Test title:
Test101

Description:
Test101

Author:
Test74

Creation date:
15/11/2019

Category:
Personal

Number of questions: 238
Content:
You have gained physical access to a Windows 2008 R2 server, which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user's password or activate disabled Windows accounts? CHNTPW SET John the Ripper Cain & Abel.
Which of these is capable of searching for and locating rogue access points? WIPS WISS HIDS NIDS.
A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software? Web site defacement vulnerability Cross-site Request Forgery vulnerability Cross-site scripting vulnerability SQL injection vulnerability.
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library? This weakness allows stealing the protected information, under normal conditions, by the SSL/TLS encryption used to secure the Internet. Shellshock Heartbleed Bug SSL/TLS Renegotiation Vulnerability POODLE.
The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation? SYN-ACK ACK RST SYN.
To determine if a software program properly handles a wide range of invalid inputs, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing? Mutating Bounding Fuzzing Randomizing.
An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New integration opportunities are in sight for both the company and the customer. What should this employee do? Since the company's policy is all about Customer Service, he/she will provide the information The employee should not provide any information without prior management authorization. The employee cannot provide any information; but, anyway, he/she will provide the name of the person in charge. Disregarding the call, the employee should hang up.
What is not a PCI compliance recommendation? Use encryption to protect all transmission of card holder data over any public network. Limit access to card holder data to as few individuals as possible. Use a firewall between the public network and the payment card data. Rotate employees handling credit card transactions on a yearly basis to different departments.
A hacker has managed to gain access to a Linux host and stolen the password file from /etc/passwd. How can he use it? He cannot read it because it is encrypted. He can open it and read the user ids and corresponding passwords. The file reveals the passwords to the root user only. The password file does not contain the passwords themselves.
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester? Project Scope Non-Disclosure Agreement Rules of Engagement Service Level Agreement.
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called? DNS Scheme DynDNS Split DNS DNSSEC.
"........ is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there. " Fill in the blank with the appropriate choice. Signal Jamming Attack Evil Twin Attack Sinkhole Attack Collision Attack.
Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP). Which of the following is an incorrect definition or characteristic of the protocol? Provides a structured model for messaging Only compatible with the application protocol HTTP Exchanges data between web services Based on XML.
When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing? At least twice a year and after any significant infrastructure or application upgrade or modification At least once every two years and after any significant infrastructure or application upgrade or modification At least once every three years and after any significant infrastructure or application upgrade or modification At least once a year and after any significant infrastructure or application upgrade or modification.
In cryptanalysis and computer security, 'pass the hash' is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. Metasploit Framework has a module for this technique: psexec. The psexec module is often used by penetration testers to obtain access to a given system whose credentials are known. It was written by sysinternals and has been integrated within the framework. The penetration testers successfully gain access to a system through some exploit, use meterpreter to grab the passwords or other methods like fgdump, pwdump, or cachedump and then utilize rainbow tables to crack those hash values. Which of the following is a true hash type and sort order that is used in the psexec module's 'smbpass' option? NT:LM NTLM:LM LM:NTLM LM:NT.
This asymmetric cipher is based on factoring the product of two large prime numbers. What cipher is described above? SHA RC5 RSA MD5.
Which of the following attacks exploits web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend? File Injection Attack Hidden Field Manipulation Attack Cross-Site Request Forgery (CSRF) Command Injection Attacks.
A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as a process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible? Privilege escalation Directory traversal File system permissions Brute force login.
You have successfully compromised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use? nmap -T4 -F 10.10.0.0/24 nmap -T4 -q 10.10.0.0/24 nmap -T4 -O 10.10.0.0/24 nmap -T4 -r 10.10.1.0/24.
Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing services. Which OS did it not directly affect? Linux Unix OS X Windows.
In Risk Management, how is the term "likelihood" related to the concept of "threat?" Likelihood is a possible threat-source that may exploit a vulnerability. Likelihood is the probability that a threat-source will exploit a vulnerability. Likelihood is the probability that a vulnerability is a threat-source. Likelihood is the likely source of a threat that could exploit a vulnerability.
