Practice 1: first 40 questions Flashcards
(40 cards)
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?
A. Fingerprint and retinal scan
B. Password and security question
C. Smartcard and PIN
D. Username and password
C. Smartcard and PIN
Explanation
OBJ-1.1: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inheritance factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inheritance). Choosing a username, password, and security question would also be only using one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inheritance, location, or action.
A network technician is responsible for the basic security of the network. Management has asked if there is a way to improve the level of access users have to the company file server. Right now, any employee can upload and download files with basic system authentication (username and password). What should he configure to increase security?
A. Kerberos authentication
B. MDS authentication
C. Multi-factor authentication
D. Single sign-on authentication
C. Multi-factor authentication
Explanation
OBJ-1.1: This security approach provides a defense layer that makes it difficult for unauthorized users to break into a system. It provides multiple factors that a user must know to obtain access. For instance, if one factor is successfully broken, there will still be other factors that the individual attempting to enter the system must overcome.
You have just concluded a two-month engagement that targeted Dion Training’s network. You have a detailed list of findings and have prepared your report for the company. Which of the following reasons explains why you must keep your report confidential and secure?
A. The findings included may contain company intellectual property
B. The findings contain privileged information about their customers
C. The findings could be used by attackers to exploit the client’s systems
D. The findings could hurt the company’s reputation if disclosed
C. The findings could be used by attackers to exploit the client’s systems
Explanation
OBJ-1.1: To further reinforce the SOW, NDA, and any other legal documentation in effect, the client is likely to include confidentiality provisions within the engagement plan. This ensures that the information discovered during the penetration test is shared only with the appropriate entities. For example, if a penetration tester finds a major code injection vulnerability in the company’s public-facing website, the organization may require them to keep this information confidential to minimize the risk of it being exploited by an attacker.
Which of the following will an adversary do during the reconnaissance phase of the Lockheed Martin kill chain? (SELECT THREE)
A. Harvest email addresses
B. Identify employees on Social Media networks
C. Release of malware on USB drives
D. Acquire or develop zero-day exploits
E. Select backdoor implants and appropriate command and control mechanisms
F. Discover servers facing the public internet
A. Harvest email addresses
B. Identify employees on Social Media networks
F. Discover servers facing the public internet
Explanation
OBJ-1.1: Passively harvesting information from a target is the main purpose of the reconnaissance phase. Harvesting email addresses from the public internet, identifying employees on social media (particularly LinkedIn profiles), discovering public-facing servers, and gathering other publicly available information can allow an attacker to develop a more thorough understanding of a targeted organization. Acquiring or developing zero-day exploits, selecting backdoor implants, and choosing command and control (C2) mechanisms will require the information gathered during reconnaissance to be effective. Still, these activities will actually occur during the weaponization phase.
Edward’s bank recently suffered an attack where an employee made an unauthorized modification to a customer’s bank balance. Which tenet of cybersecurity was violated by this employee’s actions?
A. Confidentiality
B. Authentication
C. Integrity
D. Availability
C. Integrity
Explanation
OBJ-1.1: The CIA Triad is a security model that helps people think about various parts of IT security. Integrity ensures that no unauthorized modifications are made to the information. The attack described here violates the integrity of the customer’s bank account balance. Confidentiality is concerned with unauthorized people seeing the contents of the data. In this scenario, the employee is authorized to see the bank balance but not change its value. Availability is concerned with the data being accessible when and where it is needed. Again, this wasn’t affected by the employee’s actions. Authentication is concerned with only authorized people accessing the data. Again, this employee was authorized to see the balance.
What is not an example of a type of support resource that a pentester might receive as part of a white box assessment?
A. Network diagrams
B. SOAP project files
C. XSD
D. PII of employees
D. PII of employees
Explanation
OBJ-1.1: White box support resources include architectural diagrams, sample application requests, SDK documentation, SOAP project files, Swagger documents, WSDL/WADL, and XML Schema Definitions (XSD). The PII of employees should not be given to a penetration tester as this could violate laws and regulations regarding maintaining employee data confidentiality and privacy. White-box testing falls on the opposite end of the spectrum from black-box testing, and penetration testers are given full access to source code, architecture documentation, and so forth.
Which of the following would trigger the penetration test to stop and contact the system owners during an engagement?
A. A production server is successfully exploited
B. Discovery of a production server with its log files deleted
C. A production server is unresponsive to ping requests
D. Discovery of encrypted credit card data being stored in their database
B. Discovery of a production server with its log files deleted
Explanation
OBJ-1.1: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. Suppose the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation. In that case, the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance. Deleted log files should be considered an indicator of compromise and should be investigated by the company’s security team before you continue with your engagement.
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?
