Practice Exam Sept 2023 Flashcards by kaze kyo

Module 01 Introduction to Ethical Hacking

Which set of regulations is concerned with protecting a patient’s medical records?

A. ISO 2002
B. PCI DSS
C. PII
D. HIPAA/PHI

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

In which phase of the Cyber Kill Chain would an attacker exfiltrate data from your organization?

A. Weaponization
B. Delivery
C. Actions on Objectives
D. Command and Control
E. Exploitation

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which security strategy requires using several, varying methods to protect IT systems against attacks?

A. Three-way handshake
B. Exponential backoff algorithm
C. Covert channels
D. Defense in depth

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

During a pen-test, you’ve obtained several employee e-mail addresses from their company website. At which phase of the Cyber Kill Chain would you then create a client-side backdoor in order to send it to the victims via e-mail?

A. Reconnaissance
B. Weaponization
C. Delivery
D. Exploitation
E. Installation
F. Command and Control
G. Actions on Objectives

In this scenario, the penetration tester has already completed the first stage of reconnaissance by harvesting the employees’ email addresses from public sources. They are now in the second stage of weaponization, where they are creating a client-side backdoor and attaching it to an email in order to deliver it to the employees.

The next stages of the kill chain would be delivery, where the email is sent to the employees, followed by exploitation, installation, and command and control, where the attacker gains access to the target system and establishes a channel for ongoing communication.

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

In which phase of Incident Handling & Response (IH&R) do you analyze the compromised device to find details like type of attack, severity, target, impact, method of propagation, and vulnerabilities exploited?

A. Preparation
B. Incident Recording and Assignment
C. Incident Triage
D. Notification
E. Containment
F. Evidence Gathering and Forensic Analysis
G. Eradication
H. Recovery
I. Post-Incident Activities

In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized. The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which of these best describes step 3, Delivery, in the Cyber Kill Chain methodology?

A. An intruder creates malware to be used as a malicious attachment to an email.
B. An intruder sends a malicious attachment via email to a target.
C. An intruder’s malware is installed on a target’s machine.
D. An intruder’s malware is triggered when a target opens a malicious email attachment.

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

What is the process called that can record, log, and resolve events that happen in your company?

A. Metrics
B. Incident management process
C. Internal procedure
D. Security policy

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which best describes white-box testing?

A. The internal operation of a system is only partly accessible to the tester
B. The internal operation of a system is completely known to the tester
C. Only the internal operation of a system is known to the tester
D. Only the external operation of a system is accessible to the tester

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which of these laws was designed to improve the accuracy and accountability of corporate disclosures, and to protect the public from accounting errors and fraudulent activities?

A. SOX
B. HIPAA
C. FedRAMP
D. PCI DSS

The Sarbanes-Oxley Act (SOX) was passed by the Congress of the United States in 2002 and is designed to protect members of the public from being defrauded or falling victim to financial errors on the part of businesses or financial entities. SOX compliance is both a matter of staying in line with the law and making sure your organization engages in sound business principles that benefit both the company and its customers.

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which phase of ethical hacking involves infecting a system with malware, and using phishing to gain access to a system or website?

A. Reconnaissance
B. Scanning
C. Gaining access
D. Maintaining access

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

You just got an e-mail from someone you’ve never met, claiming that your public website has a zero day vulnerability. The e-mail describes the problem and what you can do to protect yourself from this vulnerability. The e-mail has also been carbon-copied to Microsoft, informing them of the problem that their systems are exposed to. Which type of hacker sent you this e-mail?

A. Black hat
B. Red hat
C. Grey hat
D. White hat

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which best describes gray-box testing?

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

After finding and mitigating the vulnerabilities on your network, some small amount of risk still remains. What is this called?

A. Impact risk
B. Deferred risk
C. Residual risk
D. Inherent risk

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which type of hacker sometimes works offensively, and sometimes works defensively?

A. Suicide hacker
B. Black hat
C. Gray hat
D. White hat

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Before a penetration tester can start any hacking activities, it’s most important for her to do which of these?

A. Creating action plan
B. Finding new exploits which can be used during the pentest
C. Preparing a list of targeted systems
D. Ensuring that her activity will be authorized and she will have proper agreement with owners of the targeted system

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

There has been data-leakage on a workstation, so you go to that station, turn off the power, then remove the keyboard, mouse, and ethernet cable. Which incident-handling step would these activities fall under?

A. Discovery
B. Eradication
C. Containment
D. Recovery

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which type of hacker has no training and only uses basic techniques or tools they found on the internet?

A. White-Hat Hackers
B. Gray-Hat Hackers
C. Black-Hat Hackers
D. Script Kiddies

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

What makes a penetration test more thorough than a vulnerability scan?

A. A penetration test actively exploits the vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
B. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.
C. Vulnerability scans only do host discovery and port scanning by default.
D. It is not; a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Which best describes black-box testing?

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

After assessing the risk of a breach in your web application, you find there is a 40% chance of breach. You implement some controls and now find that the risk of a breach is down to 15%, while your risk threshold for the web application is at 25%. Which of these risk strategies will you most likely employ to continue operations with the most business profit?

A. Avoid the risk
B. Mitigate the risk
C. Accept the risk
D. Introduce more controls to bring the risk to 0%

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

Federal information systems should have security controls in place, as defined by which of these regulations?

A. PCI-DSS
B. HIPAA
C. NIST-800-53
D. EU Safe Harbor

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

A risk assessment includes which of these components?

A. Physical security
B. Administrative safeguards
C. DMZ
D. Logical interface

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

The chance of a hard drive failure is once every four years. The cost to buy a new hard drive is $400. It will require 5 hours to restore the OS and software to the new hard disk. It will require another 5 hours to restore the user data from the last backup to the new hard disk. The recovery tech earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%).

What is the closest approximate cost of this replacement and recovery operation per year?

A. $100
B. $125
C. $500
D. $1500

single loss expectancy (SLE)
value of the asset (AV)
exposure factor (EF)
SLE = AV x EF

Annualized rate of occurrence (ARO)
annualized loss expectancy (ALE)
ALE = SLE x ARO

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking

After being hired to do a pen-test, you and the customer fill out a document that describes all the details of the test. This document protects both the customer as well as your legal liabilities as the tester. Which document is being described?

A. Project Scope
B. Service Level Agreement
C. Rules of Engagement
D. Non-Disclosure Agreement

C. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.

B. A service-level agreement (SLA) sets the expectations between the service provider and the customer and describes the products or services to be delivered, the single point of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved.

How well did you know this?

Not at all

Perfectly

Module 01 Introduction to Ethical Hacking Which of these is a security standard for protecting credit-card information? A. FISMA B. PCI-DSS C. HITECH D. SOX

Module 01 Introduction to Ethical Hacking In which phase of incident-handling do you define processes/procedures/rules, and create and test back-up and response plans? A. Preparation phase B. Identification phase C. Containment phase D. Recovery phase

Module 01 Introduction to Ethical Hacking What is the role of test automation in security testing? A. It is an option but it tends to be very expensive. B. Test automation is not usable in security due to the complexity of the tests. C. It can accelerate benchmark tests and repeat them with a consistent setup. But it cannot replace manual testing completely. D. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies.

Module 01 Introduction to Ethical Hacking All of these are PCI compliance recommendations EXCEPT for which? A. Use a firewall between the public network and the payment card data. B. Limit access to card holder data to as few employees as possible. C. Use encryption to protect all transmission of card holder data over any public network. D. Rotate employees handling credit card transactions on a yearly basis to different departments.

Module 01 Introduction to Ethical Hacking What should you do if during a pen-test you discover information on the network that implies the client is involved with human trafficking? A. Copy the data to removable media and keep it in case you need it B. Ignore the data and continue the assessment until completed as agreed C. Confront the client in a respectful manner and ask her about the data D. Immediately stop work and contact the proper legal authorities E. Go all “Rambo” on the client and free the prisoners immediately.

Module 01 Introduction to Ethical Hacking In order to protect your network from imminent threats, you feed threat intelligence into your security devices in a digital format, in order to identify and block malicious traffic. Which type of threat intelligence are you using here? A. Tactical threat intelligence B. Operational threat intelligence C. Strategic threat intelligence D. Technical threat intelligence

D Strategic Cyber Intelligence: The audience does not need technical knowledge. High-level information on changing risks. High-level information on risk-based intelligence is used by high-level decision-makers (Executives and management). Whitepapers, policy documents, and publications are examples of strategic cyber intelligence. Operational Cyber Intelligence: Actionable information about specific incoming attacks. It is infiltrating hacker chat rooms to anticipate the incoming attacks. Tactical Cyber Intelligence: Details of threat actor tactics, techniques, and procedures (TTPs). Technical Cyber Intelligence: It means technical threat indicators such as specific IOC for SOC Staff.

Module 01 Introduction to Ethical Hacking Alice gathers info about specific threats to your company. She collected this info from humans, social media, chat rooms, as well as from events that resulted in cyberattacks. She created a report that outlined the malicious activities, warnings for emerging attacks, and a recommended course of action. Which type of threat intelligence is this? A. Tactical threat intelligence B. Operational threat intelligence C. Strategic threat intelligence D. Technical threat intelligence

Module 02 Footprinting and Reconnaissance Which of these is an open-source framework for doing automated recon and info-gathering activities to learn about a target organization? A. OSINT Framework B. SpeedPhish Framework C. WebSploit Framework D. Browser Exploitation Framework

A The OSINT framework is a methodology that integrates data, processes, methods, tools and techniques to help the security team identify information about an adversary or their actions quickly and accurately. An OSINT framework can be used to: Establish the digital footprint of a known threat. WebSploit is an open source project which is used to scan and analysis remote system in order to find various type of vulnerabilites. This tool is very powerful and supports multiple vulnerabilities.

Module 02 Footprinting and Reconnaissance Which of these Google Dork (Google hacking) operators would you use to show certain file extensions on a website? A. ext B. filetype C. inurl D. allinurl E. site F. location

Module 02 Footprinting and Reconnaissance Passive reconnaissance involves collecting information through which of the following? A. Social engineering B. Network traffic sniffing C. Man in the middle attacks D. Publicly accessible sources

Module 02 Footprinting and Reconnaissance Which type of footprinting involves gathering domain information, such as domain name, contact details of the owner, and creation & expiration dates? A. VoIP footprinting B. Whois footprinting C. VPN footprinting D. Email footprining

Module 02 Footprinting and Reconnaissance In order to make convincing phishing e-mails, it helps to know about the company you are going to impersonate. The time you spend on researching this information is called what? A. Exploration B. Reconnaissance C. Investigation D. Enumeration

Module 02 Footprinting and Reconnaissance You need to monitor your corporate website to analyze the traffic and learn things such as the geographical location of people visiting the site. Which tool would be best suited for this? A. Webroot B. Web-Stat C. WAFW00F D. WebSite-Watcher

Module 02 Footprinting and Reconnaissance What is the collection of overt and publicly available information known as? A. Real intelligence B. Human intelligence C. Open-source intelligence D. Social intelligence

Module 02 Footprinting and Reconnaissance Which of these would be the best choice to surf the internet anonymously? A. Use shared WiFi B. Use public VPN C. Use SSL sites when entering personal information D. Use Tor network with multi-node

Module 02 Footprinting and Reconnaissance Which of these tools can perform DNS lookups and find info such as DNS domain names, computer names, IP addresses, DNS records, and network Whois records? A. Bluto B. zANTI C. Knative D. Towelroot

A - Bluto is a Python-based tool for DNS recon, DNS zone transfer testing, DNS wild card checks, DNS brute forcing, e-mail enumeration and more. zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using your mobile device for free download. Knative enables serverless workloads to run on Kubernetes clusters, and makes building and orchestrating containers with Kubernetes faster and easier. Towelroot allows most Android smartphones users to root their Android device with one click only, as long as it has an unpatched version of the Linux kernel

Module 02 Footprinting and Reconnaissance You have been sent a suspicious e-mail message and want to see who sent it. After looking at the header you see that it was received from an unknown sender at the IP address 145.146.50.60. What web site will allow you to find out more information about an IP address, including who owns that IP? A. http://www.tucowsdomains.com/whois B. https://whois.arin.net C. https://www.networksolutions.com/whois D. https://www.godaddy.com/whois

B - ARIN’s Whois service is a public resource that allows a user to retrieve information about IP number resources, organizations, POCs, customers, and other entities. GoDaddy WHOIS search is designed to help you by diving into the WHOIS database for information on domain registration and availability.

Module 02 Footprinting and Reconnaissance Where can you go to see past versions and pages of a website? A. Samspade.org B. Search.com C. Archive.org D. AddressPast.com

Module 02 Footprinting and Reconnaissance During which hacking process do you surf the internet looking for information about your target company? A. Scanning B. Enumerating C. Footprinting D. System Hacking

Module 02 Footprinting and Reconnaissance Which Google search operator would limit searches to one domain? A. [location:] B. [site:] C. [allinurl:] D. [link:]

B allinurl - Searches for multiple words in the url of the search result.

Module 02 Footprinting and Reconnaissance Which regional internet registry should you use to get detailed info about an IP address in France? A. ARIN B. APNIC C. LACNIC D. RIPE

D The major RIRs include: ARIN (American Registry for Internet Numbers) (https://www.arin.net) AFRINIC (African Network Information Center) (https://www.afrinic.net) APNIC (Asia Pacific Network Information Center) (https://www.apnic.net) RIPE (Réseaux IP Européens Network Coordination Centre) (https://www.ripe.net) LACNIC (Latin American and Caribbean Network Information Center) (https://www.lacnic.net)

Module 02 Footprinting and Reconnaissance Your network has been breached. You review your logs and discover that an unknown IP address has accessed the network through a high-level port that was not closed. You trace the IP to a proxy server in Argentina. After calling the company that owns the server, they trace it to another proxy in Germany. You call them and they trace it to another proxy in China. What proxy tool has the attacker used to cover his tracks? A. ISA proxy B. IAS proxy C. TOR proxy D. Cheops proxy

Module 02 Footprinting and Reconnaissance Hacker Joe is using specialized tools and search engines that encrypt his web traffic and allows him to anonymously gather information on the internet. After gathering information, he performs attacks on target organizations without being traced. Which technique was used here? A. VoIP footprinting B. VPN footprinting C. Website footprinting D. Dark web footprinting

D Deep Web: Consists of web pages and contents that are hidden and unindexed and cannot be located using traditional web browsers and search engines Dark Web Darknet: The subset of deep web that enables anyone to navigate anonymously without being traced Tools: Tor Browser ExoneraTor

Module 02 Footprinting and Reconnaissance You find job listings for network administrators at your competitor’s company. How can reviewing this listing help you footprint their company? A. To learn about the IP range used by the target network B. To identify the number of employees working for the company C. To test the limits of the corporate security policy enforced in the company D. To learn about the operating systems, services and applications used on the network

Module 02 Footprinting and Reconnaissance Which of these tools can track e-mails and provide info such as sender identities, mail servers, sender IP address, and sender location? A. Infoga B. Netcraft C. Zoominfo D. Factiva

A - Infoga is used for scanning email addresses using different websites and search engines for information gathering and finding information about leaked information on websites and web apps. Netcraft is an Internet services company based in London, England. The company provides cybercrime disruption services across a range of industries. ZoomInfo is sales intelligence software that provides a database of business and professional contact information. Factiva is a business intelligence platform that includes content from 33,000 news, data and information sources from 200 countries and 32 languages. The platform contains millions of corporate profiles, as well as research tools to analyze media coverage.

Module 02 Footprinting and Reconnaissance Which of these online tools would allow you gather a competitor’s server’s IP address using Whois footprinting, then using that IP, can tell you info such as the network range and topology? A. AOL B. Baidu C. DuckDuckGo D. ARIN

D Doing a Whois search on ARIN will tell you a company’s IP range (the IP addresses that have been assigned to them). Using that info, you can scan their IP’s go gain more info. For example, if you find that one of those IP’s is a DNS server, that’s an opportunity to get even more info. If that DNS server is improperly configured, you might be able to get the IP’s of even their internal devices.

Module 02 Footprinting and Reconnaissance Using an image as a search query, which footprinting technique would you use to find information about the image, such as the original source and details, photographs, profile pictures, and memes? A. Advanced image search B. Reverse image search C. Google advanced search D. Meta search engines

Module 02 Footprinting and Reconnaissance Which of these is a tool to gather a list of words from a target website? A. Psiphon B. Shadowsocks C. Orbot D. CeWL

D Orbot and Psiphon are anonymizer tools. Shadowsocks is a proxy tool for mobile. CeWL is an automated tool to “crawl” through a target website to make a list of words or terms. This is very handy if you want to crawl a site to find all the listed e-mail addresses for example. The syntax is easy. For example: #cewl www.moviescope.com

Module 02 Footprinting and Reconnaissance Which of these Google Advanced Search Operators would help you gather info about websites that are similar to a specific URL that you type in? A. info: B. related: C. site: D. inurl: E. filetype:

Module 02 Footprinting and Reconnaissance Which tool can scan social media sites for information about a target, including finding their geolocation by using location tags in their photographs? A. Hootsuite B. VisualRoute C. HULK D. ophcrack

Module 02 Footprinting and Reconnaissance What would you get from this Google query? site:amazon.com -site:books.amazon.com iphone A. Results matching all words in the query B. Results matching “iphone” in domain amazon.com but not on the site books.amazon.com C. Results from matches on the site books.amazon.com that are in the domain amazon.com but do not include the word iphone D. Results for matches on amazon.com and books.amazon.com that include the word “iphone”

Module 02 Footprinting and Reconnaissance Which of these is an anonymizer site that would mask and protect your identity as you surf the web? A. www.baidu.com B. www.karmadecay.com C. www.guardster.com D. www.wolframalpha.com

C Baidu and Wolfram Alpha are search engines. Karmadecay is an image search engine for Reddit. On this list, only Guardster is a proxy surfing site to hide your IP address and identity as you surf the web.

Module 03 Scanning Networks Which type of message would begin a TCP 3-way handshake? A. SYN-ACK B. SYN C. ACK D. RST

Module 03 Scanning Networks Which one of these activities would allow an attacker to create a map or outline of the network infrastructure to learn about the environment before attempting to hack it? A. Enumeration B. Vulnerability analysis C. Scanning networks D. Malware analysis

Module 03 Scanning Networks If you want to check if a host is up and running on your network using nmap, you can perform a “ping scan”. There are several methods for doing this, such as an ARP ping, an ACK ping, etc. Which command below will tell nmap to perform a TCP SYN ping scan? A. nmap -sn -PO B. nmap -sn -PA C. nmap -sn -PS D. nmap -sn -PP

C -PS/PA/PU/PY[portlist] TCP SYN/ACK, UDP or SCTP discovery to given ports. Allows you to specify a specific port nmap uses to verify a host is up e.g., -PS22 (by default nmap sends to a bunch of common ports, this allows you to be specific)

Module 03 Scanning Networks Which scanning technique will use a spoofed IP address and a SYN flag to generate port responses? A. FIN B. SYN C. IDLE (side-channel) D. XMAS

Module 03 Scanning Networks What type of scan is this? Open port: SYN-> <-SYN + ACK RST-> Closed port: SYN-> <-RST A. Stealth Scan B. Full Scan C. XMAS Scan D. FIN Scan

Module 03 Scanning Networks You are scanning a network to ensure it is as secure as possible. You send a TCP probe packet to a host with a FIN flag and you receive a RST/ACK response. What does this mean about the port you are scanning? A. This response means the port is open. B. The RST/ACK response means the port is disabled. C. This means the port is half open. D. This means that the port is closed.