An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com," the user is directed to a phishing site. Which file does the attacker need to modify? Networks Sudoers Boot.ini Hosts.
Which of the following security policies defines the use of VPN for gaining access to an internal corporate network? Network security policy Remote access policy Access control policy Information protection policy.
Which method of password cracking takes the most time and effort? Brute force Rainbow tables Dictionary attack Shoulder surfing.
You are logged in as a local admin on a Windows 7 system, and you need to launch the Computer Management Console from the command line. Which command would you use? c:\services.msc c:\compmgmt.msc c:\ncpa.cpl c:\gpedit.
PGP, SSL, and IKE are all examples of which type of cryptography? Secret Key Public Key Hash Algorithm Digest.
What term describes the amount of risk that remains after the vulnerabilities are classified, and the countermeasures have been deployed? Impact risk Residual risk Inherent risk Deferred risk.
It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete? Eradication Recovery Containment Discovery.
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN? ESP transport mode ESP confidential AH promiscuous AH Tunnel mode.
The "white box testing" methodology enforces what kind of restriction? The internal operation of a system is completely known to the tester. Only the internal operation of a system is known to the tester. Only the external operation of a system is accessible to the tester. The internal operation of a system is only partly accessible to the tester.
What is the most common method to exploit the “Bash Bug” or “ShellShock" vulnerability? SSH Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server SYN Flood Manipulate format strings in text fields.
Due to a slowdown of normal network operations, the IT department decided to monitor internet traffic for all of the employees. From a legal standpoint, what would make this kind of measure troublesome? IT department would be telling employees who the boss is All of the employees would stop normal work activities The network could still experience traffic slow down Not informing the employees that they are going to be monitored could be an invasion of privacy.
___________ is a set of extensions to DNS that provide the origin authentication of DNS data to DNS clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks. Resource transfer Resource records DNSSEC Zone transfer.
Which tool allows analysts and pen-testers to examine links between data using graphs and link analysis? Maltego Metasploit Wireshark Cain & Abel.
An Internet Service Provider (ISP) has a need to authenticate users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol is the most likely able to handle this requirement? TACACS+ RADIUS Kerberos DIAMETER.
A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines but cannot successfully reach the Internet. When the technician examines the IP address and default gateway, they are both on the 192.168.1.0/24 network. Which of the following has occurred? The gateway and the computer are not on the same network The computer is using an invalid IP address The computer is not using a private IP address The gateway is not routing to a public IP address.
Which of the following is a low-tech way of gaining unauthorized access to systems? Scanning Social Engineering Sniffing Enumeration.
What is attempting an injection attack on a web server based on responses to True/False questions called? Blind SQLi DMS-specific SQLi Compound SQLi Classic SQLi.
You have successfully gained access to a Linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by Network-Based Intrusion Detection Systems (NIDS). What is the best way to evade the NIDS? Out of band signalling Protocol Isolation Encryption Alternate Data Streams.
Which of the following is the BEST way to defend against network sniffing? Use Static IP Address Restrict Physical Access to Server Rooms hosting Critical Servers Using encryption protocols to secure network communications Register all machines MAC Address in a Centralized Database.
How does the Address Resolution Protocol (ARP) work? It sends a reply packet for a specific IP, asking for the MAC address. It sends a request packet to all the network elements, asking for the domain name from a specific IP. It sends a reply packet to all the network elements, asking for the MAC address from a specific IP. It sends a request packet to all the network elements, asking for the MAC address from a specific IP.
Internet Protocol Security (IPSec) is a suite of protocols. Each protocol within the suite provides different functionality. Collectively, IPSec does everything except Authenticate Protect the payload and the headers Encrypt Work at the Data Link Layer.
This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. Which of the following tools is being described? Airguard Aircrack-ng WLAN-crack wificracker.
Which of the following will perform an Xmas scan using NMAP? nmap -sA 192.168.1.254 nmap -sX 192.168.1.254 nmap -sV 192.168.1.254 nmap -sP 192.168.1.254.