A. You should continue to apply additional controls until there is zero risk
B. You should ignore any remaining risk
C. You should accept the risk if the residual risk is low enough
D. You should remove the current controls since they are not completely effective
C. You should accept the risk if the residual risk is low enough
Explanation
OBJ-1.1: In most cases, you will be unable to remove all risk. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk. Removing the controls would add to the risk, which is a bad course of action to select. Ignoring the remaining risk is unacceptable; instead, you should acknowledge what risk remains and accept it if it is low enough. If it is not low enough, you should continue to mitigate the risk by adding additional control measures. It is unlikely you will ever be able to get all risk down to zero, but mitigating to a lower level and then accepting the residual risk is a common industry practice.
Which of the following Nmap commands would scan DionTraining.com and probe any open ports to determine the versions of the running services on those ports?
A. nmap -sS DionTraining.com
B. nmap -sT DionTraining.com
C. nmap -sV DionTraining.com
D. nmap -sL DionTraining.com
C. nmap -sV DionTraining.com
Explanation
OBJ-2.2: The -sV option will scan the target by probing all the open ports to determine the service version they are running. The -sS option will scan the target using a TCP SYN packet and conduct a half-open scan. The -sT option will scan the target by conducting a full TCP 3-way handshake. The -sU option will scan the target by conducting a UDP scan.
You are troubleshooting an issue with a Windows desktop and need to display the machine’s active TCP connections. Which of the following commands should you use?
A. net use
B. netstat
C. ipconfig
D. ping
B. netstat
Explanation
OBJ-2.3: The netstat command is used to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols) on a Windows machine. This is a useful command when determining if any malware has been installed on the system and may be maintaining a remote connection with a command and control server.
Dion Training has just installed a brand new email server. Which of the following DNS records would need to be created to allow the new server to receive email on behalf of diontraining.com?
A. CNAME
B. MX
C. PTR
D. A
B. MX
Explanation
OBJ-2.1: An MX record is required in the DNS for a domain for the email server to accept emails on behalf of a registered domain name.
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name?
A. SPF
B. DKIM
C. SMTP
D. DMARC
B. DKIM
Explanation
OBJ-2.1: DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism. This can replace or supplement SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. Sender Policy Framework (SPF) uses a DNS record published by an organization hosting an email service. The SPF record identifies the hosts authorized to send email from that domain, and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does, though. The Domain-Based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively. DMARC relies on DKIM for the cryptographic authentication mechanism, making it the incorrect option for this question. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission, which does not utilize cryptographic authentication mechanisms by default.
You have received a laptop from a user who recently left the company. You went to the terminal in the operating system and typed ‘history’ into the prompt and see the following:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> for i in `seq 255`; do ping -c 1 10.1.0.$i; done
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which of the following best describes what actions were performed by this line of code?
A. Attempted to conduct a SYN scan on the network
B. Conducted a ping sweep of the subnet
C. Conducted a sequential ICMP echo reply to the subnet
D. Sequentially sent 255 ping packets to every host on the subnet
B. Conducted a ping sweep of the subnet
Explanation
OBJ-2.2: This code is performing a ping sweep of the subnet 10.1.0.0/24. The code states that for every number in the sequence from 1 to 255, conduct a single ping (-c 1) to 10.1.0.x, where x is the number from 1 to 255. When it completes this sequence, it is to return to the terminal prompt (done). The ping command uses an echo request and then receives an echo reply from the ping’s target. A ping sweep does not use a SYN scan, which would require the use of a tool like nmap or hping.
What nmap switch would you use to perform operating system detection?
A. -OS
B. -s0
C. -sP
D. -O
D. -O
Explanation
OBJ-2.2: The -O switch is used to tell nmap to conduct fingerprinting of the operating system based on the responses received during scanning. Nmap will then report on the suspected operating system of the scanned host. If you use -O -v, you will get additional details, as this runs the operating system scan in verbose mode. The -OS flag is made up and not supported by nmap. The -s0 flag conducts an IP protocol scan of the target. The -sP flag conducts a simple ping scan against the target.
A penetration tester is emulating an insider threat during an engagement. The penetration tester was given access to a regular user account and a basic Windows 10 client on the network. The penetration tester did not receive any network diagrams, maps, or target IP addresses. Their goal is to identify any possible Windows domain controllers on the intranet.diontraining.com domain. Which of the following commands should they use from the command prompt to achieve their goal?
A. nslookup -type=any _lanman._tcp.intranet.diontraining.com
B. nslookup -type=any _ntlm._tcp.intranet.diontraining.com
C. nslookup -type=any _ldap._tcp.intranet.diontraining.com
D. nslookup -type=any _smtp._tcp.intranet.diontraining.com
E. nslookup -type=any _kerberos._tcp.intranet.diontraining.com
C. nslookup -type=any _ldap._tcp.intranet.diontraining.com
E. nslookup -type=any _kerberos._tcp.intranet.diontraining.com
Explanation
OBJ-2.1: There are several methods for locating Domain Controllers, depending on what you know about the environment you are working in. If you are using a Windows client, you can use the nslookup command. You need to specify which protocol you are searching for in the name. Since we are trying to identify domain controllers, we need to look for the Kerberos and LDAP SRV records on the intranet.diontraining.com domain. If you were using a Linux client, you could run a similar command using dig.