Module 03 Scanning Networks TCP SYN Flood attack abuses the three-way handshake mechanism. An attacker at system A sends a SYN packet to victim at system B. System B sends a SYN/ACK packet to A. Normally, A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A. This status of client B is called _________________ A. "half-closed" B. "half open" C. "full-open" D. "xmas-open"

Module 03 Scanning Networks The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Destination:192.168.1.106 Protocol:TCP What type of activity has been logged? A. Port scan targeting 192.168.1.103 B. Teardrop attack targeting 192.168.1.106 C. Denial of service attack targeting 192.168.1.103 D. Port scan targeting 192.168.1.106

Module 03 Scanning Networks Which Nmap option would let you do a very fast scan, even though it might increase the chances of your activities being detected? A. -O B. -A C. -T0 D. -T5

Module 03 Scanning Networks What is typically the default TTL value for a Windows system? A. 64 B. 128 C. 142 D. 255

Module 03 Scanning Networks While trying to evade the IDS, which command would scan common ports with the least amount of “noise”? A. Nmap –sT –O –T0 B. Nmap –A –Pn C. Nmap –A –host-timeout 99 –T1 D. Nmap –sT –p -65535 –T5

A -sT TCP Connect Scan -O reveal further operating system information -A discover the operating system information

Module 03 Scanning Networks After doing an nmap scan you see some open ports on your webserver, including port 80. Which nmap switch would also include the type and version number of the server? A. -V B. -sV C. -Pn D. -sS

B -sV nmap 192.168.1.1 -sV Attempts to determine the version of the service running on port -sS nmap 192.168.1.1 -sS TCP SYN port scan (Default) -v nmap 192.168.1.1 -v Increase the verbosity level (use -vv or more for greater effect) -Pn nmap 192.168.1.1-5 -Pn Disable host discovery. Port scan only.

Module 03 Scanning Networks What results will the following command yield: ‘NMAP –sS –O –p 123-153 192.168.100.3? A. A stealth scan, checking open ports 123 to 153 B. A stealth scan, checking all open ports excluding ports 123 to 153 C. A stealth scan, opening port 123 and 153 D. A stealth scan, determine operating system, and scanning ports 123 to 153

D -O nmap 192.168.1.1 -O Remote OS detection using TCP/IP stack fingerprinting -sS nmap 192.168.1.1 -sS TCP SYN port scan (Default)

Module 03 Scanning Networks After scanning a network, you find that a machine has port 80 open, indicating that it’s a web server. You want more information about the service and its version number, so you run an nmap scan with the -sV switch. It returns the following information: 80/tcp open http-proxy Apache Server 2.4.43 What’s the name of this method of information-gathering? A. Banner grabbing B. WHOIS lookup C. Brute forcing D. Dictionary attack

A A Whois domain lookup allows you to trace the ownership and tenure of a domain name.

Module 03 Scanning Networks While performing an Xmas scan, which of these would indicate that the target’s port is closed? A. SYN B. ACK C. RST D. No return response

Module 03 Scanning Networks What does this command do? > NMAP -sn 192.168.11.200-215 A. Port scan B. Ping scan C. Trace sweep D. Operating system detection

B Disable Port Scan (-sn) This option tells Nmap not to run a port scan after host discovery. When used by itself, it makes Nmap do host discovery, then print out the available hosts that responded to the scan. This is often called a “ping scan”.

Module 03 Scanning Networks Which OS uses a default TTL value of 64 and a default TCP Window size of 5840? A. Solaris OS B. Windows OS C. Linux OS D. Mac OS

Module 03 Scanning Networks How would you classify an operating-system fingerprinting method where you send traffic to the remote device and analyze the responses? A. Passive B. Reflective C. Active D. Distributive

Module 03 Scanning Networks Which scanning technique uses a zombie system that has low network activity, and utilizes fragment identification numbers to help with the scan? A. Decoy scanning B. Packet fragmentation scanning C. Spoof source address scanning D. Idle scanning

Module 03 Scanning Networks What does FIN in TCP flag define? A. Used to abort a TCP connection abruptly B. Used to close a TCP connection C. Used to acknowledge receipt of a previous packet or transmission D. Used to indicate the beginning of a TCP connection

Module 03 Scanning Networks Which of these is a way for a hacker on the outside of a network to target a host on the inside of the network, and to see which ports are open and if the packets can pass through the packet-filtering of the firewall? A. Network sniffing B. Session hijacking C. Firewalking D. Man-in-the-middle

C Fire walking is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall.

Module 03 Scanning Networks Which nmap option scans fewer ports than the default? A. -P B. -r C. -T0 D. -sP E. -F

E -F Fast port scan (100 ports)

Module 03 Scanning Networks Which NMAP switch does operating system detection? A. -OS B. -sO C. -sP D. -O

Module 03 Scanning Networks Your IP address is 192.168.1.10. Which nmap command will let you enumerate all machines on the same network quickly? A. Nmap –T4 –q 192.168.1.0/24 B. Nmap –T4 –O 192.168.1.0/24 C. Nmap –T4 –F 192.168.1.0/24 D. Nmap –T4 –r 192.168.0.0/24

C -O nmap 192.168.1.1 -O Remote OS detection using TCP/IP stack fingerprinting

Module 03 Scanning Networks Which nmap option would you use to determine if a firewall was Stateful or Stateless? A. -sA B. -sF C. -sT D. -sX

A -sA TCP ACK port scan -sT nmap 192.168.1.1 -sT TCP connect port scan (Default without root privilege) -sX XMAS scan -sF FIN scan

Module 03 Scanning Networks Which nmap switch will scan a target using a set of spoofed source IP addresses in order to evade the IDS or firewalls? A. The -A flag B. The -D flag C. The -f flag D. The -g flag

B -D Send scans from spoofed IPs -g Use given source port number -A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute -f nmap 192.168.1.1 -f Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters

Module 03 Scanning Networks Which Zenmap option will perform an ICMP timestamp ping scan? A. -Pn B. -PU C. -PY D. -PP

D -Pn (No ping) -PU (UDP Ping) -PY (SCTP INIT Ping) -PE; -PP; -PM (ICMP Ping Types) An ICMP timestamp ping is a good option if the admin has blocked ICMP ECHO pings. The ICMP timestamp feature is used to synchronize clocks. If you send a timestamp packet, and get a reply, you know the host is up!

Module 03 Scanning Networks Which type of port scan should you not attempt if an IDS is in-use on the network? A. Idle scan B. TCP Connect scan C. TCP SYN D. Spoof scan

C An Idle scan is very stealthy and helps evade an IDS. A Connect scan mimics normal network traffic and is unlikely to be flagged as suspicious. There’s no such thing as a “spoof scan”. A TCP SYN scan, also called a Stealth scan or a Half-Open scan, “attempts” to be stealthy, but it’s an old trick, and is very likely to be flagged by an Intrusion Detection System (IDS).

Module 03 Scanning Networks Nmap reports that one of your hosts at 10.10.10.20 has an IP ID sequence of “incremental”. Because of this finding, you run this command: nmap -Pn -p 80 -sI 10.10.10.20 10.10.10.50 What does the “-sI” (that’s a capital “i” ) switch do with Nmap? A. Conducts an ICMP scan B. Conducts an IDLE scan C. Conducts a stealth scan D. Conducts a silent scan

Module 03 Scanning Networks During an Idle-Scan of a port on a target computer, an attacker receives an IPID of 24333 from a zombie. If the target’s port is closed, what will be the final response from the zombie? A. The zombie computer will respond with an IPID of 24334. B. The zombie computer will respond with an IPID of 24333. C. The zombie computer will not send a response. D. The zombie computer will respond with an IPID of 24335.

Module 03 Scanning Networks Which technique can reveal the OS of your target system? A. UDP scanning B. IDLE/IPID scanning C. Banner grabbing D. SSDP scanning

Module 03 Scanning Networks From an outside IP, you perform an XMAS scan against your company using Nmap. Almost every port scanned does not generate a response. What can you infer from this kind of response? A. These ports are open because they do not send a response. B. These ports are in stealth mode. C. If a port does not respond to an XMAS scan using NMAP, that port is closed. D. The scan was not performed correctly using NMAP since all ports, no matter what their state, will send some sort of response from an XMAS scan.

Module 03 Scanning Networks Which flags are set in an XMAS scan? A. FIN, RST, URG B. PSH, ACK, RST C. FIN, URG, PSH D. URG, PSH, RST

Module 03 Scanning Networks Which type of port scan sends FIN/ACK probes, and if a RST comes back, it means the port is closed? A. Xmas scan B. TCP Maimon scan C. IDLE/IPID header scan D. ACK flag probe scan

Module 03 Scanning Networks ICMP ping and ping sweeps are used to check for active systems and to check A. if ICMP ping traverses a firewall. B. the route that the ICMP ping took. C. the location of the switchport in relation to the ICMP ping. D. the number of hops an ICMP ping takes to reach a destination.

Module 03 Scanning Networks Which type of scan would you run to find all the active devices hidden by a restrictive firewall in the IPv4 range on your LAN? A. UDP scan B. ACK flag probe scan C. ARP ping scan D. TCP Maimon scan

C ACK scan packets wouldn’t make it to the devices if ports are filtered on that firewall. Nor would a UDP scan. A Maimon scan is an older version of an XMAS, Fin, or Null scan, and also wouldn’t make it through a restrictive firewall. The ARP protocol, on the other hand, would not typically be blocked on a firewall or your network wouldn’t function properly. As long as the target systems are on your same subnet, an ARP ping scan is a great way to discover running hosts.

Module 03 Scanning Networks Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this? A. RST flag scanning B. FIN flag scanning C. SYN flag scanning D. ACK flag scanning

Module 03 Scanning Networks An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping3. He is still unable to connect to the target system. What could be the reason? A. The firewall is blocking port 23 to that system B. He needs to use an automated tool to telnet in C. He cannot spoof his IP and successfully use TCP D. He is attacking an operating system that does not reply to telnet even when open

Module 03 Scanning Networks If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP? A. Hping B. Traceroute C. TCP ping D. Broadcast ping

A Hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner.

Module 03 Scanning Networks During an Idle-Scan of a port on a target computer, an attacker receives an IPID of 31400 from a zombie. If the target’s port is open, what will be the final response from the zombie? A. 31400 B. 31402 C. The zombie will not send a response D. 31401

Module 03 Scanning Networks Which nmap script will scan a web server to let you know which HTTP Methods are available, like GET, POST, HEAD, PUT, DELETE, etc? A. http-headers B. http-methods C. http enum D. http-git

B https://nmap.org/nsedoc/scripts/http-methods.html

Module 03 Scanning Networks What does the Nmap -oX flag do? A. Performs an eXpress scan B. Outputs the results in XML format to a file C. Outputs the results in truncated format to the screen D. Performs an Xmas scan

B D - Wrong Xmas Scan (-sX)

Module 04 Enumeration Which protocol can secure an LDAP service against anonymous queries? A. RADIUS B. SSO C. NTLM D. WPA

C NTLM (Windows NT LAN Manager) is a suite of protocols used to authenticate a client to a resource in an Active Directory domain. This suite includes NTLMv1, NTLMv2, and NTLM2 Session protocols.

Module 04 Enumeration SNMP uses a databases called MIB’s (Management Information Base) to list all the devices that can be managed by SNMP. Which type of MIB contains object types for workstations and server services? A. DHCP.MIB B. LNMIB2.MIB C. MIB_II.MIB D. WINS.MIB

B *DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts *HOSTMIB.MIB: Monitors and manages host resources *LNMIB2.MIB: Contains object types for workstation and server services *MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system *WINS.MIB: For the Windows Internet Name Service (WINS)

Module 04 Enumeration Which Windows command lists all the shares you have access to? A. NET CONFIG B. NET VIEW C. NET USE D. NET FILE

B Try running this command from a Windows machine! If nothing shows up, then you don’t have access to any shares at the moment.

Module 04 Enumeration Which of these commands would you use to enumerate the user accounts on an SMTP server? A. EXPN B. CHK C. RCPT D. VRFY

D VRFY: It is used to validate the user on the server. EXPN: It is used to find the delivery address of mail aliases RCPT TO: It points to the recipient’s address.

Module 04 Enumeration NetBIOS enumeration can get you valuable information such as the names of computers, groups, services, shares, and more. Which of these NetBIOS codes would show you the messenger service running for a logged-in user? A. <00> B. <1B> C. <20> D. <03>

D NetBIOS Suffixes ================== 00: Workstation Service (workstation name) 03: Windows Messenger service. 06: Remote Access Service. 20: File Service (also called Host Record) 21: Remote Access Service client. 1B: Domain Master Browser – Primary Domain Controller for a domain. 1D: Master Browser.

Module 04 Enumeration Which tool would you use to query LDAP services for sensitive info like user and computer names? A. Zabasearch B. Ike-scan C. Jxplorer D. EarthExplorer

C JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface. It is highly flexible and can be extended and customised in a number of ways.

Module 04 Enumeration If you were doing a pen-test for BigCorp and wanted to enumerate the network, you’d first attempt a zone transfer. If you were on a Windows machine, you’d use the nslookup command. Assuming the DNS server is at 10.10.10.10 and the domain name is bigcorp.local, what command would you type in the nslookup shell to achieve the zone transfer? A. lserver 10.10.10.10 -t all B. ls -d bigcorp.local C. list server=10.10.10.10 type=all D. list domain=bigcorp.local type=zone

B In NSLOOKUP, the -d switch “dumps” all the records for requested zone (domain).

Module 04 Enumeration Which of these commands would tell you if there is already a specific DNS entry in your DNS cache? For example, you want to see if the cache has already queried for update.adobe.com. A. dnsnooping -rt update.adobe.com B. dns --snoop update.adobe.com C. nslookup -norecursive update.adobe.com D. nslookup -fullrecursive update.adobe.com

C The -norecursive switch tells nslookup to look for the entry in the cache without going out to the internet to ask other servers for the answer. If the specified entry is present in the cache, then the user must have queried for that information earlier.

Module 04 Enumeration Which of these Linux commands will resolve the domain amazon.com to an IP address? A. host -t soa amazon.com B. host -t AXFR amazon.com C. host -t ns amazon.com D. host -t a amazon.com

D ns: name server SOA (start of authority) The -a (all) option is equivalent to setting the -v option and asking host to make a query of type ANY.

Module 04 Enumeration What info can you gain via SMTP enumeration? A. The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists. B. The internal command RCPT provides a list of ports open to message traffic. C. A list of all mail proxy server addresses used by the targeted host D. Reveals the daily outgoing message limits before mailboxes are locked

Module 04 Enumeration The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers) A. Enable SNMPv3 which encrypts username/password authentication B. Use your company name as the public community string replacing the default 'public' C. Enable IP filtering to limit access to SNMP device D. The default configuration provided by device vendors is highly secure and you don't need to change anything

Module 04 Enumeration What is the name of the technique where you can find out the sites visited by the employees of an organization by querying the DNS server for specific cached DNS records? A. DNSSEC zone walking B. DNS cache snooping C. DNS cache poisoning D. DNS zone walking

B DNS cache snooping is when someone queries a DNS server in order to find out (snoop) if the DNS server has a specific DNS record cached, and thereby deduce if the DNS server's owner (or its users) have recently visited a specific site Zone Walking is a technique that is used by attackers to enumerate the full content of DNSSEC-signed DNS zones.

Module 05 Vulnerability Analysis While scanning a network, which step comes immediately before using a Vulnerability Scanner? A. Firewall detection B. OS detection C. Check to see if the remote host is alive D. TCP / UDP port scanning

B The order of scanning would be: 1. Check for live systems (ping sweeps, etc) 2. Check for open ports (this tells you the likely services listening on the target) 3. Banner grabbing (tells you the OS) 4. Vulnerability scanning (looks for vulns & flaws on the target) It helps to know the OS before doing a vulnerability scan because entering the target’s Operating System will help tune the vuln scanner so it can find more information and run scans relevant to that particular OS.

Module 05 Vulnerability Analysis What’s the range for a medium vulnerability in the CVSS v3 scoring system? A. 3.0-6.9 B. 3.9-6.9 C. 4.0-6.0 D. 4.0-6.9

D CVSS v3.0 Ratings None 0.0 Low 01.-3.9 Medium 4.0-6.9 High 7.0-8.9 Critical 9.0-10.0

Module 05 Vulnerability Analysis These are the steps in the Vulnerability Management Life Cycle, but they are out of order. Arrange them in the proper order below. 1. Risk assessment 2. Monitor 3. Identify assets and create a baseline 4. Remediation 5. Vulnerability scan 6. Verification A. 2, 4, 5, 3, 6, 1 B. 1, 2, 3, 4, 5, 6 C. 3, 5, 1, 4, 6, 2 D. 3, 1, 2, 6, 5, 4

Module 05 Vulnerability Analysis An employee left the company, and now you want to give his laptop to another employee. Before you do, however, you assess it for vulnerabilities. You find vulnerabilities such as native configurations, incorrect registry settings and file permissions, and software configuration errors. What type of vulnerability assessment did you perform here? A. Host-based assessment B. Database assessment C. Credentialed assessment D. Distributed assessment

Module 05 Vulnerability Analysis Which of the following statements about vulnerability scanners is NOT correct? A. Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. B. Vulnerability scanners can help identify out-of-date software versions, missing patches, or system upgrades C. They can validate compliance with or deviations from the organization's security policy D. Vulnerability scanners can identify weakness and automatically fix and patch the vulnerabilities without user intervention

Module 05 Vulnerability Analysis Which of the following business challenges could be solved by using a vulnerability scanner? A. Auditors want to discover if all systems are following a standard naming convention B. There is an emergency need to remove administrator access from multiple machines for an employee that quit C. A Web server was compromised and management needs to know if any further systems were compromised D. There is a monthly requirement to test corporate compliance with host application usage and security policies

Module 05 Vulnerability Analysis Which of the following tools will scan a network to perform vulnerability checks and compliance auditing? A. NMAP B. Metasploit C. Nessus D. BeEF

Module 05 Vulnerability Analysis Analyst Alice is doing a vulnerability test on your network. She starts by building an inventory of protocols running on your machines. Using that, she detects which ports are attached to services like web, mail, and database services. After identifying these services and ports, she then selects vulnerabilities on each service, and runs only the relevant tests for each. Which type of vulnerability assessment is she performing here? A. Product-Based assessment B. Service-Based assessment C. Tree-Based assessment D. Inference-Based assessment

Module 05 Vulnerability Analysis Which is the best way to find vulnerabilities on a Windows-based computer? A. Check MITRE.org for the latest list of CVE findings B. Use the built-in Windows Update tool C. Create a disk image of a clean Windows installation D. Use a scan tool like Nessus

Module 05 Vulnerability Analysis In which phase of the Vulnerability Management Life Cycle would you apply fixes to vulnerable systems? A. Identify Assets and Create a Baseline B. Vulnerability Scan C. Risk Assessment D. Remediation E. Verification F. Monitor

Module 05 Vulnerability Analysis Nessus found a vulnerability on your server. You investigated, but you find that the vulnerability does not actually exist on the server. Which type of alert did Nessus really give you then? A. True Positive B. True Negative C. False Positive D. False Negative

Module 05 Vulnerability Analysis Which type of vulnerability assessment can find things like active systems, network services, applications, vulnerabilities, and users, merely by sniffing network traffic? A. Passive assessment B. Credentialed assessment C. Internal assessment D. External assessment

Module 05 Vulnerability Analysis Which type of vulnerability assessment analyzes the network from a hacker’s perspective to discover exploits and vulnerabilities that are accessible to the outside world? A. Host-based assessment B. Passive assessment C. Database assessment D. Application assessment E. External assessment F. Internal assessment

Module 05 Vulnerability Analysis Which severity level for a vulnerability would a CVSS score of a 7.2 be? CVSS v3.0 Ratings None 0.0 Low 01.-3.9 Medium 4.0-6.9 High 7.0-8.9 Critical 9.0-10.0 A. None B. Low C. Medium D. High E. Critical

Module 05 Vulnerability Analysis Hacker Joe is back at it again, and this time he installed a rogue access point in the company perimeter in order to gain internal access. Analyst Alice detects traffic inside the company that is attempting to crack the authentication. She turned off the network and tested for any old security mechanisms that are prone to being attacked. What type of vulnerability assessment did she perform? A. Host-based assessment B. Distributed assessment C. Wireless network assessment D. Application assessment

C Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Module 05 Vulnerability Analysis Which tool can scan web servers for problems like potentially dangerous files and vulnerable CGI’s? A. Snort B. Dsniff C. Nikto D. John the Ripper

C Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. SNORT is a powerful open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that provides real-time network traffic analysis and data packet logging. SNORT uses a rule-based language that combines anomaly, protocol, and signature inspection methods to detect potentially malicious activity. dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

Module 05 Vulnerability Analysis Which is a common vulnerability that commonly exposes sensitive information on Windows file servers? A. Cross-site scripting B. SQL injection C. Missing patches D. CRLF injection

C When considering vulnerabilities that could expose sensitive files, databases, and passwords on a Windows file server, the most common issue is often missing patches. Attackers exploit known security flaws that haven't been patched to gain unauthorized access. In contrast, SQL injection, Cross-site scripting, and CRLF injection are vulnerabilities more commonly associated with web applications rather than file servers.

