalking | Traceroute

Answer 71

Discover IPs of routers & firewalls

Question 72

Firewalking | ACK scan

Answer 72

Determine if firewall is stateful or non-stateful No response -> Stateful RST -> not stateful

Question 73

Firewalking | IKE scan

Answer 73

Determine if the firewall is using IPSEC

Question 74

Firewalking Techniques

Answer 74

1. Traceroute 2. ACK scan 3. IKE scan 4. Scan vor vendor specific parts 5. Banner grabbing

Question 75

Session Fixation attack

Answer 75

taking advantage of fixed session IDs (link in password reset email)

Question 76

Ways to browse the internet anonymously

Answer 76

Proxy VPN Anonymizer HTTP tunneling

Question 77

Switch sniffing techniques

Answer 77

1. SPAN port/ Port Spanning 2. MAC flood 3. ARP poisoning 4. DNS poisoning 5. Rogue DHCP server 6. Manipulating proxy server setting

Question 78

What is the default RID for a Windows Administrator account

Answer 78

500

Question 79

Bits for MD4

Answer 79

128

Question 80

Bits for MD5

Answer 80

128

Question 81

Bits for SHA-1

Answer 81

160

Question 82

Bits for SHA2

Answer 82

256+

Question 83

What is Syskey used for

Answer 83

Encrypt SAM file

Question 84

Type of encryption used for Syskey

Answer 84

128 bit RC4 encryption

Question 85

Port: | FTP

Answer 85

20,21

Question 86

Port: | TFTP

Answer 86

69

Question 87

Port: | Syslog

Answer 87

514

Question 88

Port: | RDP

Answer 88

3389

Question 89

Port: | LDAP

Answer 89

389

Question 90

Port: | LDAPS

Answer 90

636

Question 91

Port: | SSH

Answer 91

22

Question 92

Port: | SSL

Answer 92

443

Question 93

Port: | SMB over NetBIOS

Answer 93

139

Question 94

Port: | SMB over TCP/IP

Answer 94

445

Question 95

Port: | Kerberos

Answer 95

88

Question 96

Port: | DNS Zone Transfer

Answer 96

TCP 53

Question 97

Port: | DNS lookup

Answer 97

UDP 53

Question 98

Port: | Network Printing

Answer 98

515, 631, 9100

Question 99

Port: | SMTP

Answer 99

25

Question 100

Port: | SNMP

Answer 100

161, 162

Question 101

Port: | NTP

Answer 101

123

Question 102

Port: | IKE

Answer 102

500

Question 103

Port: | DHCP

Answer 103

67, 68

Question 104

Port: | POP3

Answer 104

110

Question 105

Port: | IMAP

Answer 105

143

Question 106

What does the following command do: type trojan.exe > c:\windows\system32\ping.exe:trojan.exe

Answer 106

Places malicious file within the ADS/Alternate Data Stream of a good file NTFS data stream. Type and Copy are interchangeable

Question 107

What does the following command do: copy trojan.exe > c:\windows\system32\ping.exe:trojan.exe

Answer 107

Places malicious file within the ADS/Alternate Data Stream of a good file NTFS data stream. Type and copy are interchangeable

Question 108

Simple SQL Injection

Answer 108

attacker sees responses

Question 109

Blind SQL injection

Answer 109

attacker does not see responses, uses YES or NO responses with WAITFORDELAY command

Question 110

Attack that uses YES or NO responses with WAITFORDELAY command

Answer 110

Blind SQL injection

Question 111

Difference between sniffing on a Hub network vs a Switch network

Answer 111

Hub - passive | Switch - active

Question 112

What is the Snow tool

Answer 112

used for Whitespace Steganography

Question 113

What type of encryption does Snow use

Answer 113

Ice

Question 114

6 techniques of Anti-spoofing

Answer 114

1. Packets from outside have inside/private IP as source IP 2. Packets from inside have outside IP as source IP 3. Packets from a new network send test packets 4. TTL mismatch 5. IPID mismatch 6. Exceeding window size