You are doing an internal security audit and intend to find out what ports are open on all the servers. What is the best way to find out? Telnet to every port on each server Scan servers with MBSA Physically go to each server Scan servers with Nmap.
Your company performs penetration tests and security assessments for small and medium-sized businesses in the local area. During a routine security assessment, you discover information that suggests your client is involved in human trafficking. What should you do? Immediately stop work and contact the proper legal authorities Ignore the data and continue the assessment until completed as agreed Confront the client in a respectful manner and ask her about the data Copy the data to removable media and keep it in case you need it.
If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled, and the network may be using TCP. Which tool could the tester use to get a response from a host using TCP? Hping Traceroute TCP ping Broadcast ping.
Which regulation defines security and privacy controls for Federal information systems and organizations? PCI-DSS HIPAA NIST-800-53 EU Safe Harbor.
Sophia travels a lot and worries that her laptop containing confidential documents might be stolen. What is the best protection that will work for her? Hidden folders BIOS password Disk encryption Password protected files.
What two conditions must a digital signature meet? Has to be legible and neat Has to be unforgeable, and has to be authentic. Has to be the same number of characters as a physical signature and must be unique Must be unique and have special characters.
Which Intrusion Detection System is best applicable for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments? Host-based intrusion detection system (HIDS) Firewalls Network-based intrusion detection system (NIDS) Honeypots.
In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information. How can he achieve this? Hacking Active Directory Privilege Escalation Port Scanning Shoulder-Surfing.
Your company has web servers, DNS servers, and mail servers in a DMZ that are accessible from the Internet. Hackers have been scanning your public IP addresses, and you even suspect they have begun enumerating some targets. Your company performs daily Nessus scans to find live hosts, open ports, and vulnerabilities. The Nessus scanner is connected to your internal network. Your manager commented that he thinks a network firewall is blocking Nessus from scanning the hosts in the DMZ. What is a solution to provide Nessus with the same visibility of the DMZ as that of a hacker? Run Nessus from a server that resides in the DMZ so that no firewalls, IPS, or other security products interfere with the scan. Leave the Nessus server in the internal network but add a second network card so that it can be connected to a switch in the DMZ. This will allow the Nessus server to have access to the internal and DMZ networks. Run Nessus from a location on the Internet which is separate from the company's network so that no firewalls, IPS, or other security products interfere with the scan. Have the firewall rules modified so that the Nessus server on the internal network is able to scan the hosts in the DMZ.
In order to surf the Internet anonymously, which of the following is the best choice? Use Tor network with multi-node Use public VPN Use SSL sites when entering personal information Use shared WiFi.
Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense conversation on his cell phone as an authorized employee badges in. Jimmy, while still on the phone, grabs the door as it begins to close. What just happened? Masquerading Phishing Tailgating Whaling.
You are performing a penetration test for a client and have gained shell access to a Windows machine on the internal network. You intend to retrieve all DNS records for the internal domain. If the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup prompt to attempt a zone transfer? ls -d abccorp.local lserver 192.168.10.2 -t all list server=192.168.10.2 type=all list domain=abccorp.local type=zone.
Jesse receives an email with an attachment labeled "Court_Notice_21206.zip". Inside the zip file is a file named "Court_Notice_21206.docx.exe" disguised as a Word document. Upon execution, a window appears stating, "This word document is corrupt." In the background, the file copies itself to Jesse's APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Jesse encountered? Macro Virus Trojan Worm Key-Logger.
User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI model does the encryption and decryption of the message take place? Transport Session Presentation Application.
You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs - 192.168.8.0/24. What command would you use? tshark -net 192.255.255.255 mask 192.168.8.0 wireshark --fetch "192.168.8.*" wireshark --capture --local --masked 192.168.8.0 --range 24 sudo tshark -f "net 192.168.8.0/24".
Which of the following techniques are NOT relevant in preventing ARP spoofing attacks? Arpwatch Static MAC Entries Secure ARP Protocol Kernel based patches.