Module 06 System Hacking How does an operating system protect the passwords used for account logins? A. The operating system performs a one-way hash of the passwords B. The operating system encrypts the passwords, and decrypts them when needed C. The operating system stores all passwords in a protected segment of nonvolatile memory D. The operating system stores the passwords in a secret file that users cannot find

Module 06 System Hacking Which of these cracks passwords by utilizing a pre-computed table of password hashes? A. Dictionary attack B. Brute Force attack C. Hybrid attack D. Rainbow Table attack

D A rainbow table uses these pre-computed hash values as a means to crack password databases that do not store their information as plaintext. These tables allow attackers to access secure systems without guessing a password

Module 06 System Hacking Which of these is a technique to use DNS to sneak data or malware past your corporate firewall, which could then be used for communication from a victim’s machine to a C&C server? A. DNS tunneling method B. DNS cache snooping C. DNSSEC zone walking D. DNS enumeration

Module 06 System Hacking Consider this output from a hacker's machine targeting another machine with the IP address of 192.168.3.10: [ATTEMPT] target 192.168.3.10 – login “root” – pass “a” 1 of 20 [ATTEMPT] target 192.168.3.10 – login “root” – pass “123” 2 of 20 [ATTEMPT] target 192.168.3.10 – login “admin” – pass “a” 3 of 20 [ATTEMPT] target 192.168.3.10 – login “admin” – pass “123” 4 of 20 [ATTEMPT] target 192.168.3.10 – login “guest” – pass “a” 5 of 20 [ATTEMPT] target 192.168.3.10 – login “guest” – pass “123” 6 of 20 [ATTEMPT] target 192.168.3.10 – login “” – pass “a” 7 of 20 [ATTEMPT] target 192.168.3.10 – login “” – pass “123” 8 of 20 Which is most likely taking place here? A. Ping sweep of the 192.168.3.10 network B. Remote service brute force attempt C. Port scan of 192.168.3.10 D. Denial of service attack on 192.168.3.10

Module 06 System Hacking To attack her hapless victim, Hacker Heather had to have a terminal window open to perform her hacking. While typing at the command-line, she had to enter several of her own passwords in plaintext in order to access some of her tools. When she was done doing her dirty deeds, which file should she clean in order to clear her passwords? A. .xsession-log B. .bashrc C. .bash_history D. .profile

Module 06 System Hacking Which type of rootkit sits undetected in the core of an operating system? A. Firmware rootkit B. Kernel rootkit C. Hardware rootkit D. Hypervisor rootkit

B Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations.

Module 06 System Hacking Which password cracking technique takes the longest time and most effort? A. Dictionary attack B. Shoulder surfing C. Brute force D. Rainbow tables

Module 06 System Hacking Which type of password cracking technique would feed a list of common passwords into a cracking application in an attempt to gain access to a user’s account? A. Known plaintext B. Brute force C. Password spraying D. Dictionary

Module 06 System Hacking On a Linux system you can hide files by starting the file’s name with which of these characters? A. Tilde (~) B. Period (.) C. Underscore (_) D. Exclamation mark (!)

Module 06 System Hacking Which technique provides 'security through obscurity‘ by hiding secret messages within ordinary messages? A. Encryption B. RSA algorithm C. Steganography D. Public-Key cryptography

Module 06 System Hacking Which of these programming languages is commonly vulnerable to buffer overflows? A. C# B. C++ C. Python D. Java

B C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they don't have built-in safeguards against overwriting or accessing data in their memory.

Module 06 System Hacking You breached a system and got the password hashes. You need to use these passwords to log on to systems, but you don’t have time to crack the hashes to find the passwords. Which type of attack could you use instead? A. Pass the hash B. Pass the ticket C. LLMNR/NBT-NS poisoning D. Internal monologue attack

A If you get someone’s hash, you don’t even need to crack it to log-on to a Windows network. You can just transmit (pass) the hash to the server you want to log-on to. Metasploit (and other tools) has a pass-the-hash module for doing this. Defenses for this include 1) *not* letting an attacker get your hashes in the first place, 2) Multi-factor authentication, 3) Network segmentation, etc.

Module 06 System Hacking If you boot a Windows machine with an Ubuntu Live CD, which Linux command-line tool can change user passwords and activate disabled accounts in the SAM file of the Windows machine? A. SET B. CHNTPW C. Cain & Abel D. John the Ripper

B Chntpw is a utility to view some information and reset user passwords in a Windows NT/2000 SAM user database file used by Microsoft Windows Operating System, specifically in NT3.x and later versions.

Module 06 System Hacking After gaining control to a user account, how can you gain access to another user account’s confidential files and data? A. Port scanning B. Hacking Active Directory C. Shoulder-surfing D. Privilege Escalation

D Once you gain access to a user account, a successful privilege escalation attack could allow you to gain the rights of another user or admin.

Module 06 System Hacking As an admin, how can you protect your password files against rainbow tables? A. Password salting B. Use of non-dictionary words C. All uppercase character passwords D. Lockout accounts under brute force password cracking attempts

Module 06 System Hacking Which of these is the correct syntax to use MSFvenom to create a reverse TCP shellcode exploit for Windows? A. msfvenom -p windows/meterpreter/reverse_tcp RHOST=192.168.5.10 LPORT=3456 -f exe>shell.exe B. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.5.10 LPORT=3456 -f exe>shell.exe C. msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.5.10 LPORT=3456 -f c D. msfvenom -p windows/meterpreter/reverse_tcp RHOST=192.168.5.10 LPORT=3456 -f c

B The correct MSFvenom syntax for generating a Windows reverse TCP shellcode is option (b), with the appropriate LHOST and LPORT values set, format specified as exe, and output redirected to a file named shell.exe. The parameters LHOST and LPORT should be replaced with your local IP address and the port you wish to use for the reverse connection. The f flag specifies the output format, which in this case is an executable (exe). The '>' operator is used to redirect the generated shellcode into a file named shellcode.exe. The -p flag specifies the payload to generate. In this case, we are using the windows/shell_reverse_tcp payload, which creates a reverse TCP shell. The LHOST and LPORT options are used to specify the IP address and port on which the shell will connect back to.

Module 06 System Hacking Your web-page asks users to enter their mailing address, but you’re worried about possible buffer overflow attacks. Which bit of pseudo-code would correctly limit the Address1 field to 40 characters and avoid a buffer overflow? A. if (Address1 = 40) {update field} else exit B. if (Address1 != 40) {update field} else exit C. if (Address1 >= 40) {update field} else exit D. if (Address1 <= 40) {update field} else exit

Module 06 System Hacking Which of these is an exploitation framework that can automate attacks on unpatched systems? A. Nessus B. Wireshark C. Maltego D. Metasploit

Module 06 System Hacking Which type of password attack pulls passwords from a list of commonly used passwords until the correct password is found or the list is exhausted? A. Man-in-the-middle attack B. Brute-force attack C. Dictionary attack D. Session hijacking

Module 06 System Hacking Which of these tools would NOT be used for cracking password hashes? A. Netcat B. John the Ripper C. TCH-Hydra D. Hashcat

A Netcat is a tool for reading from, and writing to TCP and UDP network connections. It has nothing to do with cracking passwords, however the other 3 listed tools do.

Module 06 System Hacking You want to steal a file from work and send it to your home computer. If your company monitors outbound traffic, how can you transfer the file without raising any suspicion? A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account

Module 06 System Hacking Which OS did the Shellshock vulnerability NOT directly affect? A. Windows B. Linux C. OS X D. Unix

A Shellshock, also known as the Bash or Bashdoor vulnerability, was a major security flaw discovered in September 2014. It affected the Bash shell, which is commonly found in Unix-based operating systems, such as Linux, Unix, and OS X (now macOS). Windows, on the other hand, does not use the Bash shell by default and was not directly affected by the Shellshock vulnerability.

Module 06 System Hacking Which bit of pseudo-code in a programming module would limit input to less than 300 characters, and if there are 300 characters, the module should stop because it can’t hold any more data? A. If (I > 300) then exit B. If (I < 300) then exit C. If (I <= 300) then exit D. If (I >= 300) then exit

Module 06 System Hacking Which of these can be probed for weakness with John the Ripper? A. Firewall rulesets B. Usernames C. Passwords D. File permissions

Module 06 System Hacking Before you turn on auditing on a production server, what should you do first? A. Perform a vulnerability scan of the system. B. Determine the impact of enabling the audit feature. C. Perform a cost/benefit analysis of the audit feature. D. Allocate funds for staffing of audit log review.

Module 06 System Hacking Which of these Metasploit post-exploitation modules can be used to escalate privileges on a Windows server? A. getsystem B. keylogrecorder C. getuid D. autoroute

A After exploiting a vulnerability on a Windows system and getting a Meterpreter command prompt back from the victim, the getsystem command will automatically perform several privilege escalation attacks to get “system” privileges, which is basically administrator-level privileges. The getuid command shows the currently logged-in user’s ID. The autoroute command will allow you to pivot through the victim’s machine to attack yet other machines. There is no keylogrecorder command.

Module 06 System Hacking env x=`(){ :;};echo exploit` bash -c 'cat /etc/passwd' What is the Shellshock bash vulnerability attempting to do on an vulnerable Linux host? A. Changes all passwords in passwd B. Display passwd content to prompt C. Removes the passwd file D. Add new user to the passwd file

Module 06 System Hacking Which of these would be considered “clearing tracks”? A. An attacker gains access to a server through an exploitable vulnerability. B. After a system is breached, a hacker creates a backdoor to allow re-entry into a system. C. During a cyberattack, a hacker injects a rootkit into a server. D. During a cyberattack, a hacker corrupts the event logs on all machines.

Module 07 Malware Threats Which type of malware requires a “host” application to replicate? A. Micro B. Worm C. Trojan D. Virus

Module 07 Malware Threats Which of these programs could infect both your boot sector and your executable files at the same time? A. Macro virus B. Stealth virus C. Multipartite virus D. Polymorphic virus E. Metamorphic virus

C The multipartite virus has the ability to attack both the boot sector and program files at the same time, causing greater harm than any other virus.

Module 07 Malware Threats Which of these listed virus types can change its own code, and then when it replicates it can cipher itself many times? A. Tunneling virus B. Encryption virus C. Stealth virus D. Cavity virus

Module 07 Malware Threats Bob downloaded and executed a file from an ex-employee. The file didn’t seem to do anything, and now he’s worried that it might have been a trojan. What test should you do to determine if Bob’s computer is infected? A. Upload the file to VirusTotal B. Do not check; rather, immediately restore a previous snapshot of the operating system C. Use ExifTool and check for malicious content D. Use netstat and check for outgoing connections to strange IP addresses or domains

Module 07 Malware Threats Which type of malware causes pop-ups with advertisements every time you attempt to go to a website? A. Trojan B. Spyware C. Adware D. Virus E. Crypter F. Worm

Module 07 Malware Threats Which type of malware cannot be detected by AV or IDPS, and cannot be blocked by application whitelisting? A. File-less malware B. Zero-day malware C. Logic bomb malware D. Phishing malware

A Fileless malware uses pre-existing, legitimate tools built into an OS to perform malicious actions. Since these are valid tools, they won’t be flagged by AV or IDPS, and won’t be blocked by whitelisting software.

Module 07 Malware Threats Which of these often targets Microsoft Office products? A. Polymorphic virus B. Multipart virus C. Macro virus D. Stealth virus

Module 07 Malware Threats When discussing trojans, what is a wrapper? A. An encryption tool to protect the Trojan B. A tool used to bind the Trojan with a legitimate file C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan D. A tool used to encapsulate packets within a new header and footer

Module 07 Malware Threats You boot your computer up to find a pop-up message saying that illegal activity was detected, and your computer is now locked. The message also states that you must pay a fine to have your computer unlocked. You find that you cannot bypass this message and you are unable to use your computer at all. Which of these threats is this describing? A. Riskware B. Spyware C. Adware D. Ransomware

Module 07 Malware Threats Hacker Joe has gained unauthorized access to Evilcorp’s network, and stays there for six months without being detected. During this time he obtains some sensitive information, but he never causes any damage to the network. Which type of attack is this? A. Insider Threat B. Advanced Persistent Threat C. Diversion Theft D. Spear-phishing sites

Module 07 Malware Threats What’s the best defense against ransomware that encrypts your files? A. Pay the ransom B. Analyze the ransomware to get the decryption key of encrypted data C. Keep some generation of off-line backup D. Use multiple antivirus software programs

Module 07 Malware Threats What is the name of a type of virus that tries to install itself inside the file it’s infecting? A. Polymorphic virus B. Tunneling virus C. Cavity virus D. Stealth virus

C A Cavity Virus attempts to install itself inside of the file it is infecting, rather than appending itself to the end of the file like most viruses do. This is a stealth technique that tries to keep the size of the file the same to avoid detection. This is hard to do though, so it's rare.

Module 07 Malware Threats Which of these describes the way in which a Boot Sector Virus works? A. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR B. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program D. Overwrites the original MBR and only executes the new virus code

Module 07 Malware Threats An attacker infected your web server with a trojan. He can now use your server send spam mail, and can also use it to join in coordinated attacks against targets he chooses. Which type of trojan would this be? A. Turtle trojans B. Botnet trojan C. Banking trojan D. Ransomware trojan

Module 07 Malware Threats Which type of malware causes damage similar to a virus, but automatically spreads from one system to another, or from one network to another? A. Rootkit B. Trojan C. Worm D. Adware

Module 07 Malware Threats Which of these virus types is *least* likely to be detected by antivirus software? A. Macro virus B. Cavity virus C. Stealth virus D. File-extension virus

C Both the Stealth virus and Cavity virus try to avoid detection using various techniques. A Stealth virus, however, actively and purposefully performs several techniques to hide from your antivirus program. A Cavity virus merely hides inside an executable without changing the original file size. This may trick an end-user, but can still be discovered by antivirus programs.

Module 07 Malware Threats In which stage of the Advanced Persistent Threat lifecycle will an attacker deploy malware in a target to establish an outbound connection? A. Preparation B. Initial Intrusion C. Expansion D. Persistence E. Search and Exfiltration F. Cleanup

Module 07 Malware Threats Some types of antivirus software identifies malware by gathering data across many protected hosts, then sends that data to a provider’s environment instead of analyzing files locally. Which type of detection technique is this? A. Cloud based B. Honeypot based C. Behavioral based D. Heuristics based

Module 07 Malware Threats Which of these would be considered scareware? A. A banner appears stating “Your account has been locked. Click here to reset your password and unlock your account.” B. A banner appears stating “Your Amazon order has been delayed. Click here to find out your new delivery date.” C. A pop-up appears to a user stating “You have won a free cruise! Click here to claim your prize!” D. A banner appears stating “Your computer may have been infected with spyware. Click here to install an anti-spyware tool to resolve this issue.”

Module 07 Malware Threats Which of these is the best way to secure backup tapes while taking them to an off-site location? A. Degauss the backup tapes and transport them in a lock box B. Encrypt the backup tapes and transport them in a lock box. C. Hash the backup tapes and transport them in a lock box. D. Encrypt the backup tapes and use a courier to transport them.

Module 07 Malware Threats Which type of virus hides from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run? A. Macro virus B. Polymorphic virus C. Stealth/Tunneling virus D. Cavity virus

Module 08 Sniffing You’re experiencing slow network traffic, so you’ve decided to start monitoring all internet traffic. Legally speaking, what could cause a problem here? A. Not informing the employees that they are going to be monitored could be an invasion of privacy. B. The network could still experience traffic slowdowns. C. You would be telling employees who the boss is. D. All of the employees would stop normal work activities.

Module 08 Sniffing Which type of MiTM attack uses a rogue switch with the lowest “priority” on the network, which would then become the root bridge and allow traffic sniffing? A. VLAN hopping attack B. ARP spoofing attack C. STP attack D. DNS poisoning attack

C Spanning Tree Protocol (STP) is a networking protocol that prevents loops in network topology by disabling redundant paths and determining the shortest path to the root bridge. This is done by electing a root bridge and calculating the shortest path to it, using factors such as port cost and priority. Spanning Tree Protocol is a critical protocol in network infrastructure, but it also has vulnerabilities that can be exploited by attackers. It is essential to configure STP correctly and implement security measures to prevent STP attacks, such as disabling unused switch ports, enabling port security, and using BPDU guard and root guard. Is it a spanning Tree Protocol attack? Spanning Tree Protocol (STP) attacks exploit vulnerabilities in the protocol to create network loops or bring down the network. Attackers can use a variety of methods, such as sending malicious Bridge Protocol Data Units (BPDU), to interfere with the STP calculations and force the network to use a sub-optimal path or even create a loop. STP attacks can cause network congestion, broadcast storms, and even network failures, which can have severe consequences for organizations. To prevent STP attacks, network administrators should disable unused switch ports, enable port security, and use BPDU guards and root guards.

Module 08 Sniffing Which of these is the most solid example of IP spoofing? A. SQL injections B. Man-in-the-middle C. Cross-site scripting D. ARP poisoning

Module 08 Sniffing Choose the BEST way to protect against network traffic sniffing. A. Use static IP addresses. B. Use encryption protocols to secure network communications. C. Register all machine’s MAC addresses into a centralized database. D. Restrict physical access to server rooms hosting critical servers.

Module 08 Sniffing You need to set up Wireshark on a Windows laptop. What driver and library are needed to allow your NIC to go into promiscuous mode? A. Winpcap B. Winprom C. Winpsw D. Libpcap

Module 08 Sniffing At which layer of the OSI model do sniffers operate? A. Layer 1 B. Layer 2 C. Both layer 2 & Layer 3 D. Layer 3

B Sniffers usually work at layer 2 of the OSI model. Your NIC grabs frames off the wire. While it's true that you can then see all the upper layer protocols, the "grabbing" of packets works via your NIC, which is layer 2.

Module 08 Sniffing Determined to hack you, Crafty Cathy got a job at your company. While at work one day, she secretly launched a STP manipulation attack. What will her next action be? A. She will repeat this action so that it escalates to a DoS attack. B. She will create a SPAN entry on the spoofed root bridge and redirect all traffic to her computer. C. She will repeat the same attack against all L2 switches of the network. D. She will activate OSPF on the spoofed root bridge.