Question 115

Wireshark filter syntax: | ip.addr==10.10.1.1

Answer 115

All packets going to and from 10.10.1.1

Question 116

Wireshark filter syntax: | ip.src==10.10.1.1

Answer 116

All packets coming from 10.10.1.1

Question 117

Wireshark filter syntax: | ip.dest==10.10.1.1 && tcp.dstport=80

Answer 117

All packets going to 10.10.1.1 destination port 80 && = OR

Question 118

Wireshark filter syntax: | tcp.flagsreset==1

Answer 118

All packets with a Reset flag set

Question 119

Wireshark filter syntax: | tcp contains wireshark

Answer 119

Search http text "wireshark"

Question 120

Substituting non-alphanumeric characters with alphanumeric to prevent XSS attack is called: _____ < < > &gt

Answer 120

HTML entities

Question 121

Example of HTML entities

Answer 121

< < | > gt

Question 122

How does IPS/IDS work?

Answer 122

IDS - passive IPS - active Uses signature & anomaly detection

Question 123

Name of server used to provide Blackberry services

Answer 123

BES - Blackberry Enterprise Services

Question 124

Two types of Input validation

Answer 124

Data boundary, length, size | Data type

Question 125

Risk of data boundary input validation

Answer 125

Buffer overflow

Question 126

Risk of data type input validation

Answer 126

Injection

Question 127

What is Overwriting the EIP (Extended Instruction Pointer)?

Answer 127

Buffer overflow attack

Question 128

Buffer overflow attack

Answer 128

- Overwriting the EIP/Extended Instruction Pointer | - Overwriting return pointer/ instruction pointer/ return address/ return register

Question 129

What detects attempted buffer overflow attacks?

Answer 129

Canary word

Question 130

What does robots.txt do?

Answer 130

Prevents Google, Yahoo, & Bing from accessing certain pages on the webserver

Question 131

Uses for Cain & Abel

Answer 131

1. ARP Poisoning 2. Sniffing 3. Password cracking 4. WiFi encryption cracking (aircrack-ng, korecs algorith)

Question 132

What tools use the korecs algorithm?

Answer 132

Cain & Abel | Aircrack-ng

Question 133

Hybrid password attacks include

Answer 133

Brute force + dictionary

Question 134

Key length of | Diffie Hellman

Answer 134

1536 bits

Question 135

Key length of: | RSA

Answer 135

Variable, minimum 2048

Question 136

Key length of: | DES

Answer 136

Total: 64 Actual: 56

Question 137

Key length of: | 3DES

Answer 137

Actual: 168 Effective: 112

Question 138

Key length of: | AES

Answer 138

Minimum- 128, 192, 256

Question 139

AES encryption:

Answer 139

Protocop: CCMP Algorithm: Rijndael Minimum key length: 128, 192, 256

Question 140

Tools that - Verify Integrity - of system and data files?

Answer 140

Tripwire | FCIV (microsoft tool)

Question 141

Tools that - Verify Authenticity - of program files?

Answer 141

Sigverif (microsoft) | Bit9

Question 142

Command switch: | Manipulates TTL Value

Answer 142

-i

Question 143

Command switch: | Specifies # of ping packets in Windows

Answer 143

-n

Question 144

Command switch: | Specifies # of ping packets in Linux

Answer 144

-c

Question 145

Hardware disk encryption

Answer 145

TPM, HSM Full disk encryption MBR encrypted

Question 146

Software disk encryption

Answer 146

MBR not encrypted Partial disk encryption EFS-microsoft

Question 147

Attacker sends ping/icmp packets to a broadcast address with spoofed src IP as victim's IP

Answer 147

SMURF

Question 148

Attack that's the same as a SMURF attack but uses UDP

Answer 148

Fraggle

Question 149

Attack which takes advantage of TCP 3-way handshake, sends SYN packets to victim with the source & dest IPs pointing to the victim IP

Answer 149

Land attack

Question 150

Attack which takes advantage of TCP 3-way handshake, attacker sends SYN packets to victim with src IP spoofed to be a nonexistent/random IP, results in a large number of half open connections.