The systems administrator for one of your clients has just called you, explaining that one of their critical servers has been breached. You let her know that your incident response team is on the way and instruct her not to power off the compromised system at this time. Why should she not power off the server? Select the best answer. The incident response team needs to retrieve information stored in volatile memory such as RAM. The attacker may have placed a logic bomb, which will trigger when the shutdown command is issued. Actually, the correct procedure in this case is to power off the server. This helps prevent the attacker from spreading deeper into the network. This will alert the attacker that they have been discovered, prompting them to delete data or install ransomware before their foothold in the network is severed.
You type the following command at a Linux command prompt: hping3 -c 65535 -i u1 -S -p 80 --rand-source www.targetcorp.com What action are you performing? Port scan of all UDP ports SYN flood Idle scan of TCP port 80 Ping of death.
Seth is starting a penetration test from inside the network. He has not been given any information about the network. What type of test is he conducting? External, Whitebox External, Blackbox Internal, Whitebox Internal, Blackbox.
What term describes the amount of risk that remains after the vulnerabilities are classified, and the countermeasures have been deployed? Inherent risk Impact risk Residual risk Deferred risk.
Darius and Mathew were performing an internal vulnerability scan within the corporate network and reported the results to their manager. The manager found that it was not performed correctly because there were some mismatches when comparing the two reports. He was expecting the same results, as both scans were performed at the same time, using the same tools and the same IP ranges. The results simply showed more findings in Darius' scan compared to Mathew's scan. What was the most probable root cause? Administrator of the scanned system updated most of the vulnerabilities One of the scans was blocked by IPS One of the scans was blocked by IDS Mathew's scan was blocked by Firewall.
During an Xmas scan, what indicates a port is closed? RST SYN ACK No return response.
What is the purpose of a DNS AAAA record? Authorization, Authentication and Auditing record Address prefix record IPv6 address resolution record Address database record.
An attacker is trying to redirect the traffic of a small office. That office is using their own mail server, DNS server and NTP server because of the importance of their jobs. The attacker gains access to the DNS server and redirects the address www.google.com to his own IP address. Now, when the employees of the office want to go to Google, they are being redirected to the attacker's machine. What is the name of this kind of attack? DNS Spoofing ARP Poisoning Smurf Attack MAC Flooding.
Max saw a guy (Mario) who looked like a janitor who was holding a lot of boxes. Max held the door open for Mario. Mario was able to access the company without identification. What kind of attack is this? Tailgating Session Hijacking None of them Phishing.
An enterprise recently moved to a new office, and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job? Use an IDS in the entrance doors and install some of them near the corners Install a CCTV with cameras pointing to the entrance doors and the street Use lights in all the entrance doors and along the company's perimeter Use fences in the entrance doors.
Which method of password cracking takes the most time and effort? Dictionary attack Brute force Rainbow tables Shoulder surfing.
Rebecca commonly sees an error on her Windows system that states that a Data Execution Prevention (DEP) error has taken place. Which of the following is most likely taking place? A page fault is occurring, which forces the operating system to write data from the hard drive Malware is executing in either ROM or a cache memory area. Malicious code is attempting to execute instructions in a non-executable memory region. A race condition is being exploited, and the operating system is containing the malicious process.
Which Metasploit Framework tool can help a penetration tester evade Anti-virus Systems? Msfd msfcli msfencode msfpayload.
Which of the following is NOT correct about the usefulness of vulnerability scanning: Check compliance with host application usage and security policies Provide the environment to be able to safely penetrate vulnerable systems Provide information on how to mitigate discovered vulnerabilities Provide information on targets for penetration testing.
What is most important for a pentester before he can start any hacking activities? Preparing a list of targeted systems Finding new exploits which can be used during the pentest Ensuring that his activity will be authorized and he will have a proper agreement with the owners of the targeted system Creating an action plan.
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection? Ipsec FTPS SFTP SSL.
Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN? ESP transport mode ESP confidential AH tunnel mode AH promiscuous.
Which of the following statements is FALSE with respect to Intrusion Detection Systems? Intrusion Detection Systems can examine the contents of the data in context of the network protocol Intrusion Detection Systems can be configured to distinguish specific content in network packets Intrusion Detection Systems can easily distinguish a malicious payload in an encrypted traffic Intrusion Detection Systems require constant update of the signature library.