B In an STP manipulation attack, an attacker connects to a switch port and either directly themselves, or through the use of a rogue switch, attempts to manipulate Spanning Tree Protocol (STP) parameters to become the root bridge. Because the root bridge is responsible for calculating the spanning tree from topology changes advertised by non-root bridges, attackers see a variety of frames that they would

Module 08 Sniffing You type www.amazon.com into your browser, the site comes up, but wants you to enter your username and password to log-in from scratch, even though you’ve selected the “keep me logged in” option. When you examine the URL, it says www.amozon.com, and your browser says the site is not secure. What type of attack happened to you here? A. DHCP spoofing B. DoS attack C. DNS hijacking D. ARP cache poisoning

Module 08 Sniffing Which of the following countermeasures can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Configure Port Security on the switch B. Configure Port Recon on the switch C. Configure Switch Mapping D. Configure Multiple Recognition on the switch

A Configuring Port Security on the switch is an effective countermeasure against both MAC flood and MAC spoofing attacks. Port Security allows the switch to limit the number of MAC addresses that can be learned on a specific port. This prevents MAC flooding attacks where an attacker floods the switch with fake MAC addresses, overwhelming its memory. Additionally, Port Security can also detect and prevent MAC spoofing attacks by only allowing specific MAC addresses to communicate on a port, blocking any unauthorized MAC addresses. This helps to ensure the integrity and security of the network.

Module 08 Sniffing A hacker gained entry into a building and was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network? A. Fraggle B. MAC Flood C. Smurf D. Tear Drop

Module 08 Sniffing Which of these allows your NIC to send all traffic it receives to the CPU, instead of only sending traffic the NIC was intended to receive? A. WEM B. Multi-cast mode C. Promiscuous mode D. Port forwarding

Module 08 Sniffing Which of the following is a protocol that is prone to a man-in-the-middle (MITM) attack and maps a 32-bit address to a 48-bit address? A. ICPM B. ARP C. RARP D. ICMP

Module 08 Sniffing Passive network sniffing can achieve all of the following except which? A. Capturing network traffic for analysis B. Collecting unencrypted information about usernames and passwords C. Modifying and replaying captured network traffic D. Identifying operating systems, services, protocols, and devices

C When you modify and then re-play the traffic back onto the wire, you’ve moved past passive sniffing and now you are doing “active” actions. Passive is merely “watching” and recording, and does not involve sending any traffic.

Module 08 Sniffing Which is the best description for how ARP (Address Resolution Protocol) works? A. It sends request packets to all the network elements, asking for the MAC address from a specific IP B. It sends a reply packet for a specific IP, asking for the MAC address C. It sends a request packet to all the network elements, asking for the domain name from a specific IP D. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP

Module 08 Sniffing Which is a command-line based packet sniffer? A. Nessus B. Ethereal C. TCPDump D. Jack the Ripper

Module 08 Sniffing Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full? A. Switch then acts as hub by broadcasting packets to all machines on the network B. The CAM overflow table will cause the switch to crash causing Denial of Service C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port

Module 08 Sniffing Which of these would you use as a Wireshark display filter to find unencrypted file transfers? A. tcp.port == 21 || tcp.port == 22 B. tcp.port != 21 C. tcp.port == 21 D. tcp.port = 23

C 21 File Transfer Protocol (FTP) Command Control / session control 22 Secure Shell (SSH) / Secure Copy (SCP) 23 Telnet - Remote login service, unencrypted text messages

Module 08 Sniffing Which type of attack would you use to attack a switch to overflow its CAM table (Content-Addressable Memory)? A. DDos attack B. Evil Twin attack C. DNS cache flooding D. ARP poisoning E. MAC flooding

Module 08 Sniffing Hacker Joe gains access to your DNS server and redirects queries for www.amazon.com to his own IP address. Now when your employees try to visit Amazon’s website they are redirected to Hacker Joe’s machine. What is the name for this attack? A. ARP poisoning B. Smurf attack C. MAC flooding D. DNS spoofing

Module 08 Sniffing Which of the following problems can be solved by using Wireshark? A. Tracking version changes of source code B. Checking creation dates on all webpages on a server C. Resetting the administrator password on multiple systems D. Troubleshooting communication resets between two systems

Module 08 Sniffing What is a sniffing performed on a switched network called? A. Spoofed sniffing B. Passive sniffing C. Direct sniffing D. Active sniffing

D Because it switches segment traffic and knows which particular port to send traffic to

Module 08 Sniffing Which of these are a set of DNS add-ons that can provide digitally signed DNS replies to your queries, so that you know the returned answers are authentic? This is in order to prevent things like DNS poisoning and spoofing. A. Zone transfer B. Resource records C. Split-DNS D. DNSSEC

Module 08 Sniffing Wireshark uses which format as the default view for data in the currently selected packet? A. ASCII B. Binary C. Decimal D. Hexadecimal

Module 08 Sniffing Neil is a network administrator working in Istanbul. Neil wants to setup a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. What type of port will Neil need to setup in order to accomplish this? A. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer. B. Neil will need to setup SPAN port that will copy all network traffic to the protocol analyzer. C. He will have to setup an Ether channel port to get a copy of all network traffic to the analyzer. D. He should setup a MODS port which will copy all network traffic.

Module 08 Sniffing Which type of DoS attack forges many DHCP requests to use up all the valid IP addresses, which then leads to employees not being able to access the network? A. STP attack B. Rogue DHCP server attack C. DHCP starvation D. VLAN hopping

Module 08 Sniffing How do you defend against DHCP Starvation attack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this attack

B DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities: * Validates DHCP messages received from untrusted sources and filters out invalid messages.

Module 08 Sniffing Which of these is a wireless packet analyzer that runs on Linux systems? A. Abel B. Nessus C. Netstumbler D. OpenVAS E. Kismet

Module 08 Sniffing Your IDS captured some traffic that is possibly malicious. Which type of tool can help you determine if it really was malicious, or if it was just a false positive? A. Vulnerability scanner B. Network sniffer C. Intrusion Prevention System D. Protocol analyzer

Module 08 Sniffing Which of these security features found on switches works with the DHCP snooping database to prevent man-in-the-middle (MiTM) attacks? A. Port security B. Layer 2 Attack Prevention Protocol (LAPP) C. Spanning Tree D. Dynamic ARP Inspection (DAI)

D Dynamic ARP Inspection (DAI) is a security feature in MS switches that protects networks against man-in-the-middle ARP spoofing attacks. DAI inspects Address Resolution Protocol (ARP) packets on the LAN and uses the information in the DHCP snooping table on the switch to validate ARP packets.

Module 08 Sniffing Wireshark, tcpdump, WinDump and EtherPeek can all capture packets and save them to a file. Which of these is a tool that can analyze these files? A. OpenVAS B. Nessus C. Traceroute D. Tcptrace

D After a packet trace is captured between hosts participating in a performance test, tools such as tcptrace can be used to analyze the behavior of the flow. In addition to printing a summary of behavior, tcptrace can output files suitable for use with the xplot tool.

Module 08 Sniffing Which tool could be used for passive operating-system fingerprinting? A. nmap B. ping C. tcpdump D. tracert

C While nmap can certainly do OS fingerprinting, it is considered active because you send traffic to the target. Tcpdump, on the other hand, is a sniffer, and by observing differences in the traffic you capture, you can determine the OS that sent the traffic. Tcpdump is passive as it does not send traffic to the target.

Module 08 Sniffing You have two machines. Snort is installed on 192.168.0.99. The next machine is a Syslog server with the IP 192.168.0.150. You do a syn scan on the network, but the Syslog server isn’t getting the alert message from snort. You run Wireshark to see if the messages are being sent to the Syslog server. Which Wireshark filter will show the messages from the snort machine to the Syslog machine? A. tcp.srcport==514 && ip.src==192.168.0.99 B. Tcp.srcport==514 && ip.src==192.168.150 C. Tcp.dstport==514 && ip.dst==192.168.0.0/16 D. Tcp.dstport==514 && ip.dst==192.168.0.150

Module 08 Sniffing Which file would you modify on your victim’s machine if you wanted to send them to a malicious phishing site every time they typed “www.paypal.com” into their browser? A. Sudoers B. Hosts C. Networks D. Boot.ini

Module 08 Sniffing Attacker Alice attached a rogue router to your network, and now she is redirecting your LAN traffic to her own router as part of her MiTM attack. Which of these defensive techniques would be BEST to prevent this type of attack? A. Make sure that legitimate network routers are configured to run routing protocols with authentication. B. Only using OSPFv3 will mitigate this risk. C. Disable all routing protocols and use only static routes. D. Redirection of traffic cannot happen unless the admin allows it explicitly.

Module 09 Social Engineering Hacker Joe sends fraudulent e-mails with malicious links to his victims. When the victims click the link, they are sent to a fraudulent website that automatically loads Flash and triggers a fileless malware exploit. Which technique did Hacker Joe use to launch the fileless malware on victims’ systems? A. In-memory exploits B. Script-based injection C. Phishing D. Legitimate applications

Module 09 Social Engineering Which type of social engineering involves luring the victim to an online dating site to create a fake relationship, in order to obtain confidential information about the target’s company? A. Baiting B. Honey Trap C. Diversion theft D. Piggybacking

Module 09 Social Engineering While doing a pen-test, you send the boss’s secretary an e-mail, changing the source to look like it came from the boss. You ask her for some links to relevant websites. She sends you the links via e-mail. You change them to links containing malware and send them back, telling her the links didn’t work. She tries the links herself and her machine gets infected, giving you access to it. Which testing method was used? A. Piggybacking B. Social engineering C. Tailgating D. Eavesdropping

Module 09 Social Engineering Victim Veronica recently purchased a new phone system from PhoneX. Hacker Joe knows this, so he contacts Veronica masquerading as a legitimate PhoneX customer support executive. He tells Veronica that her phone system needs updates, and that they will send a technician to make the updates, free of charge. Veronica schedules the appointment, and Hacker Joe enters the company. While he’s there, he gathers sensitive information by scanning terminals for passwords, looking for sensitive documents in desks, and rummaging bins. Which attack is Hacker Joe performing here? A. Eavesdropping B. Dumpster diving C. Shoulder surfing D. Impersonation

Module 09 Social Engineering You have a fake ID badge and company shirt. You wait by an entrance and follow an employee into the office after they swipe their access card to open the door. Which type of social engineering attack is this? A. You have used a tailgating social engineering attack to gain access to the offices B. You have used a piggybacking technique to gain unauthorized access C. This type of social engineering attack is called man trapping D. You are using the technique of reverse social engineering to gain access to the offices

Module 09 Social Engineering Hacker Joe targeted your company to steal your employee cloud-service credentials. He posed as a legitimate employee and made some fake calls and sent phishing e-mails to steal your employee’s credentials and account info. What technique was he using here? A. Social engineering B. Insider threat C. Password reuse D. Reverse engineering

Module 09 Social Engineering What is the difference between phishing and pharming attacks? A. Both pharming and phishing attacks are identical. B. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering. C. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website domain name. D. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website domain name.

Module 09 Social Engineering Hacker Joe poisoned your DNS cache and redirected your traffic to a malicious, fake website. Which identity theft technique is he using? A. Skimming B. Keylogging C. Pretexting D. Wardriving E. Pharming

Module 09 Social Engineering Which of these tools would you use to create a malicious phishing link, perform a MiTM attack, and steal a victim’s credentials? A. Slowloris B. PyLoris C. PLCinject D. Evilginx

D Slowloris and PyLoris are DoS attack tools. PLCinject is for attacking PLC’s (Programmable Logic Controller) and OT networks. Evilginx, on the other hand, is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service.

Module 09 Social Engineering Which of these would be best for determining if your company would benefit from user-awareness training? A. Vulnerability scanning B. Social engineering C. Application security testing D. Network sniffing

Module 09 Social Engineering Your sister just got an e-mail from PayPal stating that funds have been transferred out of her account. The e-mail contained a link to report fraud. She clicked the link, but the link itself was fraudulent, and sent her to a malicious web page, allowing an attacker to steal her data. Which type of attack happened to her? A. Spoofing B. DDoS C. Vishing D. Phishing

Module 09 Social Engineering Which type of phishing attack targets high-level executives such as the CEO or COO? A. Vishing B. Phishing C. Spear-phishing D. Whaling

Module 09 Social Engineering Bob is doing a pen-test for BigCorp. He sends a specially crafted e-mail to an employee at BigCorp. The e-mail header looks like this: From: fred_smith@bigcorp.com To: sally_thompson@bigcorp.com Subject: Test test test Date: 2/14/2016 11:15 Sally Thompson at BigCorp receives the e-mail, which must mean their e-mail gateway doesn’t prevent which of these? A. Email spoofing B. Email harvesting C. Email masquerading D. Email phishing

C The proper term here is masquerading. Yes, it is a form of spoofing, but masquerading is the official term for spoofing the source address to make it appear that the email came from an internal source.

Module 09 Social Engineering Which of these is the most “low-tech” method of accessing a system? A. Scanning B. Eavesdropping C. Sniffing D. Social engineering

Module 10 Denial-of-Service A large and well-organized hacking group will discover vulnerabilities but keep them quiet and hold on to them for later use. If one of these groups was to exploit and utilize several different vulnerabilities against you at once, what would this be considered? A. no-day B. Zero-sum C. Zero-day D. Zero-hour

C A Zero-Day attack exploits a previously unknown vulnerability.

Module 10 Denial-of-Service Which attack is being described here: -DDoS attack at layer 7 to take down a web server -Sends many partial HTTP requests -Server opens multiple connections, and keeps waiting for the requests to complete -Requests never complete, and server’s connection pool maxxes out, denying incoming requests from legitimate users A. Session splicing B. Phlashing C. Slowloris attack D. Desynchronization attack

C Slowloris is a denial-of-service attack program which allows an attacker to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target.

Module 10 Denial-of-Service Your company has many private IP’s and a range of public IP’s. Mary in the IT department monitors network traffic and finds that a large number of both IP ranges are sending traffic to a single IP address on the internet that is blacklisted. It turns out that these company machines have been compromised. Which type of attack is taking place here? A. Advanced Persistent Threat B. Rootkit attack C. Botnet attack D. Spear Phishing attack

Module 10 Denial-of-Service While logging traffic on your network you notice a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65,536 bytes. What is going on? A. The ICMP packets are being sent in a manner that is attempting IP spoofing. B. This is a Smurf attack. C. This is not unusual; ICMP packets can be of any size. D. This is a Ping Of Death attack.

D A Ping of death (PoD) attack is a denial-of-service (DoS) attack, in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash.

Module 10 Denial-of-Service A newly discovered flaw in a software application would be considered which kind of security vulnerability? A. Input validation flaw B. HTTP header injection vulnerability C. Time to check to time to use flaw D. 0-day vulnerability

Module 10 Denial-of-Service A SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains: A. The source and destination address having the same value. B. A large number of SYN packets appearing on a network without the corresponding final reply packets. C. The source and destination port numbers having the same value. D. A large number of SYN packets appearing on a network with the corresponding reply packets.

Module 10 Denial-of-Service What does this command do? hping3 --flood -S -p 80 --rand-source www.bigcorp.com A. Ping Of Death B. Idle scan of TCP port 80 C. Port scan of all UDP ports D. SYN flood

Module 10 Denial-of-Service While doing a penetration test, you bypass the network protection devices and firewalls by forging TCP sessions by sending multiple SYN, ACK, and RST or FIN packets. This allows you to execute DoS attacks and exhaust network resources. Which attack is being described here? A. Peer-to-peer attack B. Ping-of-death attack C. UDP flood attack D. Spoofed session flood attack

D Process of elimination helps with this one! Peer-to-peer attacks use file-sharing hubs, but that’s not mentioned. Ping-of-death uses malformed or oversized packets, but that’s not mentioned in this question either. UDP has no flags, so that’s right out. TCP uses the flags listed above, and is used in creating sessions, thus answer D is the best using process of elimination alone!

Module 10 Denial-of-Service There are several techniques for discovering vulnerable machines to create a botnet. In one method, the attacker first makes a list of potentially vulnerable machines, then he/she scans them to find which ones are actually vulnerable. Once he or she has found some that are vulnerable, he/she compromises them to gain control. Once the attacker can control those first few machines, he/she can use them to scan the remaining machines, thus speeding up the scan. Which technique is this? A. Random scanning B. Hit-List scanning C. Topological scanning D. Local Subnet scanning E. Permutation scanning

Module 10 Denial-of-Service How can an attacker perform a DOS with a TCP SYN attack against a victim? A. Attacker generates TCP SYN packets with random destination addresses towards a victim host B. Attacker floods TCP SYN packets with random source addresses towards a victim host C. Attacker generates TCP ACK packets with random source addresses towards a victim host D. Attacker generates TCP RST packets with random source addresses towards a victim host

Module 10 Denial-of-Service Which of these would be the proper defense against signal jamming and scrambling attacks? A. Disable TCP SYN cookie protection B. Allow the usage of functions such as gets and strcpy C. Allow the transmission of all types of addressed packets at the ISP level D. Implement cognitive radios in the physical layer

D Cognitive radio (CR) is a form of wireless communication in which a transceiver can intelligently detect which communication channels are in use and which are not. It instantly moves into vacant channels while avoiding occupied ones. Thus, if some channels are being jammed or scrambled, the CR can automatically move your communications to an unused (un-attacked) channel.

Module 11 Session Hijacking You find an image in your company’s forum that has some hidden code behind it. Users who click the image will execute this code: What is this code trying to do? A. The code redirects the user to another site. B. This php file silently executes the code and grabs the user’s session cookie and session ID. C. The code injects a new cookie to the browser. D. The code is a virus that is attempting to gather the user’s username and passwords.

Module 11 Session Hijacking Hacker Heather intercepted traffic between Victim Veronica and a server in order to predict Veronica’s next ISN (Initial Sequence Number). Using this ISN, she spoofed Veronica’s IP address and sent packets to the server. The server responded back with a packet that incremented the ISN. In the meantime, Veronica’s connection got hung, and Heather was able to communicate with the server on behalf of Veronica. Which type of hijack attack did Hacker Heather have happen to Victim Veronica? A. UDP hijacking B. TCP hijacking C. Forbidden attack D. Blind hijacking

B TCP/IP hijacking involves the following processes. *The hacker sniffs the communication between the victim and host to obtain the victim’s ISN. *By using this ISN, the attacker sends a spoofed packet from the victim’s IP address to the host system. *The host machine responds to the victim, assuming that the packet arrived from it. This increments the sequence number.

Module 11 Session Hijacking Hacker Joe logs into an online e-commerce website and gets a session ID. He then targets a victim using the same site. Using a MiTM technique, he changes the victim’s session ID to Joe’s own session ID, quietly linking the victim to Hacker Joe’s own account. When the victim clicks a link to pay for items on the website, all the sensitive payment details in the form are now linked to Joe’s account. Which type of attack was performed? A. Forbidden attack B. CRIME attack C. Session fixation attack D. Session donation attack

D The session fixation attack “fixes” an established session on the victim's browser, so the attack starts before the user logs in. Session fixation attacks are designed to exploit authentication and session management flaws.

Module 11 Session Hijacking Which of these is the newer replacement for SSL? A. TLS B. IPSec C. GRE D. RSA

Module 11 Session Hijacking Which protocol would let you guess a sequence number to become a man-in-the-middle and then hijack a session? A. UPX B. TCP C. ICMP D. UDP

B Transmission Control Protocol Session Hijacking If a would-be hijacker were to correctly guess the sequence number of TCP segments between the two nodes, then it is quite possible that the hijacker could hijack the session before that session gets established between the original TCP client and the server.