You are working as part of a penetration testing team conducting an engagement against Dion Training’s network. You have been given a list of targets to scan in nmap in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in an XML formatted file called results.txt for importing into your team’s report generation software?
A. nmap -p80,443 -sL servers.txt -oX results.txt
B. nmap -p80,443 -iL servers.txt -oX results.txt
C. nmap -p80,443 -iL servers.txt -oG results.txt
D. nmap -p80,443 -sL servers.txt -oG results.txt
B. nmap -p80,443 -iL servers.txt -oX results.txt
Explanation
OBJ-2.2: The command (nmap -p80,443 -iL servers.txt -oX results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option will scan each of the listed servers’ IP addresses. The -oX option will save the results in an XML format to the file results.txt while still displaying the normal results to the shell. The option -sL will only list the servers to scan, and it will not actually scan them. The option -oG is for outputting the results to a file in a greppable format.
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of activity occurred based on the output above?
A. Port scan targeting 10.10.3.2
B. Fragmentation attack targeting 10.10.3.6
C. Denial of service attack targeting 10.10.3.6
D. Port scan targeting 10.10.3.6
D. Port scan targeting 10.10.3.6
Explanation
OBJ-2.2: Port scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.
Which of the following is usually not considered when evaluating the attack surface of an organization?
A. External and internal users
B. Websites and cloud entities
C. Software applications
D. Software development lifecycle model
D. Software development lifecycle model
Explanation
OBJ-2.1: The software development lifecycle model used by a company is purely an internal function relevant only to the development of custom software within the organization. Regardless of whether a waterfall or agile methodology is chosen, it does not directly affect the organization’s attack surface. The attack surface represents the set of things that could be attacked by an adversary. External and internal users, websites, cloud entities, and software applications used by an organization are all possible entry points that an adversary could attempt an attack upon.
You are conducting a quick nmap scan of a target network. You want to conduct a SYN scan, but you don’t have raw socket privileges on your workstation. Which of the following commands should you use to conduct the scan from your workstation?
A. nmap -sS
B. nmap -O
C. nmap -sT
D. nmap -sX
C. nmap -sT
Explanation
OBJ-2.2: The nmap TCP connect scan (-sT) is used when the SYN scan (-sS) is not an option. You should use the -sT flag when you do not have raw packet privileges on your workstation or if you are scanning an IPv6 network. This flag tells nmap to establish a connection with the target machine by issuing the connect system call instead of directly using a SYN scan. Normally, a fast scan using the -sS (SYN scan) flag is more often conducted, but it requires raw socket access on the scanning workstation. The -sX flag would conduct an Xmas scan, where the FIN, PSH, and URG flags are set in the scan packets. The -O flag would conduct an operating system detection scan of the target system.
Which type of method is used to collect information during passive reconnaissance?
A. Social engineering
B. Network traffic sniffing
C. Man in the middle attacks
D. Publicly accessible sources
D. Publicly accessible sources
Explanation
OBJ-2.1: Passive reconnaissance focuses on collecting information that is widely and openly available from publicly accessible sources. While network traffic sniffing is considered passive, gaining access to the network to place a sniffer in a good network tap location would not be considered passive. Of the choices provided, publicly accessible sources are the best answer to choose. Man-in-the-middle attacks would involve a penetration tester coming in between the traffic source and destination, which would allow its active interception and possible modification. Social engineering is also an active reconnaissance technique that uses deception to trick a user into providing information to an attacker or penetration tester.
Which of the following ports is used by the Service Location Protocol when organizing and locating printers, databases, and other resources in a network?
A. 443
B. 427
C. 445
D. 389
B. 427
Explanation
OBJ-2.3: Port 427 is used by SLP. The Service Location Protocol (SLP) is a protocol or method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. This is an alternative protocol to LDAP in newer networks. While you may not have this port memorized, you should have memorized ports 389, 443, and 445 and identified that they were not associated with printers.
You want to conduct OSINT against an organization in preparation for an upcoming engagement. Which of the following tools should you utilize?
A. OpenVAS
B. Social Engineer Toolkit (SET)
C. Shodan
D. Aircrack-NG
C. Shodan
Explanation
OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets, since that might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. OpenVAS, SET, and Aircrack-NG are not considered OSINT tools. OpenVAS is a vulnerability scanner. SET is a social engineering tool. Aircrack-NG is a wireless hacking tool.
What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities?
A. Passive reconnaissance
B. Active scanning
C. Vulnerability scanning
D. Patch management
A. Passive reconnaissance
Explanation
OBJ-2.1: Passive reconnaissance combines publicly available data from various sources about an organization and does not use active scanning or data gathering methods. Vulnerability scanning is an inspection of the potential points of exploitation on a computer or network to identify security holes. A vulnerability scan is usually conducted to detect and classify system weaknesses in computers, networks, and communications equipment and predict the effectiveness of countermeasures. Patch management is the process that helps acquire, test, and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?
A. 389
B. 3389
C. 443
D. 21
C. 443
Explanation
OBJ-2.2: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).