Answer 150

SYN flood, half open scan

Question 151

Windows 32, Linux 64 | Attacker sends oversized ping packetse to victim

Answer 151

P.O.D. Ping of death

Question 152

Trinoo, TFN2k, LOIC, HOIC

Answer 152

DDoS tools

Question 153

Embedding malicious scripts within webpages, emails, etc

Answer 153

XSS cross site scripting

Question 154

Similar to XSS, however attacker targets an already authenticated/trusted session and forces the victim to do something they never intended to do

Answer 154

CSRF/XSRF cross site request forgery

Question 155

If the second half of an LM hash contains a hash value of - AAD3B435B51404EE, it indicates that_______

Answer 155

The password length is less than 7 characters.

Question 156

If the following value is on both sides of an LM hash: - AAD3B435B51404EE, ______

Answer 156

It means LM hash is not being stored

Question 157

Factorization of 2 large prime numbers describes which agorithm?

Answer 157

RSA encryption

Question 158

Symmetric encryption provides which of the following Cryptographic objectives: Confidentiality Integrity Authentication (HMAC) Non-Repudiation

Answer 158

Confidentiality Integrity Authentication (HMAC only)

Question 159

Asymmetric encryption provides which of the following Cryptographic objectives: Confidentiality Integrity Authentication Non-Repudiation

Answer 159

All 4

Question 160

Digital Signature provides which of the following Cryptographic objectives: Confidentiality Integrity Authentication Non-Repudiation

Answer 160

Integrity Authentication Non-repudiation

Question 161

Integrity Authentication Non-repudiation

Answer 161

Digital Signature

Question 162

Confidentiality Integrity Authentication Non-Repudiation

Answer 162

Asymmetric encryption

Question 163

Confidentiality Integrity Authentication (HMAC only)

Answer 163

Symmetric encryption

Question 164

With a digital signature, the hash is encrypted with ____

Answer 164

sender's private key

Question 165

A digital signature hash being encrypted with a senders' private key results in ____

Answer 165

Authenticity

Question 166

For Authentication, the hash/message is encrypted with _____

Answer 166

sender's private key

Question 167

Symmetric encryption is most suited for ____ because of speed

Answer 167

Bulk data

Question 168

Disadvantages of symmetric encryption?

Answer 168

1. No non-repudiation 2. Key management (not scalable) 3. Key distribution (relies on out of band OOB key distribution)

Question 169

WIFI encryption: | 48 bit IV and 128 bit AES encryption

Answer 169

WPA2

Question 170

WIFI encryption: | 48 bit IV and 128 bit TKIP-RC4 encryption

Answer 170

WPA

Question 171

Why is WEP considered to be an inherently weak wi-fi encryption standard?

Answer 171

IV is too short (24 bits) | Lacks randomization resulting in frequency patterns

Question 172

Hashing algorithm: | LMHash

Answer 172

DES

Question 173

Hashing algorithm: | NTLMv1

Answer 173

MD4

Question 174

Hashing algorithm: | NTLMv2

Answer 174

MD5

Question 175

What happens to a switch when the CAM table is flooded?

Answer 175

It breaks down into a hub

Question 176

What is the broadcast address for 180.160.172.0/22?

Answer 176

180.160.175.255

Question 177

How do you secure SNMP

Answer 177

1. Use SNMP v3 | 2. Change default passwords/"community string"

Question 178

2 Methods of banner grabbing using telnet?

Answer 178

1. GET /HTTP/1.0 | 2. HEAD /HTTP/1.0

Question 179

Is it possible to block all reconnaissance traffic completely? (ping, tracert, DNS, etc)