Module 11 Session Hijacking Bob has obtained a session ID from another user’s website session. Bob spoofs his IP address and re-plays the session ID trying to impersonate the other user. Why is Bob not able to get an interactive session here? A. Bob cannot spoof his IP address over TCP network B. The scenario is incorrect as Bob can spoof his IP and get responses C. The server will send replies back to the spoofed IP address D. Bob can establish an interactive session only if he uses a NAT

Module 11 Session Hijacking Which of these describes a “counter-based” authentication system? A. An authentication system that uses passphrases that are converted into virtual passwords B. An authentication system that creates one-time passwords that are encrypted with secret keys C. A biometric system that bases authentication decisions on physical attributes D. A biometric system that bases authentication decisions on behavioral attributes

B In this context, the “counter” is the One-Time-Password that the user must have in order to log-in to the system.

Module 11 Session Hijacking You’ve configured your web browser to automatically delete browser cookies when you close the browser. Which attack attempt are you trying to mitigate here? A. ..to access the user and password information stored in the company SQL database B. ..to determine the user’s web browser usage patterns, including when sites were visited and for how long C. ..to access passwords stored on the user’s computer without the user’s knowledge D. ..to access web sites that trust the web browser’s user by stealing the user’s authentication credentials

Module 11 Session Hijacking You want to send various traffic to a remote host, but you’re worried that someone might monitor the link and capture the traffic. You want to tunnel the data but you do not have VPN capabilities. Which of the following tools can you use to protect the link? A. MD5 B. PGP C. RSA D. SSH

D SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks) and access intranet services across firewalls.

Module 11 Session Hijacking Normally SMTP is not encrypted when it sends mail between servers, however, you can upgrade the connection to use a TLS certificate to keep the e-mail secure and encrypted. What is the command to make SMTP transmit email over TLS? A. FORCETLS B. STARTTLS C. UPGRADETLS D. OPPORTUNISTICTLS

B StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL. StartTLS is used with SMTP and IMAP, while POP3 uses the slightly different command for encryption, STLS.

Module 11 Session Hijacking You visit a vendor’s site and they give you a tour of their facility. To access their data center, they must type a phrase using a keyboard. The system identifies individual employees by the way they actually type on the keyboard. After this, the user must also swipe their RFID badge. To open the data center, both identifications are required. What could you say about this method? A. Biological motion cannot be used to identify people. B. Although the approach has two phases, it actually implements just one authentication factor. C. The solution implements the two authentication factors: physical object and physical characteristic. D. The solution will have a high level of false positives

Module 11 Session Hijacking While doing research on biometric access-control systems, you see information about processing speed. What does the term “processing” mean in this context? A. The amount of time it takes to be either accepted or rejected from when an individual provides identification and authentication information B. The amount of time it takes to convert biometrics data into a template on a smart card C. The amount of time and resources that are necessary to maintain a biometric system D. How long it takes to set up individual user accounts

Module 11 Session Hijacking IPSec is a suite of protocols that does all of the following except.. A. Authenticate B. Protect the payload and the headers C. Work at the Data Link layer D. Encrypt

C IPSec can work in either AH mode or ESP mode. In the older AH mode, it authenticates the sender and provides an integrity check for the data. ESP mode does all of this, but also adds encryption to the mix to protect the payload as well as the headers (if it’s in Tunnel mode).

Module 11 Session Hijacking If you want to use IPSec within your LAN, and you want to assure the confidentiality of the data being transmitted, which mode should you use? A. ESP transport mode B. ESP confidential C. AH Tunnel mode D. AH permiscuous

A Transport Mode is a method of sending data over the Internet where the data is encrypted but the original IP address information is not. The Encapsulating Security Payload (ESP) operates in Transport Mode or Tunnel Mode. In Transport Mode, ESP encrypts the data but the IP header information is viewable.

Module 11 Session Hijacking Which technique would you use to send files securely through a remote connection? A. DMZ B. VPN C. SMB signing D. Switch network

Module 11 Session Hijacking Your large company wants to implement biometric authentication. Which of these is the LEAST likely physical attribute to use for this? A. Fingerprints B. Height and Weight C. Voice D. Iris patterns

Module 11 Session Hijacking While at a public location, a VPN is a great tool to prevent someone from sniffing your traffic. If you did not use a VPN, which of these techniques would strongly indicate that someone is performing an ARP spoofing attack on your computer in order to sniff your traffic? A. You cannot identify such an attack and must use a VPN to protect your traffic. B. You should use netstat to check for any suspicious connections with another IP address within the LAN. C. You should scan the network using Nmap to check the MAC addresses of all the hosts and look for duplicates. D. You should check your ARP table and see if there is one IP address with two different MAC addresses.

D This one comes down to remembering the subtle differences between ARP poisoning and ARP/MAC flooding. With ARP poisoning (spoofing), the attacker spoofs his/her IP address to appear to be the same as the Default Gateway (for example), using his/her own MAC address. Thus, conceptually, there would appear to be 1 IP with 2 different MAC addresses.

Module 11 Session Hijacking An example of two-factor authentication would be using a smart-card and a PIN number that goes along with it. Which types of authentication factors does this utilize? A. Something you have and something you are B. Something you know and something you are C. Something you have and something you know D. Something you are something you remember

Module 11 Session Hijacking In order to test the security of your web app, you need a tool that lets you hijack a session between client and server. The tool needs to include an intercept proxy that can intercept, inspect, and modify the traffic between the browser and the app. Which tool should you use? A. Nmap B. CxSAST C. Burp Suite D. Wireshark

C Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

Module 11 Session Hijacking Which of these tools would allow you to perform ARP poisoning and to intercept messages intended for another machine? A. Wireshark B. BetterCAP C. Gobbler D. DerpNSpoof

B Wireshark is a protocol analyzer but does not allow you to perform attacks like ARP poisoning. Gobbler is a DHCP starvation attack tool. DerpNSpoof is a DNS poisoning tool (look at the capital letters). BetterCAP is an ARP poisoning tool and can allow you to intercept traffic, do session hijacking, steal/modify/block data, and more.

Module 11 Session Hijacking Which layer-3 protocol would give you end-to-end encryption for FTP traffic? A. FTPS B. SFTP C. SSL D. IPSec

D First of all, there is only one layer-3 protocol listed here, which is IPSec. If it has “IP” in the name, it’s probably layer 3! Secondly, there are many ways to secure any type of traffic, including FTP. While IPSec is most commonly used to secure VPN traffic, it has many other uses. You can create an IPSec tunnel to securely transmit your FTP traffic.

Module 12 Evading IDS, Firewalls, and Honeypots Which of the following types of firewall only inspects header information in network traffic? A. Packet filter B. Stateful inspection C. Circuit-level gateway D. Application-level gateway

Module 12 Evading IDS, Firewalls, and Honeypots You want to send Bob an e-mail and make sure it’s encrypted so only he can read it. At what layer of the OSI model does encryption and decryption of e-mails take place? A. Application B. Presentation C. Session D. Transport

B File encryption and, in this case, e-mail encryption, takes place at layer-6 or the Presentation Layer.

Module 12 Evading IDS, Firewalls, and Honeypots Which type of tool would allow you to monitor all network traffic for malicious behavior, and send you an alert when it finds some? A. Firewall B. Proxy C. Network-based IDS D. Host-based IDS

Module 12 Evading IDS, Firewalls, and Honeypots You logged in to your corporate firewall to do some work, but the IDS logged your activity as an attack. How would you categorize the alert? A. False positive B. False negative C. True positive D. True negative

Module 12 Evading IDS, Firewalls, and Honeypots What can you infer if you send a TCP ACK segment to a known closed port on a firewall, but it does not respond with a RST? A. This event does not tell you anything about the firewall B. There is no firewall in place C. It is a stateful firewall D. It is a non-stateful firewall

C If you know the port is *closed* (not open, not filtered/blocked), then a stateless firewall would allow that packet in, but then it would respond with a RST. A stateful firewall, on the other hand, only allows traffic past if it’s part of an established conversation (only allow traffic past if we asked for it). Since you got no response (no RST), it must not have allowed that packet in, thus we infer it’s a stateful firewall.

Module 12 Evading IDS, Firewalls, and Honeypots Which type of IDS would be best suited to meet these requirements? - Monitors system activities - Verifies success or failure of an attack - Detects attacks that a network based IDS fails to detect - Near real time detection and response - Does not require additional hardware - Lower entry cost A. Network based IDS B. Open source based IDS C. Host based IDS D. Gateway based IDS

Module 12 Evading IDS, Firewalls, and Honeypots Which TWO types of detection methods are employed by Network Intrusion Detection Systems (NIDS)? A. Signature B. Anomaly C. Passive D. Reactive

Module 12 Evading IDS, Firewalls, and Honeypots Admin Alice accessed the company’s external router to change a setting in the configuration file. As she did this, she got an alert from the IDS about her activity. Which type of alert was this? A. True positive B. True negative C. False positive D. False negative

Module 12 Evading IDS, Firewalls, and Honeypots Which of these can emulate corporate servers to observe logins and action taken? A. Firewall B. Honeypot C. Core server D. Layer 4 switch

Module 12 Evading IDS, Firewalls, and Honeypots What kind of firewall checks to make sure that incoming packets are part of an established session? A. Circuit-level firewall B. Application-level firewall C. Switch-level firewall D. Stateful inspection firewall

Module 12 Evading IDS, Firewalls, and Honeypots Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this? A. Use HTTP Tunneling B. Use Proxy Chaining C. Use TOR Network D. Use Reverse Chaining

Module 12 Evading IDS, Firewalls, and Honeypots What’s the BEST reason to implement a DMZ on your network? A. To contain the network devices you want to protect B. To provide a place to put the honeypot C. To only provide direct access to nodes within the DMZ and protect the network behind it D. To scan all traffic coming through the DMZ to the internal network

Module 12 Evading IDS, Firewalls, and Honeypots Which type of system could generate an alert when any computer sends “many” packets based on the typical number of packets sent by all your computers, and using some defined threshold values? A. A behavior-based IDS B. A hybrid IDS C. A signature-based IDS D. Just a network monitoring tool

Module 12 Evading IDS, Firewalls, and Honeypots Which of these methods would NOT be an effective way for your custom-made Trojan to evade corporate anti-virus scanners? A. Convert the Trojan.exe file extension to Trojan.txt disguising as text file B. Break the Trojan into multiple smaller files and zip the individual pieces C. Change the content of the Trojan using hex editor and modify the checksum D. Encrypt the Trojan using multiple algorithms like 3DES and AES

Module 12 Evading IDS, Firewalls, and Honeypots To help explain the difference between a signature-based IDS and an Anomaly-based IDS, you could say that the Anomaly-based IDS can.. A. Identify unknown attacks B. Cannot deal with encrypted network traffic C. Requires vendor updates for new threats D. Produces less false positives

Module 12 Evading IDS, Firewalls, and Honeypots Which type of Intrusion Detection System should be used to observe network segments in large environments? A. Host-based Intrusion Detection System (HIDS) B. Firewall C. Honeypot D. Network-based Intrusion Detection System (NIDS)

D A Network-based intrusion detection system (NIDS) is the most suitable Intrusion Detection System for large environments where critical assets on the network need extra security, as it monitors and analyzes the entire network's traffic and alerts administrators in case of possible breaches.

Module 12 Evading IDS, Firewalls, and Honeypots Which port number does the NSTX tool use to exfiltrate data past your firewall via DNS tunneling? A. 80 B. 50 C. 23 D. 53

Module 12 Evading IDS, Firewalls, and Honeypots Which firewall rule would ensure devices on the 192.168.5.0/24 network can only reach a website at 10.10.5.10 using https? A. if (source matches 192.168.5.0/24 and destination matches 10.10.5.10 and port matches 443) then permit B. if (source matches 192.168.5.0/24 and destination matches 10.10.5.10 and port matches 80 or 443) then permit C. If (source matches 10.10.5.10 and destination matches 192.168.5.0/24 and port matches 443) then permit D. If (sources matches 192.168.5.0 and destination matches 10.10.5.10 and port matches 443) then permit

Module 12 Evading IDS, Firewalls, and Honeypots A hacker has been attacking your network. You find that your IDS wasn’t configured correctly and couldn’t notify you about the attacks. Which type of alert is the IDS giving? A. True positives B. True negatives C. False positives D. False negatives

Module 12 Evading IDS, Firewalls, and Honeypots This IDS defeating technique works by splitting a datagram (or packet) into a continuous stream of multiple (small) fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Routing or Packet Dropping B. IDS Spoofing or Session Assembly C. IP Fragmentation or Session Splicing D. IP Splicing or Packet Reassembly

Module 12 Evading IDS, Firewalls, and Honeypots One advantage of an application-level firewall is the ability to.. A. filter packets at the network level. B. filter specific commands, such as http:post. C. retain state information for each packet. D. monitor tcp handshaking.

Module 12 Evading IDS, Firewalls, and Honeypots Which of the following is a very common IDS evasion technique? A. Spyware B. Port knocking C. Unicode characters D. Subnetting

C Unicode is an international encoding standard for use with different languages and scripts, by which each letter, digit, or symbol is assigned a unique numeric value that applies across different platforms and programs. An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. An adversary using the Unicode character could encode attack packets that an IDS would not recognize but that an IIS web server would decode and become attacked.

Module 12 Evading IDS, Firewalls, and Honeypots Which type of scanning technique splits the TCP header into many packets so that it becomes hard for network monitoring devices to figure out what the packets are meant for? A. Ack flag scanning B. IP fragment scanning C. TCP scanning D. Inverse TCP flag scanning

Module 12 Evading IDS, Firewalls, and Honeypots Hacker Joe tries to send IRC traffic out of the company over TCP port 80. This traffic gets blocked, however, HTTP traffic is allowed out through the firewall. What type of firewall is inspecting this traffic? A. Circuit B. Stateful C. Application D. Packet Filtering

C If both IRC and HTTP are using port 80, but the IRC is blocked and HTTP allowed, something must be inspecting the payload itself and not just the port numbers. An Application-layer (layer 7) firewall can do this.

Module 12 Evading IDS, Firewalls, and Honeypots Your junior admin states that your company doesn’t need a DMZ if the firewall is configured to only allow access to servers and ports that can have direct internet access, and access to workstations is blocked. He says that a DMZ is only needed when a stateful firewall is used, and since your company only uses a stateless firewall, you don’t need a DMZ. Which is the true statement here: A. He is completely wrong. A DMZ is always relevant when the company has internet servers and workstations. B. He is partially right. You don’t need to separate networks if you can create rules by destination IP’s, one by one. C. He is partially right. DMZ does not make sense when a stateless firewall is available. D. He can be right since a DMZ does not make sense when combined with stateless firewalls.

A Your junior admin needs more training. ANY time you let outside traffic in, you restrict it to the DMZ only. For example, if you employ answer B and only allow outside traffic to one IP, what if that server gets compromised? The attacker could then pivot and attack the rest of the network. By restricting outside traffic to the DMZ only, any compromise can’t reach the internal LAN.

Module 12 Evading IDS, Firewalls, and Honeypots Hacker Joe encoded his malware with Unicode characters. Your IDS couldn’t recognize those packets, but your webserver was able to decode and run the malware. What’s the name of the method Joe used to evade your IDS? A. Session splicing B. Urgency flag C. Desynchronization D. Obfuscating

Module 12 Evading IDS, Firewalls, and Honeypots Admin Alice installed an isolated server to attract attackers. Her intention is to prevent the attacker from accessing her critical systems, while at the same time recording information about the attacker. Which of these is being described here? A. Firewall B. Botnet C. Intrusion Detection System (IDS) D. Honeypot

Module 12 Evading IDS, Firewalls, and Honeypots In which type of system would have a configuration file containing a rule like this: alert tcp any any -> 10.10.5.0/24 23 (msg: “Telnet in use!";) A. FTP Server rule B. An Intrusion Detection System C. A router IPTable D. A firewall IPTable

Module 12 Evading IDS, Firewalls, and Honeypots Which of the following identifies the three modes in which Snort can be configured to run? A. Sniffer, Packet Logger, and Network Intrusion Detection System B. Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System C. Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System D. Sniffer, Packet Logger, and Host Intrusion Prevention System

Module 12 Evading IDS, Firewalls, and Honeypots Study the snort rule given below and interpret the rule. When would an alert be generated? alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg "mountd access";) A. When a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111 B. When any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet C. When a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet D. When a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

Module 12 Evading IDS, Firewalls, and Honeypots Your development team just created a new web application for customers that needs three different servers to operate: a web server, and application server, and a database server. Where should you place these servers? A. All 3 servers should be placed internally. B. All three servers should face the internet so they can communicate between themselves. C. The web and database server facing the internet, and the app server on the internal network. D. The web server facing the internet, and the application and database servers on the internal network.

D Only the web server should be accessible from the internet (place it in the DMZ). From there the server itself can access the internal app & DB servers, but no direct contact should be allowed from internet customers to the app & DB servers.

Module 12 Evading IDS, Firewalls, and Honeypots Which of these tools can evade an IDS by performing session-splicing (fragmenting the data to make it difficult for an IDS to detect)? A. Burp B. Hydra C. Tcpsplice D. Whisker

Module 12 Evading IDS, Firewalls, and Honeypots What is the minimum number of network connections for a multihomed firewall? A. 2 B. 3 C. 4 D. 5

Module 12 Evading IDS, Firewalls, and Honeypots What is it called when you have one DNS server on your LAN for employees, and another DNS server in your DMZ for outside access? A. DNSSEC B. DNS Scheme C. DynDNS D. Split DNS

Module 12 Evading IDS, Firewalls, and Honeypots What does a firewall inspect to stop specific ports and programs from sending traffic in to your company? A. Application layer port numbers and the transport layer headers B. Network layer headers and the session layer port numbers C. Presentation layer headers and the session layer port numbers D. Transport layer port numbers and the application layer headers

Module 12 Evading IDS, Firewalls, and Honeypots The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred? A. The Gateway and the computer are not on the same network B. The computer is not using a private IP address C. The computer is using an invalid IP address D. The gateway is not routing to a public IP address

D The 192.168.1.0/24 address block is a Private address block and without a public IP assigned to the host (normally via DHCP) it will be unable to route traffic to the interne

Module 12 Evading IDS, Firewalls, and Honeypots BigCorp is a large company and has a huge data center full of Linux servers. The perimeter of the data center is secured with IPS and firewalls. Which of these is the best security policy for this setup? A. The operator knows that attacks and downtime are inevitable and should have a backup site. B. As long as the physical access to the network elements is restricted, there is no need for additional measures. C. Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed. D. There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.

Module 12 Evading IDS, Firewalls, and Honeypots In which type of honeypot detection would you use a time-based TCP fingerprinting method to compare the response from a normal PC, and the response of a honeypot, to a manual SYN request packet? A. Detecting honeypots running on Vmware B. Detecting the presence of Snort_inline honeypots C. Detecting the presence of Sebek-based honeypots D. Detecting the presence of Honeyd honeypots

D Honeyd is a widely used honeypot daemon. A big indicator that’s what you’re talking to is by doing the following: Send a manual Syn flag to the target. You’ll get a SYN/ACK back. A normal computer will re-send the SYN/ACK if it doesn’t get the final ACK in a timely manner. A Honeyd honeypot will *not* re-send!