Darius just received a call: Unknown Caller: Hello, my name is Rashad and I'm a security engineer from Microsoft Corporation. We have observed suspicious activity originating from your system and we would like to stop this threat. To do so, I would ask you to install some updates on your system. Would you prefer me to send you a link or an attachment within an email? Darius: Hello, please send me an email with the attachment at darius@protonmail.com Unknown Caller: Thank you for your cooperation. I'm sending instructions and all the files. What did Darius just face? Piggybacking Tailgating Social Engineering Attack Just normal call from Microsoft Cyberdivision.
Attempting an injection attack on a web server based on responses to True/False questions is called which of the following? DMS-specific SQLi Classic SQLi Blind SQLi Compound SQLi.
What is the process for allowing or blocking a specific port in the Windows firewall? (For example, TCP port 22 inbound) This is not possible without installing third-party software since Windows only allows changing firewall settings for individual applications. A rule matching these requirements can be created in "Windows Firewall with Advanced Security", located in the Control Panel. The only way to implement a specific rule like this is to use the "netsh" program on the command-line. The firewall rule must be added from within the application that is using that port.
A large mobile telephony and data network operator has a data center that houses network elements. These are essentially large computers running on Linux. The perimeter of the data center is secured with firewalls and IPS systems. What is the best security policy concerning this setup? Network elements must be hardened with user ids and strong passwords. Regular security tests and audits should be performed. As long as the physical access to the network elements is restricted, there is no need for additional measures The operator knows that attacks and down time are inevitable and should have a backup site There is no need for specific security measures on the network elements as long as firewalls and IPS systems exist.
Which command can be used to show the current TCP/IP connections? Net use connection Netsh Net use Netstat.
You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do? Report immediately to the administrator. Do not report it and continue the penetration test. Transfer money from the administrator's account to another account. Do not transfer the money but steal the bitcoins.
Which of the following algorithms is used for Kerberos encryption? ECC DSA DES RSA.
Suppose your company has just passed a security risk assessment exercise. The results display that the risk of the breach in the main company application is 50%. Security staff has taken some measures and implemented the necessary controls. After that, another security risk assessment was performed showing that risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the best for the project in terms of its successful continuation with most business profit? Mitigate the risk Introduce more controls to bring risk to 0% Avoid the risk Accept the risk.
PGP, SSL, and IKE are all examples of which type of cryptography? Secret Key Hash Algorithm Public Key Digest.
Mary found a high vulnerability during a vulnerability scan and notified her server team. After analysis, they sent her proof that a fix to that issue had already been applied. The vulnerability that Mary found is called what? Brute force attack Backdoor False-positive False-negative.
To determine if a software program properly handles a wide range of invalid inputs, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing? Mutating Fuzzing Bounding Randomizing.
What does line 7 of the traceroute mean?

ark@debian-lxde:~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.2.1  0.914 ms  1.000 ms  1.054 ms
 2  192.168.1.1  2.364 ms  1.983 ms  2.126 ms
 3  * * *
 4  193.253.85.230  2.313 ms  3.021 ms  2.848 ms
 5  81.253.182.230  3.086 ms  2.868 ms  4.077 ms
 6  81.253.184.82  10.248 ms  10.268 ms  10.085 ms
 7  81.52.200.209  6.970 ms  81.52.200.217  6.454 ms  81.52.200.209  7.179 ms
 8  81.52.186.142  6.766 ms  7.278 ms  7.206 ms
 9  209.85.244.252  8.847 ms  8.644 ms  8.639 ms
10  8.8.8.8  9.289 ms  9.123 ms  9.024 ms
ark@debian-lxde:~$

The traffic is encapsulated by a GRE tunnel between routers 3 and 8 MPLS is used between router 6 and router 7 Router 81.253.184.82 has two equivalent paths toward destination The 81.58.200.217 address is a host which has redirected the traffic.