Answer 179

No

Question 180

``` 1+1 = 0 1+0 = 1 0+1 = 1 0+0 = 0 ```

Answer 180

Truth table for XOR

Question 181

Computer security incident response team

Answer 181

CSIRT

Question 182

Provides guidance & solutions on how to secure and test systems

Answer 182

OSSTMM

Question 183

Provides information on common web application flaws and solutions, OWASP top 10, injection, webgoat

Answer 183

OWASP

Question 184

SOX

Answer 184

Sarbanes Oxley - Regulation to enforce financial accountability

Question 185

PCI-DSS

Answer 185

Standard to protect PII

Question 186

Types of rootkits

Answer 186

1. Application 2. Hypervisor 3. Bootloader 4. DLL 5. Kernel 6. BIOS

Question 187

Key escrow

Answer 187

private key is split into 2 or more parts and each part is given to different CA's for safekeeping

Question 188

Recovery agent

Answer 188

designated account used to recover from lost or stolen keys (similar to a master key)

Question 189

N-Tier architecture: | Infrastructure

Answer 189

The servers are logically grouped by function within individual VLAN segments

Question 190

N-Tier architecture: | Application architecture

Answer 190

Applications are designed in a modular fashion where changes to one module does not impact other modules

Question 191

What do these tools have in common? ``` Brutus John the Ripper Cain & Abel Kerbcrack Hydra ```

Answer 191

password crackers

Question 192

Limiting the # of MACs on a switch port

Answer 192

Port security

Question 193

Network access control, Network access protection

Answer 193

NAC/NAP Sets & enforces baselines/policies on devices connected to the network

Question 194

NAC/NAP

Answer 194

Network access control/protection Sets & enforces baselines/policies on devices connected to the network

Question 195

EAP/802.1x

Answer 195

``` RADIUS Kerberos Active directory PKI Secure token ```

Question 196

How to disable LMHashes

Answer 196

1. Modify registry 2. Use GPOs 3. Make passwords greater than 14 characters with a minimum of 15 characters

Question 197

Name trust models

Answer 197

Web of Trust Hierarchical Bridge

Question 198

Trust models: | Web of trust

Answer 198

PGP, GPG

Question 199

Trust models: | HIerarchical

Answer 199

PKI

Question 200

Trust models: | Bridge

Answer 200

Trust between 2 different PKI hierarchies

Question 201

Take advantage of the lack of input validation within cgi scripts to gain shell access

Answer 201

Shellshock

Question 202

An openSSL vulnerability which gave attackers access to private keys in RAM

Answer 202

Heartbleed

Question 203

2 different pieces of text produce the same hash value

Answer 203

Collision

Question 204

Hashing algorithms are collision-resistant. True or false?

Answer 204

True

Question 205

Risk management: SLE

Answer 205

Single loss expectancy Asset value x Exposure factor

Question 206

Risk management: Risk

Answer 206

Threat x vulnerability x asset/impact

Question 207

Risk management: ALE

Answer 207

Annual loss expectancy Asset value x exposure x annualized rate of occurrence (ARO)

Question 208

Risk management: ARO

Answer 208

Annualized rate of occurrence

Question 209

Google search: insite:www.cisco.com filetype.pdf

Answer 209

Locating .pdf files on www.cisco.com

Question 210

HTTPMETHODS

Answer 210

Nmap script that tests which methods are allowed on an HTTP server: GET, PUT, POST, TRACE, etc...

Question 211

Tool equivalent to Netcat that can be used to have an encrypted netcatlike session?

Answer 211

Cryptcat

Question 212

Provides multilayer inspection, stateful inspection, maintains state table, enforces 3-way handshake

Answer 212

Stateful inspection firewall

Question 213

Does deep packet inspection to prevent web application attacks

Answer 213

Web application firewall

Question 214

Repository of revoked public keys

Answer 214

CRL, certificate revocation list

Question 215

Online Certificate Status Protocol, used to check CRL in real time

Answer 215

OSCP

Question 216

Linux tool used to change Windows passwords

Answer 216

CHNTPN

Question 217

Used to gather metadata of public documents

Answer 217

Metagoofil

Question 218

Radius 2.0, enhanced version of RADIUS, uses TCP for reliability & provides mobility options

Answer 218

DIAMETER