Module 13 Hacking Web Servers Which is the best description of web server footprinting? A. When an attacker creates a complete profile of the site’s external links and file structure B. When an attacker implements a vulnerability scanner to identify weaknesses C. When an attacker gathers system-level data, including account details and server names D. When an attacker uses a brute-force attack to crack a web-server password

Module 13 Hacking Web Servers Hacker Joe wants to search for vulnerabilities on your website. He copied your entire site and its contents to his own machine. This included the site’s directory structure, file structure, external links, images, pages, etc. He is doing this to explore the data and to gain valuable information about the site. Which attack technique is Hacker Joe employing here? A. Session hijacking B. Web cache poisoning C. Website defacement D. Website mirroring

Module 13 Hacking Web Servers Hacker Joe want’s to target one of EvilCorp’s back-end servers, but it’s protected by a firewall. To bypass the firewall, he attacks the public webserver. He used the following URL to begin his attack: https://evilcorp.com/feed.php?url=differentsite.com/feed He then altered the URL to view local resources on that “differentsite.com” server. What type of attack was performed here? A. Web cache poisoning attack B. Web server misconfiguration C. Server-side request forgery (SSRF) attack D. Website defacement

C Server-side request forgery is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems. This could leak sensitive data, such as authorization credentials.

Module 13 Hacking Web Servers Hacker Joe is trying to footprint your website. Which of these would be a rich file that could give him clues as to the structure of the site? A. index.html B. Document root C. Robots.txt D. Domain.txt

C A robots.txt file tells search engine crawlers which URLs the crawler can access on your site. This is used mainly to avoid overloading your site with requests; it is not a mechanism for keeping a web page out of Google.

Module 13 Hacking Web Servers Which of these is a common configuration file on a webserver that contains the setting to turn on/off verbose error messages? A. httpd.conf B. php.ini C. administration.config D. idq.dll

Module 13 Hacking Web Servers How can telnet be used to fingerprint a web server? A. telnet webserverAddress 80 HEAD / HTTP/1.0 B. telnet webserverAddress 80 PUT / HTTP/1.0 C. telnet webserverAddress 80 HEAD / HTTP/2.0 D. telnet webserverAddress 80 PUT / HTTP/2.0

A HEAD – The HEAD request type only returns the header information and not the actual body of the webpage. This command is useful when you are not interested in returning the body of the page. GET – In contrast to the last command GET return both the head as well as the body.

Module 13 Hacking Web Servers Which of these would be best to secure the user accounts on your web server? A. Limit the administrator or root-level access to the minimum number of users B. Enable all non-interactive accounts that should exist but do not require interactive login C. Enable unused default user accounts created during the installation of an OS D. Retain all unused modules and application extensions

Module 13 Hacking Web Servers Your WordPress-based website was hacked. After researching the incident, the analyst discovers that there was a vulnerability in your version of WordPress, and that a fix had been available for six months prior to the incident. Which of your security processes needs to be improved here? A. Patch management B. Vendor risk management C. Security awareness training D. Software Development Life Cycle (SDLC)

Module 13 Hacking Web Servers You want to discover how much info can be obtained from your public web server. You telnet to port 80 on the server and get this output: HTTP/1.1 200 OK Server: Microsoft-IIS/5 Expires: Wed, 24 March 2010 02:15:22 EST Date: Fri, 12 June 2009 09:30:15 EST Content-Type: text/html Last-Modified: Tues, 12 May 2009 11:11:44 GMT Which one of these did you perform here? A. Cross-site scripting B. Banner grabbing C. SQL injection D. Whois database query

Module 13 Hacking Web Servers A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? A. Directory traversal B. Brute force login C. File system permissions D. Privilege escalation

Module 13 Hacking Web Servers You are able to enumerate usernames from the login page of a web application. The app asks you to enter some data, and if you supply the wrong credentials, it tells you which field you had incorrect. Which design flaw are you exploiting in this scenario? A. User impersonation B. Verbose failure messages C. Password reset mechanism D. Insecure transmission of credentials

B When you enter the wrong credentials to log-in to an application, it should *not* tell you whether you had the username wrong, or the password wrong! If it does, then you could just keep entering usernames to see which are valid, and which are invalid. Doing that would let you enumerate the valid usernames. In this scenario, the “failure messages” were too verbose. Instead, the app should just use the generic message “incorrect username or password”.

Module 13 Hacking Web Servers Why should you remove or disable unnecessary ISAPI filters? A. To defend against jailbreaking B. To defend against social engineering attacks C. To defend against wireless attacks D. To defend against webserver attacks

D ISAPI filters are DLL files that can modify incoming or outgoing data to a Microsoft IIS webserver. Among other things, they can sanitize incoming data to protect against many common threats. Be sure to disable unnecessary ISAPI filters though because some of the default filters have known vulnerabilities.

Module 14 Hacking Web Applications The Open Web Application Security Project (OWASP) is a community-driven effort to improve the security of web applications. What is the top item on their 2021 Top Ten most critical web security risks? A. Injection B. Cross Site Request Forgery C. Cross Site Scripting D. Broken Access Control

Module 14 Hacking Web Applications The command-line tool wget is used for retrieving files and info from websites. Using the following syntax against a target web server, what does this command do? wget 145.146.50.60 -q -S A. Downloads all the contents of the web page locally for further examination B. Performing content enumeration on the web server to discover hidden folders C. Flooding the web server with requests to perform a DoS attack D. Using wget to perform banner grabbing on the webserver

D With the wget command, the -q switch is “quiet” which turns off the screen output (makes it *not* verbose), and the -S switch is to grab the page’s header or banner information.

Module 14 Hacking Web Applications Which type of attack is it where the hacker targets websites frequently visited by his/her victim, injects malware in the site, then waits for the victim to visit that site and become infected? A. Watering hole attack B. DNS rebinding attack C. MarioNET attack D. Clickjacking attack

A A watering hole attack is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site. The end goal is to infect the user's computer with malware and gain access to the organization's network.

Module 14 Hacking Web Applications Which of these is a proxy tool that will let you intercept, test, and analyze your own web traffic in order to help you find vulnerabilities in web apps? A. Proxychains B. Dimitry C. Maskgen D. Burpsuite

D Burp Suite is a Java application that can be used to secure or penetrate web applications. The suite consists of different tools, such as a proxy server, a web spider, intruder and repeater.

Module 14 Hacking Web Applications What is the common name for vulnerability disclosure programs created by companies to find problems and vulnerabilities on their platforms? A. Bug bounty program B. Ethical hacking program C. Vulnerability hunting program D. White-hat hacking program

Module 14 Hacking Web Applications A common web site flaw allows users to provide data onto a web site, then displays that content to other users in an un-sanitized form. Which attack takes advantage of this? A. URL Traversal attack B. SQL Injection C. Cross-site-scripting attack D. Buffer Overflow attack

C Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

Module 14 Hacking Web Applications An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the purchase price? A. By using SQL injection B. By changing hidden form values C. By using cross site scripting D. By utilizing a buffer overflow attack

Module 14 Hacking Web Applications Web-developer Dan wants his web API to update other apps with constantly changing information from his app. He creates a user-defined HTTP callback (push API) that triggers when certain events happen. When triggered, it supplies data to other applications so that users will always have the latest real-time information from his app. Name this technique: A. SOAP API B. Webhooks C. REST API D. Web shells

B A webhook is an HTTP request, triggered by an event in a source system and sent to a destination system, often with a payload of data. Webhooks are automated, in other words they are automatically sent out when their event is fired in the source system.

Module 14 Hacking Web Applications What type of attack will take advantage of a flaw in a web page to force other user’s browsers to send malicious requests they didn’t intend to send? A. File injection attack B. Hidden field manipulation attack C. SQL Injection attack (SQLi) D. Cross-Site Request Forgery (CSRF)

D Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Module 14 Hacking Web Applications How do you perform a CSPP attack (Connection String Parameter Pollution)? A. Injecting parameters into a connection string using semicolons as a separator B. Inserting malicious Javascript code into input parameters C. Setting a user's session identifier (SID) to an explicit known value D. Adding multiple parameters with the same name in HTTP requests

A Connection string parameter pollution (CSPP) is a problem that can be found in many ethical hacking engagements. It refers to the practice of using more than one connection string for a given target or exploit. A compromised system may have multiple connections open, allowing an attacker access to files and systems across organizations by exploiting vulnerabilities in any of those connected applications. Because PHP-FPM is used as the web server engine on many websites, it has been targeted numerous times by attackers looking for CSSP opportunities.

Module 14 Hacking Web Applications What is it called when you can type into a web page, and afterwards a pop-up box appears on the screen with the text: “Gotchya, sucka!”? A. Buffer overflow B. Cross-site request forgery C. Distributed denial of service D. Cross-site scripting

Module 14 Hacking Web Applications Using the Gobuster tool, which of these techniques would be the fastest way to enumerate content on a webserver? (pick two) A. Skipping SSL certificate verification B. Performing content enumeration using the bruteforce mode and 10 threads C. Performing content enumeration using a wordlist D. Performing content enumeration using the bruteforce mode and random file extensions

BC Answers B and C are both correct on this one. With Gobuster, you do directory and file brute-forcing with a wordlist, and 10 threads is the default. If you chose either answer here you are correct.

Module 14 Hacking Web Applications Which software testing technique sends random data to a program in an attempt to crash it? A. Randomizing B. Fuzzing C. Bounding D. Mutating

Module 14 Hacking Web Applications Which webserver attack uses strings like ../../ to move to folders higher-up in the server’s directory structure? A. Directory traversal B. SQL injection C. Cross-site scripting D. Denial of service

Module 14 Hacking Web Applications Your website can auto-generate content using SSI (ssi) directives. Unfortunately, this can lead to a vulnerability that accepts remote user inputs and uses them on the web page. A hacker could then pass malicious SSI directives and modify and/or erase server files. Which type of injection attack is this? A. Server-side includes injection B. Server-side JS injection C. Server-side template injection D. CRLF injection

A Server-Side Includes (SSI) are directives on a web application that allows the contents of files to be automatically loaded into a web page. Examples include headers, footers, logos, navigation menus, etc. Unfortunately, this is susceptible to malicious user input, which is why (once again) we need Input Validation!

Module 14 Hacking Web Applications Which of these web services components can maintain the integrity and confidentiality of SOAP (Simple Object Access Protocol) messages. A. WSDL B. WS-Policy C. WS-Security D. WS-Work Processes

C SOAP is a protocol for transferring data between different web services. WS-Security (Web Services-Security) is the component that encrypts the SOAP messages between different web applications, and is often used for transmitting user credentials to authenticate users.

Module 14 Hacking Web Applications Which of these web-page file types, if it exists on the server, would strongly indicate that the webserver is vulnerable to a Server-Side Includes attack? A. .html B. .rss C. .cms D. .stm

D A .stm file is an html file that contains server-side includes. The .shtm and .shtml are two more types that could also be vulnerable to this type of attack.

Module 14 Hacking Web Applications Which automated vulnerability scanner would be best suited to scanning a web server for info such as vulnerabilities, misconfigurations, hosts, and services running on the server? A. Netsparker B. Infoga C. WebCopier Pro D. Ncollector Studio

A Netsparker is an automated, yet fully configurable, web application security scanner that enables you to scan websites, web applications and web services, to identify security flaws. Infoga is a tool for gathering e-mail account information from public sources. WebCopier Pro and Ncollector Studio are tools for mirroring an entire website. While that can be useful for searching for vulnerabilities on the site, they are not, in themselves, vulnerability scanners.

Module 14 Hacking Web Applications What type of firewall could protect against a SQL injection attack? A. Web application firewall B. Stateful firewall C. Data-driven firewall D. Packet firewall

A One of the most effective ways to minimize the chances of successful SQL injection is by using a web application firewall (WAF)

Module 14 Hacking Web Applications Hacker Joe entered this code into your company web-page: ]> Which type of attack is he attempting here? A. SQLi B. XXE C. XXS D. IDOR

B This is an XML External Entity (XXE) attack, which is #4 on the OWASP top 10 list. It’s basically a Server-Side Request Forgery (SSRF) attack that can occur when a webserver is not doing input validation against incoming XML input. This attack allows the attacker to access protected files and services from servers or connected networks. In the scenario above, Hacker Joe is trying to get the password file from a Linux machine. The clues to look for in this type of question are the DOCTYPE and ENTITY keywords. These are XML terms and are a big hint that you’re looing at an XXE attack.

Module 14 Hacking Web Applications While doing online banking your URL bar has this string: “http://www.Bank.com/account?id=11256&Xamount=5265&Yamount=98” You do some testing and figure out that if you alter the Xamount and Yamount values, the web page reflects the changes. Which of these vulnerabilities does this web site have? A. Web parameter tampering B. SQL injection C. XSS reflection D. Cookie tampering

Module 14 Hacking Web Applications In which type of attack does an attacker exploit vulnerabilities in dynamically generated web pages to inject client-side scripts into pages viewed by other users? A. Cross-Site Request Forgery (CSRF) B. SQL injection attack C. LDAP injection attack D. Cross-Site Scripting (XSS)

Module 14 Hacking Web Applications What type of attack is this? Char buff[20] buff[20]=‘x’; A. CSRF B. SQL injection C. XSS D. Buffer overflow

D The first line makes a character-based array of variables called “buff”, which should hold 20 values. These values start at “index” number 0 and goes up to number 19 (0-19 is 20 values). The second line tries to put the value ‘x’ in index number 20, but there is no such position. This is attempting overflow that memory buffer, which could cause problems on the target machine.

Module 14 Hacking Web Applications Which of these is a web application security scanner that can automate web-app security testing to find flaws such as XSS, directory traversal, fault injection, SQLi, and other vulnerabilities? A. Cisco ASA B. AlienVault OSSIM C. Salea Logic Analyzer D. Syhunt Hybrid

D The Syhunt Hybrid scanner automates web application security testing and guards the organization’s web infrastructure against web application security threats. Syhunt Hybrid dynamically crawls websites and detects XSS, directory traversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks.

Module 14 Hacking Web Applications In one type of an attack, the hacker sends the victim to a website that contains an interesting looking URL with a link to some funny internet memes. Unknown to the victim, the hacker has created a transparent ‘iframe’ in front of the URL. The victim tries to click the URL, but he is really just clicking the content or URL in the transparent iframe instead. Which type of attack is this? A. HTTP parameter pollution B. HTML injection C. Clickjacking attack D. Session fixation

Module 15 SQL Injection Which is the best description of a “Blind” SQL Injection vulnerability? A. The request to the web server is not visible to the administrator of the vulnerable application. B. The attack is called “Blind” because, although the application properly filters user input, it is still vulnerable to code injection. C. The successful attack does not show an error message to the administrator of the affected application. D. The vulnerable application does not display errors with information about the injection results to the attacker.

Module 15 SQL Injection You want to do an SQL injection attack where 1) you test the response time of a true or false response, and 2) you want to know whether the database will return a true or false result for user ID’s. Which answer lists these 2 types of injection attacks in the proper order? A. Time-based and boolean-based B. Out of band and boolean-based C. Union-based and error based D. Time-based and union based

A Time-based Injection: This type of SQL injection involves introducing a delay in the SQL query's execution to observe if there's a delay in the server's response. By injecting malicious code that causes a delay, the attacker can infer whether a true condition is met or not based on the delay in the server's response. If the response time is significantly different, it can indicate the success of the injected condition. Union-based Injection: Union-based injection involves exploiting SQL queries that use the UNION SQL operator to combine results from multiple SELECT statements. By injecting a crafted UNION query, the attacker can combine their own query results with the original query's results. This can help the attacker retrieve additional data or test conditions based on the structure of the query.

Module 15 SQL Injection You want to attack a Microsoft SQL server that is vulnerable to injection attacks. On the app’s login page, you enter this info: Username: Bob’ or 1=1 -- Password: Football Which SQL command will be executed by the server? A. Select * from Users where Username=‘Bob’ ‘or 1=1 -- and Password=‘Football’ B. Select * from Users where Username=‘Bob or 1=1 -- and Password=‘Football’ C. Select * from Users where Username=‘Bob’ or 1=1 -- and Password=‘Football’ D. Select * from Users where Username=‘Bob’ or 1=1 --’ and Password=‘Football’

Module 15 SQL Injection Which HTTP request includes a SQL injection attack? A. http://www.corpco.c0m/search.asp? lname=jones%27%3bupdate%20usertable%20set%20passwd%3d%27baseball%27%3b--%00 B. http://www.corpco.c0m/script.php? mydata=%3cscript%20src=%22 C. http%3a%2f%2fwww.acmecorp.c0m% 2fbadscript.js%22%3e%3c%2fscript%3e D. http://www.kleegin.com/ExampleAccountno =67891&credit=999999999

Module 15 SQL Injection Which of the following is used to indicate a single line comment in structured query language (SQL)? A. -- B. %% C. “ D. #

Module 15 SQL Injection A customer is prompted to enter his first and last name into a field on a web page. The query created would then look like this: SELECT * FROM CustTable WHERE Customer = ‘Bob Smith' How would you delete CustTable from the database using SQL Injection? A. Bob Smith'; drop table CustTable -- B. Delete table'blah'; CustTable -- C. EXEC; SELECT * CustTable > DROP -- D. cmdshell'; 'del c:\sql\mydb\CustTable' //

Module 15 SQL Injection What does this command do? Sqlmap.py -u “http://www.moviescope.com/?p=1&forumaction=search” --dbs A. Searches database statements at the IP address given B. Creates backdoors using SQL injection C. Enumerates the databases in the DBMS for the URL D. Retrieves SQL statements being executed on the database

Module 15 SQL Injection Which IDS signature-evasion technique would attempt a SQL injection on a website by replacing a basic injection statement such as “’ or 1=1” with something like “‘ or ‘1’=‘1’”? A. IP fragmentation B. Null byte C. Char encoding D. Variation

Module 15 SQL Injection Which type of SQL injection attack allows an attacker to add to the original query to run two or more statements if they have the same structure as the original one? A. Union SQL injection B. Boolean-based blind SQL injection C. Blind SQL injection D. Error-based injection

Module 15 SQL Injection What is it called when you perform a SQL injection attack, but you can’t see the results? A. Unique SQL Injection B. Blind SQL Injection C. Generic SQL Injection D. Double SQL Injection

Module 15 SQL Injection Which type of SQLi (SQL injection) attack takes advantage of a database server’s ability to make DNS requests to send data to an attacker’s machine? A. Union-based SQLi B. Out-of-band SQLi C. In-band SQLi D. Time-based SQLi

Module 15 SQL Injection In order to protect your company website from SQL injection attacks, you want to employ a defensive strategy where you will only accept input if it’s on a list of approved entries, such as data type, range, size, and value. What is this strategy called? A. Enforce least privilege B. Output encoding C. Whitelist validation D. Blacklist validation

C Whitelist Validation, Whitelist validation is a best practice whereby only the list of entities (i.e., data type, range, size, value, etc.) that have been approved for secured access is accepted. Whitelist validation can also be termed as positive validation or inclusion.

Module 15 SQL Injection Hacker Joe attacks a web page by entering unexpected data on the logon page. He then gains access to the database and displays the contents of the table that has usernames and passwords of other users. What is the problem here? A. Insufficient security management B. Insufficient exception handling C. Insufficient database hardening D. Insufficient input validation

Module 16 Hacking Wireless Networks Which hacking process involves driving around in a car while using a laptop to find wireless networks? A. Spectrum analysis B. GPS mapping C. Wardriving D. Wireless sniffing

C Wardriving is a method of hacking that can allow unauthorized users to gain access to a Wi-Fi network.

Module 16 Hacking Wireless Networks How would you make your WiFi network undiscoverable and only accessible to your authorized employees? A. Remove all passwords B. Delete the wireless network C. Lock all users D. Disable SSID broadcasting

Module 16 Hacking Wireless Networks Which device can locate a rogue access point? A. WIPS B. WISS C. NIDS D. HIDS

A A wireless intrusion prevention system (WIPS) is a dedicated security device or integrated software application that monitors a wireless LAN network's radio spectrum for rogue access points and other wireless threats.

Module 16 Hacking Wireless Networks Which of these are encryption vulnerabilities found in WPA3 that can be exploited? A. Key reinstallation attack B. Dragonblood C. AP misconfiguration D. Cross-site request forgery

B DragonBlood attack The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups.

Module 16 Hacking Wireless Networks Which wireless encryption protocol was designed to mimic wired encryption? A. RADIUS B. TACACS+ C. WPA D. WPA2 E. WEP F. WPA3

E Wired Equivalent Privacy (WEP)

Module 16 Hacking Wireless Networks What type of encryption does WPA2 use? A. DES 64 bit B. AES-CCMP 128 bit C. MD5 48 bit D. SHA 160 bit

Module 16 Hacking Wireless Networks Hacker Joe sets up a fake wireless communications tower between his victim and the real tower. He then interrupts the data transmission between the victim and the authentic tower, in an attempt to hijack his active session. Next, he manipulates the traffic to redirect the victim to a malicious website. Which attack has Hacker Joe performed here? A. KRACK Attack B. Jamming Signal Attack C. Wardriving D. aLTEr Attack

D The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext.

Module 16 Hacking Wireless Networks Hacker Joe uses a WiFi Pineapple as an access point. He uses the same SSID as the business next door, in an attempt to capture the wireless password. Which type of attack is he performing here? A. War driving attack B. Phishing attack C. MAC spoofing attack D. Evil-twin attack

D An evil twin attack takes place when an attacker sets up a fake Wi-Fi access point hoping that users will connect to it instead of a legitimate one. When users connect to this access point, all the data they share with the network passes through a server controlled by the attacker. An attacker can create an evil twin with a smartphone or other internet-capable device and some readily available software. Evil twin attacks are more common on public Wi-Fi networks which are unsecured and leave your personal data vulnerable.

Module 16 Hacking Wireless Networks Which of these protocols would you use for short-range (100 meters maximum) wireless communications that would transfer data infrequently, at slower speeds, and within a restricted area of your building? A. Zigbee B. MQTT C. NB-IoT D. LPWAN

Module 16 Hacking Wireless Networks Your WiFi router has a long, complex password set. Some visitors connect to your wireless network, but did not need to enter a password. Which of these attacks has most likely happened in this scenario? A. Piggybacking B. Evil Twin C. Wardriving D. Wireless sniffing

Module 16 Hacking Wireless Networks Which of these Bluetooth attacks steals information using a wireless device’s Bluetooth connection? A. Bluejacking B. Bluesmacking C. Bluebugging D. Bluesnarfing

D Bluesmack is a cyber-attack done on Bluetooth-enabled devices. Basically, it is the type of DoS attack for Bluetooth. When the victim's device is overwhelmed by huge packets it is known as Blusmacking. Bluebugging - A cyberattack that seeks to infiltrate the victim's device through a discoverable Bluetooth connection.

Module 16 Hacking Wireless Networks Which wireless security protocol requires 192-bit minimum security protocols, and can protect your data with protocols like GCMP-256, ECDSA-384, and HMAC-SHA-384? A. WPA2-Personal B. WPA2-Enterprise C. WPA3-Personal D. WPA3-Enterprise

Module 16 Hacking Wireless Networks Your wireless NIC can see the wireless network, but can’t connect. You sniff the wireless traffic and can see that the WAP is not responding to the association requests being sent by the wireless NIC. What could the problem be? A. The client cannot see the SSID of the wireless network B. The wireless client is not configured to use DHCP C. The WAP does not recognize the client’s MAC address D. Client is configured for the wrong channel

C A possible source of the problem could be that the Wireless Access Point (WAP) does not recognize the client's MAC address. MAC address filtering is a security feature commonly used in wireless networks to restrict access based on the MAC addresses of devices. If the WAP's MAC address filtering is enabled and the client's MAC address is not added to the list of allowed addresses, the WAP will not respond to the client's association requests.

Module 16 Hacking Wireless Networks Junior admin Bob is configuring a wireless router. He has disabled the SSID broadcast, set the authentication to “open”, and set the SSID to a long string of random numbers and letters. Which is the best assessment of this scenario? A. Disabling the SSID broadcast prevents 802.11 beacons from being transmitted from the access point, resulting in a valid setup leveraging “security through obscurity”. B. The router is still vulnerable to wireless hacking attempts, because the SSID broadcast setting can be enabled using a specially crafted packet sent to the hardware address of the access point. C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association. D. Since the SSID is required in order to connect, the 32-character string is sufficient to prevent brute-force attacks.

Module 16 Hacking Wireless Networks A hacker sets up a rogue wireless access point that appears to be a legitimate company WAP. Then the attacker tricks users into connecting to it so he can snoop on the victim’s communications. What type of attack is this? A. Sinkhole attack B. Collision attack C. Signal jamming attack D. Evil Twin attack

Module 16 Hacking Wireless Networks Which attack below would trick a victim into reinstalling an already-in-use encryption key, which would allow the MiTM to decrypt traffic? A. Wardriving B. KRACK C. Evil Twin D. Chop chop attack

B KRACK is short for Key Reinstallation Attack. It is an attack that leverages a vulnerability in the Wi-Fi Protected Access 2 (WPA2) protocol, which keeps your Wi-Fi connection secure. For hackers, KRACK is a tool they use when in close range of one of their targets to access encrypted data.

Module 16 Hacking Wireless Networks You use wireless access points compatible with both WPA2 and WPA3 encryption. An attacker installed a rogue WAP with only WPA2, and forced a victim to connect to it using the standard WPA2 four-way handshake to connect to the network. After getting connected to the network, the attacker used tools to crack the victim’s WPA2 encrypted messages. Which type of attack took place? A. Side-channel attack B. Timing-based attack C. Cache-based attack D. Downgrade security attack

D Downgrade style attacks in general force victims into using older, less secure protocols. In this scenario you’d prefer everyone to use WPA3, but here an attacker “downgraded” a victim’s session to use the older protocol, which the attacker was able to crack.

Module 16 Hacking Wireless Networks All of these are Bluetooth attacks except for which? A. Bluejacking B. Bluesnarfing C. Bluedriving D. Bluesmacking

Module 16 Hacking Wireless Networks Hacker Joe used a rogue WAP to do a MiTM attack, where he injected malicious HTTP code whenever users accessed web pages. Which tool is Hacker Joe most likely using to inject the HTML code? A. Aircrack-ng B. Ettercap C. TCPDump D. Wireshark

B TCPDump and Wireshark are protocol analyzers that let you inspect traffic, but they’re not for modifying traffic. Aircrack-ng is a wireless tool that can monitor the wireless network, crack the encryption and authentication, and do other useful wireless activities. Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Module 16 Hacking Wireless Networks Some Wireless Access Point’s (WAPs) use a feature called WiFi Protected Setup (WPS) to authenticate devices and allow them to connect to the network using a pin-code. If you try to brute-force that code, the WAP will lock until the admin unlocks it. Which of these command-line utilities could you use to find WPS enabled APs, and to check if they are locked or unlocked? A. ntptrace B. wash C. macof D. net view

Module 16 Hacking Wireless Networks Your admins and managers at your branch offices often plug in to the various ethernet ports at those offices. You don’t want regular employees to use these wired ethernet ports though. What is the BEST way to restrict access to these ethernet ports to only admins and authorized individuals? A. Ask everyone else to only use the wireless network. B. Disable unused ports in the switches. C. Separate employees into a different VLAN. D. Use the 802.1x protocol.

D With 802.1x you can control access to the network by authorizing only specific user accounts to access these ports.

Module 16 Hacking Wireless Networks A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack? A. Paros Proxy B. BBProxy C. BBCrack D. Blooover

Module 16 Hacking Wireless Networks The BtleJack utility will allow an attacker to do a variety of attacks on a BlueTooth connection. You can sniff connections, jam them, or hijack them. Which BtleJack switch will allow you to do BlueTooth hijacking? A. -c B. -t C. -j D. -d

B If you are interested in BlueTooth pen-testing, more info on the BtleJack tool can be found here: https://github.com/virtualabs/btlejack

Module 16 Hacking Wireless Networks Which WiFi security protocol uses Simultaneous Authentication of Equals (SAE), which is more resistant to dictionary attacks than personal pre-shared keys (PSK’s)? A. ZigBee B. WPA3-Personal C. WPA2-Enterprise D. Bluetooth

B WPA3-Personal replaces the PSK concept used in WPA2 because it uses a modern key establishment protocol called SAE (also known as Dragonfly Key Exchange), which is more secure than a simple pre-shared key. Basically it uses a password that the user can remember, then turns that into a one-time key (that can never be used again) for authentication. This makes it resistant to offline dictionary attacks.

Module 17 Hacking Mobile Platforms Not knowing any better, Aunt Hilda connected her iPhone to a public computer that had malware on it. She then enabled iTunes Wi-Fi Sync on the computer so that her phone could download music and synchronize data with the computer, even after she disconnected the cable. Unfortunately, Hacker Joe was controlling that computer via his pre-installed malware. Now he is able to monitor and read all of Aunt Hilda’s activity on her iPhone, even after she physically disconnected the cable to the computer. Which attack was performed here? A. Exploiting the SS7 vulnerability B. iOS trustjacking C. iOS jailbreaking D. Man-in-the-disk attack

Module 17 Hacking Mobile Platforms Which file in an Android app lists the basic configuration, such as app name, components, permissions, activities, services, broadcast receivers, etc? A. APK.info B. classes.dex C. AndroidManifest.xml D. Resources.asrc

Module 17 Hacking Mobile Platforms Which technique for jailbreaking an iOS device involves patching the kernel during the bootup process so that it becomes jailbroken on every successive reboot? A. Tethered jailbreaking B. Untethered jailbreaking C. Semi-tethered jailbreaking D. Semi-untethered jailbreaking

Module 17 Hacking Mobile Platforms What is it called when you disassemble and extract the source code of a mobile application in order to find the underlying vulnerabilities? A. App sandboxing B. Jailbreaking C. Reverse engineering D. Social engineering

Module 17 Hacking Mobile Platforms Which type of attack uses a malicious mobile-phone app to monitor the audio coming from someone’s loudspeaker? A. aLTEr attack B. Spearphone attack C. SIM card attack D. Man-in-the-disk attack

B A Spearphone attack is where a malicious Android app installed on your phone can “listen” to what’s being played through your phone’s loudspeaker. It uses the phone’s accelerometer, which requires no special permissions, to “listen” to your loudspeaker via the vibrations it creates. The app can then transmit that information to an attacker. This lets the bad-guy listen to your phone calls, your Google Assistant, or whatever is coming out of your loudspeaker. Crafty!

Module 17 Hacking Mobile Platforms Which of these is a spyware tool that can exploit vulnerabilities on an iPhone to jailbreak the phone, take control, and monitor and track the user’s activities? A. Zscaler B. Androrat C. Trident D. DroidSheep

C Androrat attacks Android devices. DroidSheep is a session hijack tool that runs on Android. Zscaler is a Security-as-a-Service company. Of the listed answer choices, only Trident attacks an iPhone with the above techniques.

Module 17 Hacking Mobile Platforms After downloading an app in a third-party app store, your legitimate apps on your mobile device have been replaced with fraudulent versions. You’ve also started getting many advertisements on your device. Which type of attack happened to you here? A. Clickjacking B. Agent Smith attack C. SMS phishing attack D. SIM card attack

Module 18 IoT and OT Hacking Bob works at a manufacturing plant and all of his robotic assembly devices are controlled remotely from HQ over the internet. In order to ensure the reliability of these devices, and to reduce downtime, protect against security incidents such as cyber espionage, zero-day attacks, and malware, which tool should his company employ? A. Robotium B. Flowmon C. Intent-Fuzzer D. BalenaCloud

B The Flowmon solution provides IP flow-based monitoring to networks from 10 Mbps to 100 Gbps. It provides network monitoring, security, troubleshooting, IP accounting and billing, capacity planning, user and application monitoring, law fulfilling data retention, Network Performance Monitoring (NPM) and more.

Module 18 IoT and OT Hacking If you suspect that one of our IoT devices has been compromised, which port should you monitor? A. 80 B. 443 C. 22 D. 666 E. 3898 F. 48101

Module 18 IoT and OT Hacking Which type of SDR-Based (Software Defined Radio) attack against IoT devices is being described here? -Attacker records the specific frequency being used to communicate between devices -Attacker captures the original data when commands were initiated by the devices -Using a free tool, such as URH (Universal Radio Hacker), the attacker segregated the command sequence into discrete, individual commands -Later, attacker injects command sequences of his choosing, on the same frequency, into the IoT network A. Side-channel attack B. Replay attack C. Cryptanalysis attack D. Reconnaissance attack

Module 18 IoT and OT Hacking Which Nmap command would target industrial control systems to gather information like vendor name, product code and name, device name, and IP address? A. Nmap -Pn -sU -p 44818 --script enip-info B. Nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p C. Nmap -Pn -sT -p 46824 D. Nmap -Pn -sT -p 102 --script s7-info

Module 18 IoT and OT Hacking Which tool would let you search for info on an IoT device, such as the model number and the certifications granted to it? A. FCC ID Search B. Google image search C. EarthExplorer D. Search.com

Module 18 IoT and OT Hacking Which of these is an information gathering tool that could allow you to collect info about an organizations internet-connected IoT devices? A. Wapiti B. Lacework C. NeuVector D. Censys

D Wapiti is a SQL injection detection tool. Lacework and NeuVector are container security tools. Censys is an IoT search engine, similar to Shodan and Thingful, that can give you info about a target IoT device, such as manufacturer, geographic location, IP address, hostname, open ports, etc.

Module 18 IoT and OT Hacking Mirai is a type of malware that targets IoT devices, takes control of them by making them part of a botnet, then launches attacks. Which type of attack would these botnets perform? A. Birthday attack B. DDoS attack C. Password attack D. MiTM attack

B Mirai creates a botnet of IoT devices to then launch DDoS attacks against the attackers chosen victim.

Module 18 IoT and OT Hacking Which tool below can discover IoT devices on your network that are using default credentials and that are vulnerable to hijacking attacks? A. Azure IoT Central B. IoTSeeker C. IoT Inspector D. AT&T IoT Platform

Module 18 IoT and OT Hacking Which of these attacks targets industrial control systems? A. SMishing attack B. HMI-based attack C. Reconnaissance attack D. Spear-phishing attack

B Human–Machine Interfaces (HMIs) are often called Hacker–Machine Interfaces. Even with the advancement and automation of OT, human interaction and control over the operational process remain challenges due to the underlying vulnerabilities. The lack of global standards for developing HMI software without any defense-in-depth security measures leads to many security problems. Attackers exploit these vulnerabilities to perform various attacks such as memory corruption, code injection, privilege escalation, etc. on target OT systems.

Module 18 IoT and OT Hacking Hacker Heather is trying to do a fault injection attack on an IoT device. She injects faults or glitches into the power supply to cause the system to skip some important instructions. She also tries to inject faults into the clock network of the chip. Which type of fault injection is Heather attempting here? A. Frequency/voltage tampering B. Temperature attack C. Optical, electromagnetic fault injection (EMFI) D. Power/clock/reset glitching

D Optical, Electromagnetic Fault Injection (EMFI): The main objective of these attacks is to inject faults into devices by PROJECTING LASERS and electromagnetic pulses that are used in analog blocks. Power/Clock/Reset Glitching: These types of attacks occur when faults or glitches are INJECTED into the Power supply that can be used for remote execution.

Module 19 Cloud Computing Your developers are using the Docker architecture for a client/server application they are building. Which Docker component can process API requests and handle Docker objects like containers, images, volumes, and networks? A. Docker client B. Docker daemon C. Docker objects D. Docker registries

B The Docker daemon ( dockerd ) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes.

Module 19 Cloud Computing Which tier of Container Technology Architecture involves verifying and validating image contents, signing images, and sending them to the registries? A. Tier-1: Developer machines B. Tier-2: Testing and accreditation systems C. Tier-3: Registries D. Tier-4: Orchestrators E. Tier-5: Hosts

Module 19 Cloud Computing You need a cloud computing service that will give your employees access to a cloud-based Customer Relationship Management tool. You want the provider to manage the hardware, the OS, and the software patching, monitoring, & administration. The only thing you want to have to do is manage your employee’s user accounts. Which type of Cloud Computing Service should you look into? A. SaaS B. PaaS C. IaaS D. CaaS E. IDaaS

Module 19 Cloud Computing Which type of cloud deployment allows several organizations to share a cloud environment to split the costs? A. Public B. Private C. Community D. Hybrid

Module 19 Cloud Computing Your company utilizes a cloud provider for some services. You want to secure these cloud services by assuming by default that any user attempting to access the service is not (necessarily) an authentic entity, and that every incoming connection must be verified first. Which technique should you use? A. Container technology B. Demilitarized Zone C. Zero trust network D. Serverless computing

C The Zero Trust model assumes that every incoming connection is suspect and must undergo strict authentication and access control processes. It follows the principal “Trust no one and validate before providing a cloud service”

Module 19 Cloud Computing Which cloud services model requires the customer to take full responsibility of the maintenance of the cloud-based resources? A. Software as a Service B. Platform as a Service C. Infrastructure as a Service D. Functions as a Service

Module 19 Cloud Computing You’ve decided to move some of your computing needs to a cloud provider. Your telecomm company is providing the internet connectivity for your users to access this cloud service. In which category of the NIST Cloud Deployment Reference Architecture does the telecom company fall? A. Consumer B. Provider C. Carrier D. Auditor E. Broker

C Cloud Carrier - An intermediary for providing connectivity and transport services between cloud consumers and providers.

Module 19 Cloud Computing Your company’s cloud services have been compromised. After investigating, you discover the attacker infiltrated the MSP provider using spear-phishing e-mails containing custom made malware to compromise user accounts and gain remote access. Which type of cloud attack happened here? A. Cloudborne attack B. Cloud cryptojacking C. Cloud hopper attack D. Man-in-the-cloud (MITC) attack

Module 19 Cloud Computing You want to use an open-source technology to develop, package and run containerized applications that provide OS-level virtualization. You also need to be able to deliver software to users quickly. Which cloud technology should you choose? A. Docker B. Virtual machine C. Zero trus network D. Serverless computing

Module 19 Cloud Computing Which type of cloud attack targets a bare-metal cloud server to implant a malicious backdoor in its firmware? A. Cloudborne attack B. Metadata spoofing attack C. Cloud cryptojacking D. Man-in-the-cloud attack

A In the Cloudborne scenario, an attacker can first use a known vulnerability in Supermicro hardware to overwrite the firmware of a Baseboard Management Controller (BMC).

Module 19 Cloud Computing If you are unhappy with your current cloud provider and want to switch to another, which of these is a problem that could prevent you from doing so? A. Lock-in B. Lock-up C. Lock-down D. Virtualization

A Vendor lock-in refers to a situation where the cost of switching to a different vendor is so high that the customer is essentially stuck with the original vendor. Because of financial pressures, an insufficient workforce, or the need to avoid interruptions to business operations, the customer is "locked in" to what may be an inferior product or service.

Module 20 Cryptography Which encryption algorithm uses 64-bit blocks and three 56-bit keys? A. AES B. MD5 encryption algorithm C. Triple Data Encryption Standard D. IDEA

Module 20 Cryptography Which of the following techniques will identify if computer files have been changed? A. Network sniffing B. Permission sets C. Integrity checking hashes D. Firewall alerts

Module 20 Cryptography What is the primary drawback to using advanced encryption standard (AES) algorithm with a 256 bit key to share sensitive data? A. Due to the key size, the time it will take to encrypt and decrypt the message hinders efficient communication. B. To get messaging programs to function with this algorithm requires complex configurations. C. It has been proven to be a weak cipher, therefore, should not be trusted to protect sensitive data. D. It is a symmetric key algorithm, meaning each recipient must receive the key through a different channel than the message.

Module 20 Cryptography What’s the best way to protect the data on your laptop while traveling? A. Password protected files B. Disk encryption C. BIOS encryption D. Hidden folders

Module 20 Cryptography Why shouldn’t we just use the longest possible key and strongest possible algorithm when selecting an encryption algorithm? A. Overhead B. If an algorithm such as Rijndael is chosen for AES it has been cracked and is probably useless. C. The longest possible unbreakable key is a “one- time pad”, but the length of a message is not always known in advance, therefore the best solution is a passphrase that makes a longer key. D. This question cannot be answered because there are so many variables and complicated factors involved and there just isn’t enough information provided.

Module 20 Cryptography Which of these is hardware on your computer’s motherboard that generates and stores an encryption key, and can be used to encrypt/decrypt data on your hard drive? A. CPU B. GPU C. TPM D. UEFI E. BIOS

Module 20 Cryptography You want to send an e-mail, but you need to ensure the recipient can check to see if it has been tampered with. To do this, you first create a checksum of the e-mail. Then you will encrypt the checksum with which of these keys? A. Your own private key B. The recipient’s private key C. Your own public key D. The recipient’s public key E. A symmetric key

Module 20 Cryptography What is it called when a copy of your private key is stored so that it can be restored if you happen to lose it, and to also provides your employer with access in case you should leave the company? A. Key registry B. Recovery agent C. Directory D. Key escrow

Module 20 Cryptography Symmetric key cryptography uses which of the following? A. Multiple keys for non-repudiation of bulk data B. Different keys on both ends of the transport medium C. Bulk encryption for data transmission over fiber D. The same key on each end of the transmission medium

Module 20 Cryptography Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust relationship exists and that a certificate is still valid for specific operations? A. Certificate issuance B. Certificate validation C. Certificate cryptography D. Certificate revocation

Module 20 Cryptography What’s the difference between RSA and AES? A. Both are symmetric algorithms, but AES uses 256-bit keys. B. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data. C. Both are asymmetric algorithms, but RSA uses 1024-bit keys. D. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data.

Module 20 Cryptography You encrypt your data with your public key, then copy the data to a commercial cloud-based storage solution. Which of these scenarios would compromise the privacy of your data? A. A hacker compromises the cloud server and steals the encrypted data. B. The FBI forces you to give them your private key, however, since they have no warrant, the cloud service provider refuses to give the FBI access to the stored data. C. You also store your private key on the cloud server, and an attacker has gained access to the server. D. None of these scenarios would compromise the privacy of your data.

Module 20 Cryptography Which does hashing provide? A. Confidentiality B. Integrity C. Availability D. Authentication

Module 20 Cryptography To send a PGP encrypted message, which piece of information from the recipient must the sender have before encrypting the message? A. Recipient's private key B. Recipient's public key C. Master encryption key D. Sender's public key

Module 20 Cryptography Which of the following defines the role of a root CA in a public key infrastructure? A. The root CA stores the users hash value for safekeeping B. The CA is the trusted root that issues certificates C. The root CA is the recovery agent used to encrypt data when a user certificate is lost D. The root CA is used to encrypt email messages to prevent unintended disclosure of data

Module 20 Cryptography Which of these statements about digital signatures is correct? A. Digital signatures may be used in different documents of the same type B. A digital signature cannot be moved from one signed document to another because it is a plain hash of the document content C. A digital signature cannot be moved from one signed document to another because it is the hash of the original document encrypted with the private key of the signing party D. Digital signatures are issued once for each user and can be used everywhere until they expire

Module 20 Cryptography Which of these would be the best way to prevent data-theft from lost or stolen corporate laptops? A. Set BIOS passwords B. Use strong logon passwords for the OS’s C. Back up everything on the laptops and store the backups in a safe place D. Encrypt the data on the hard drives

Module 20 Cryptography Which of these encryption algorithms is the fastest? A. SHA-1 B. SHA-2 C. ECC D. AES

Module 20 Cryptography Frank from accounting sends you a an e-mail threatening you if you don’t “keep your mouth shut” over something you witnessed earlier. You report Frank to HR but he denies having sent that e-mail. What can you use to prove the e-mail did come from Frank? A. Confidentiality B. Integrity C. Authentication D. Non-Repudiation

Module 20 Cryptography What is the length of an MD5 hash? A. 32 character B. 64 byte C. 48 char D. 128 kb

Module 20 Cryptography With SSL/TLS we use both symmetric and asymmetric cryptography. What is an advantage of this? A. Asymmetric cryptography is computationally expensive in comparison. However, it’s well suited to securely negotiate keys for use with symmetric cryptography. B. Symmetric encryption allows the server to securely transmit the session keys out-of-band. C. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail. D. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.

Module 20 Cryptography Which of these Secure Hashing Algorithms (SHA) resembles MD5 and produces a 160-bit message digest? A. SHA-0 B. SHA-1 C. SHA-2 D. SHA-3

Module 20 Cryptography A digital signature is simply a message that is encrypted with the public key instead of the private key. A. true B. false

Module 20 Cryptography Which of the following encryption is NOT based on block cipher? A. DES B. Blowfish C. AES (Rijndael) D. RC4

Module 20 Cryptography With one method of cryptanalysis, an attacker is able to make a bunch of interactive queries, and then choose subsequent plaintexts based on the previous encryption results. Which type of crypto-attack is this describing? A. Chosen-plaintext attack B. Ciphertext-only attack C. Known-plaintext attack D. Adaptive chosen-plaintext attack

D An adaptive chosen plaintext attack is a chosen plaintext attack scenario in which the attacker has the ability to make his or her choice of the inputs to the encryption function based on the previous chosen plaintext queries and their corresponding ciphertexts. The scenario is more powerful than the basic chosen plaintext attack.

Module 20 Cryptography Advanced Encryption Standard is an algorithm used for which of the following? A. Data integrity B. Key discovery C. Bulk data encryption D. Key recovery

Module 20 Cryptography Which TWO of these are symmetric block ciphers with 128-bit blocks and keys up to 256 bits? A. IDEA B. Onefish C. Twofish D. Threefish E. Blowfish F. HMAC G. RSA H. AES I. ECC

C & H

Module 20 Cryptography You want to send an e-mail to Bob that’s both encrypted and signed. Which key would you use to 1) encrypt the message, and which key would 2) confirm the digital signature? A. Your public key, your public key B. Bob’s private key, your public key C. Bob’s public key, Bob’s public key D. Bob’s public key, your public key

Module 20 Cryptography Which of these is a free hybrid encryption program, based on the OpenPGP standard, that uses both symmetric and asymmetric encryption and can be used for securing e-mail messages? A. S/MIME B. SMTP C. GPG D. PGP

C The big clue here is the word “free”. PGP is only free for 30 days, but after that you have to pay for it. GPG (GNU Privacy Guard) is free.

Module 20 Cryptography After gaining access to the password hashes used to protect access to a web based application, knowledge of which cryptographic algorithms would be useful to gain access to the application? A. SHA1 B. Diffie-Helman C. RSA D. AES

Module 20 Cryptography Which of the following is a symmetric cryptographic standard? A. DSA B. PKI C. RSA D. 3DES

Module 20 Cryptography A Certificate Authority (CA) creates a pair of keys to secure data in-transit. The integrity of the encrypted data depends on the security of which of these? A. Public key B. Private key C. Modulus length D. Email server certificate

Module 20 Cryptography You want to ensure that your users are encrypting their messages with the recipient’s public key, so that only the recipient can decrypt, using his/her private key. To achieve this, you implement a security model where every user maintains a ring of public keys to secure their corporate messages. What is the name of this model? A. Zero trust network B. Web of Trust (WoT) C. Transport Layer Security (TLS) D. Secure Socket Layer (SSL)

B Web Of Trust is a model used by PGP, OpenPGP, and GPG where each user acts as a Certificate Authority (CA) and signs each other’s public keys for distribution. In a WoT network, every user has a “ring of public keys” (other user’s keys) to encrypt data to keep it secure.

Module 20 Cryptography Which of these PKI components actually verifies the applicant? A. Certificate authority B. Validation authority C. Registration authority D. Verification authority

C Certificate Authority (CA): A CA is a trusted entity responsible for issuing, revoking, and managing digital certificates. It verifies the identity of certificate applicants before issuing certificates, thus establishing a chain of trust. Registration Authority (RA): The RA assists the CA in the identity verification process. It collects and validates identity information from certificate applicants before passing it to the CA for certificate issuance.

Module 20 Cryptography To send a digitally signed e-mail to Bob, which key would you use to sign it, and how will Bob validate that the e-mail really came from you? A. You sign the message with your public key, and Bob will verify that the message came from you by using your private key. B. You sign the message with Bob’s private key, and Bob will verify that the message came from you using your public key. C. You sign the message with your private key, and bob will verify that the message came from you by using your public key. D. You sign the message with Bob’s public key, and bob will verify that the message came from you by using your public key.

Module 20 Cryptography Which of these is a service in a PKI that can vouch for your employees’ identities? A. CR B. KDC C. CA D. CBC

Module 20 Cryptography Your company got breached while transferring important files. This process was transmitting sensitive data, such as usernames and passwords, in plaintext. To prevent a session hijack using this information, you want to use a protocol that instead sends data using encryption and digital certificates. Which of these protocols would be best here? A. HTTPS B. IP C. FTP D. FTPS

D While both HTTPS and FTPS both use encryption and digital certificates, this scenario specifically talks about file transfers. The best tool here then, would be FTP Secure, which is specifically for file transfers, uses digital certificates and encryption, and would protect sensitive credentials as you log-in to the FTP server.

Module 20 Cryptography While doing a security audit, you notice that two of your webservers allow SSLv2 connections, and they both use the same private key certificate. This makes them vulnerable to attacks because SSLv2 can be cracked and leak your server’s private key. Which of these attacks could take advantage of this vulnerability? A. Side-channel attack B. Padding oracle attack C. DUHK attack D. DROWN attack

D DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

Module 20 Cryptography You want to send some sensitive info to Bob in an e-mail using PGP. How will you protect that info? A. Use your own private key to encrypt the message. B. Use your own public key to encrypt the message. C. Use Bob’s private key to encrypt the message. D. Use Bob’s public key to encrypt the message.

Module 20 Cryptography Digital signatures must meet which conditions? A. Must be unforgeable and has to be authentic B. Must be unique and have special characters C. Has to be the same number of characters as a physical signature and must be unique D. Has to be legible and neat

Module 20 Cryptography When referring to the field of cryptanalysis, what is a “rubber-hose” attack? A. Attempting to decrypt ciphertext by making logical assumptions about the contents of the original plaintext B. Extraction of cryptographic secrets through coercion or torture C. A backdoor placed into a cryptographic algorithm by its creator D. Forcing the targeted keystream through a hardware-accelerated device such as an ASIC

B In cryptography, rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture—such as beating that person with a rubber hose, hence the name—in contrast to a mathematical or technical cryptanalytic attack.

Module 20 Cryptography Which of these is the best solution for sending encrypted e-mails if you don’t want to have to pay any money or manage a server? A. IP Security (IPSEC) B. Multipurpose Internet Mail Extensions (MIME) C. Pretty Good Privacy (PGP) D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

Module 20 Cryptography When dealing with a particular hashing algorithm, which property makes it less likely the algorithm will create the same hash result for multiple different source messages? A. Collision resistance B. Bit length C. Key strength D. Entropy

Module 20 Cryptography If two employees want to exchange data, which one of these can verify and authenticate their identities to each other? A. SOA B. Single sign-on C. PKI D. biometrics

C Single sign-on would verify an employee’s identity while logging on to the network, but in this scenario two people want to exchange data. With PKI, they can exchange certificates with each other, which would validate each user’s identity.

Module 20 Cryptography What is a "Collision attack”? A. Collision attacks try to break the hash into two parts, with the same bytes in each part to get the private key B. Collision attacks try to break the hash into three parts to get the plaintext value C. Collision attacks try to find two inputs producing the same hash D. Collision attacks try to get the public key

Module 20 Cryptography Which of these is a technique to improve the security of encryption keys by taking a key and running it through an algorithm to generate an enhanced key that is resistant to brute-force attacks? A. Key derivation function B. Key reinstallation C. Key stretching D. Public key infrastructure

Module 20 Cryptography PGP, SSL, and IKE are all examples of which type of cryptography? A. Public Key B. Secret Key C. Hash Algorithm D. Digest

A The correct answer is 'Public Key'. Not sure if this is a good question. they all involve the private and public key. ... EDIT: Because all these methods use both private and public key, both choices (private and public) key are correct. therefor, i changed the last option from "Private" to "Shared" key. this way the question is a lot less confusion., and it's only 1 correct answer.

Module 20 Cryptography Which key does the Heartbleed bug leave exposed on a web server? A. Root B. Public C. Private D. Shared

C If the server version is vulnerable to Heartbleed, cybercriminals can retrieve the private key and impersonate the server. The consequences can be quite dire, as secure connections to the server are not possible anymore, and private information can be easily exposed

Module 20 Cryptography Which of these is the plaintext attack used on DES where encrypting the plaintext with one DES key, and then encrypting it again with a second DES key, is no more secure than just using a single key? A. Replay attack B. Meet-in-the-middle attack C. Man-in-the-middle attack D. Traffic analysis attack

B When DES started getting old and less secure, they went to 2DES (double-DES) where they would just encrypt traffic with a DES twice, using two different keys. Unfortunately, the Meet-In-The-Middle attack was able to derive one of the keys, which then essentially reduced it back to single DES again. This is why these days we use 3DES as it avoids this problem.

Module 20 Cryptography Which algorithm uses 64 bit blocks and does 12 or 16 rounds of encryption? A. AES B. GOST block cipher C. CAST-128 D. DES

C AES: 128, 192, or 256 bit keys, 128 bit blocks, 10, 12, or 14 rounds GOST: 256 bit key, 64 bit blocks, 32 rounds CAST-128: 40-128 bit keys, 64 bit blocks, 12 or 16 rounds DES: 56-bit key, 64-bit blocks, 16 rounds

Module 20 Cryptography Which encryption algorithm listed below is symmetric, uses key sizes of 128, 192, or 256 bits, does 32 rounds of encryption, and uses four 32-bit blocks? A. TEA B. RC5 C. Serpent D. CAST-128

C RC5: 128 bit keys, variable block size & number of rounds TEA: 128 bit keys, 64 bit blocks, 64 rounds CAST-128: 40-128 bit keys, 64 bit blocks, 12 or 16 rounds Serpent: 128, 192, or 256 bit keys, 4x32-bit blocks, 32 rounds

Port Numbers, Protocols, & Misc Which service runs on TCP port 445? A. Telnet B. Remote Procedure Call (RPC) C. Network File System (NFS) D. Server Message Block (SMB)

D Port 445 is a Microsoft networking port which is also linked to the NetBIOS service present in earlier versions of Microsoft Operating Systems. It runs Server Message Block (SMB), which allows systems of the same network to share files and printers over TCP/IP.

Port Numbers, Protocols, & Misc What is the port number for SNMP? A. 150 B. 161 C. 169 D. 69

Port Numbers, Protocols, & Misc Examine this log file entry and pick the true statement: June 15, 2017 2:15:45 PM 192.168.5.10 – 59888 192.168.6.130 – 22 tcp_ip A. Application is SSH and 192.168.5.10 is the client and 192.168.6.130 is the server. B. Application is SSH and 192.168.5.10 is the server and 192.168.6.130 is the client. C. Application is Telnet and 192.168.5.10 is the client and 192.168.6.130 is the server. D. SSH communications are encrypted and it’s impossible to know who is the client or the server.

Port Numbers, Protocols, & Misc Which protocol is specifically designed to send event messages? A. SMS B. Syslog C. SNMP D. ICMP

Port Numbers, Protocols, & Misc LDAP uses which port number? A. 110 B. 389 C. 464 D. 445

Port Numbers, Protocols, & Misc Which port number is involved with file sharing on a Windows computer? A. 445 B. 3389 C. 1433 D. 161

Port Numbers, Protocols, & Misc Your users can’t reach internet sites for some reason, so you try pinging the sites and they do return a reply. You try putting an IP address into your browser and the sites display properly, but you can’t see the sites when you use their URL’s. What is the problem? A. Traffic is blocked on TCP port 80 B. Traffic is blocked on UDP port 80 C. Traffic is blocked on UDP port 53 D. Traffic is blocked on TCP port 54

C 53 Domain Name System (DNS) service - UDP queries and replies | TCP zone transfers

Port Numbers, Protocols, & Misc While checking the settings on the internet browser, a technician finds that the proxy server settings have been checked and a computer is trying to use itself as a proxy server. What specific IP within the subnet does the technician see? A. 10.10.10.10 B. 127.0.0.1 C. 192.168.1.1 D. 192.168.168.168

Port Numbers, Protocols, & Misc Your audit report says you have a service running on port 389, and it has been flagged as a critical problem that needs to be rectified. What service is this, and how would you fix the problem? A. The findings do not require immediate actions and are only suggestions. B. The service is LDAP, and you must change it to 636, which is LDAPS. C. The service is NTP, and you have to change it from UDP to TCP in order to encrypt it. D. The service is SMTP, and you must change it to SMIME, which is an encrypted way to send emails.

Port Numbers, Protocols, & Misc Admin Alice just discovered unencrypted traffic on your network using UDP port 161. What protocol is this, and what should she do to increase security? A. RPC and the best practice is to disable RPC completely B. SNMP, and it is not necessary to perform any actions, as SNMP is not carrying important information C. SNMP, and she should change it to SNMP v3 D. SNMP, and she should change it to SNMP v2, which is encrypted

Port Numbers, Protocols, & Misc You are combing through event logs from your firewall, IDS, and proxy server looking for a possible security breach. When you correlate the data from the logs, you find that the sequence of many of the events don’t match up. What is the most likely reason for this? A. The network devices are not all synchronized B. Proper chain of custody was not observed while collecting the logs C. The attacker altered or erased events from the logs D. The security breach was a false positive

A This is one of the many reasons we need to use NTP (or a similar protocol) to synchronize the time on all of your devices!

Port Numbers, Protocols, & Misc Which port number is commonly used by NTP (Network Time Protocol)? A. TCP Port 124 B. UDP Port 125 C. UDP Port 123 D. TCP Port 126

Port Numbers, Protocols, & Misc While port-scanning a system, you find that it has ports 21, 23, 80, 139, and 9100 open. Which type of machine are you most likely looking at here? A. The host is likely a Linux machine. B. The host is likely a Windows machine. C. The host is likely a router. D. The host is likely a printer.

Port Numbers, Protocols, & Misc What are the short concrete or metal poles called in front of a building that prevent you from driving through an area, while at the same time allowing foot traffic through? A. Speed bumps B. Bollards C. Pillars D. Block posts

Port Numbers, Protocols, & Misc Which service runs on port 21? A. Remote Procedure Call (RPC) B. Border Gateway Protocol (BGP) C. File Transfer Protocol (FTP) D. Network File System (NFS)

Addendum What is it commonly called when companies like HackerOne create programs for vulnerability disclosures? A. White-hat hacking program B. Bug bounty program C. Ethical hacking program D. Vulnerability hunting program

Addendum Which of these attacks can extract password hashes by attacking the NetNTLMv1 protocol? A. Dictionary attack B. Rainbow Table attack C. Combinator attack D. Internal Monologue attack

Addendum Which one of these Kubernetes components will allocate nodes (computers) to newly created pods (groups of containers)? A. Kube-scheduler B. Kube-apiserver C. Kube-controller-manager D. Etcd cluster

Practice Exam Sept 2023 Flashcards

(465 cards)