Clara, a black hat, has connected her Linux laptop to an Ethernet jack in the E-Corp reception area. She types "ip route" at a terminal and receives the following output, realizing that she's still connected to a WiFi network across the street. If she were to attack a host at 192.168.100.250, out of which interface would the traffic exit?

default via 192.168.100.1 dev wlp5s0 src 192.168.100.156 metric 202
default via 192.168.96.1 dev enp5s0u1 src 192.168.100.54 metric 600
192.168.100.0/24 dev wlp5s0 proto kernel scope link src 192.168.100.156 metric 202
192.168.96.0/21 dev enp5s0u1 proto kernel scope link src 192.168.100.54 metric 600

enp5s0u1 wlp5s0 default wlan0.
Your company provides data analytics services to several large clients. A new client says that your company is required to sign a Business Associate Agreement (BAA) document before they will transfer any data to your company. You review the BAA and determine it is a legal contract between your company and the client. It lists the exact details of how your company will handle the client's data and specific security requirements. What regulation, which requires a Business Associate Agreement for some vendors, is the client following? HIPAA ISO 27001 PCI SOC.
You have successfully logged on to a Linux system. You now want to cover your tracks. Your login attempt may be logged in several files located in /var/log. Which file does NOT belong to the list? auth.log wtmp user.log btmp.
This proprietary information security standard's wireless guideline classifies CDEs (Cardholder Data Environments) into three scenarios depending on WLAN deployment. What standard is being mentioned? SOX ISO 27001 HIPAA PCI.
In IPv6, what is the major difference concerning application layer vulnerabilities compared to IPv4? Vulnerabilities in the application layer are greatly different from IPv4 Implementing IPv4 security in a dual-stack network offers protection from IPv6 attacks too. Due to the extensive security measures built in IPv6, application layer vulnerabilities need not be addressed Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.
OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server? openssl_client -connect www.website.com:443 openssl s_client -site www.website.com:443 openssl s_client -connect www.website.com:443 openssl_client -site www.website.com:443.
A hacker gained access to a database with logins and hashed passwords. To speed up the cracking of these passwords, the best method would be: Brute force Rainbow tables Collision Decryption.
The I.T. Helpdesk at XYZ Company has begun receiving several phone calls from concerned staff regarding a suspicious email they have received. One employee has forwarded a copy of the suspicious email to you for further investigation. Your manager is asking for immediate information to determine if this is a phishing attack. The email message looks like this: From: news@xyzcompany.com To: jdoe@xyzcompany.com Date: 4/10/17 2:35pm Subject: New corporate HR sign up today! Priority: High You want to quickly determine who sent this email message, so you look at the envelope headers and see this information: Received from unknown (209.85.213.50) by mail.xyzcompany.com id 2BqvU15YHBK; 10 Apr 2017 14:33:50 You perform a DNS query to determine more information about 209.85.213.50, but no record is found. What web site will allow you to quickly find out more information about 209.85.213.50, including the owner of the IP address? https://www.networksolutions.com/whois http://www.tucowsdomains.com/whois https://whois.arin.net https://www.godaddy.com/whois.
Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He has determined that the application is vulnerable to SQL injection and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing? NoSQL injection Error-based SQL injection Blind SQL injection Union-based SQL injection.
You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23. Which of the following IP addresses could be leased as a result of the new configuration? 10.1.4.156 10.1.4.254 10.1.5.200 10.1.255.200.
What is the way to decide how a packet will move from an untrusted outside host to a protected inside host that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall? Network sniffing Firewalking Man-in-the-middle attack Session hijacking.
By using a smart card and PIN, you are using a two-factor authentication that satisfies: Something you know and something you are Something you are and something you remember Something you have and something you are Something you have and something you know.
What is the role of test automation in security testing? It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely. Test automation is not usable in security due to the complexity of the tests It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies It is an option, but it tends to be very expensive.
Which TCP scanning method is unlikely to set off network IDS? TCP SYN scan TCP connect scan TCP ACK scan TCP FIN scan.
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing? System Hacking Footprinting Enumeration Scanning.
Which of the following is true regarding a PKI system? The CA encrypts all messages The CA is the recovery agent for lost certificates The RA issues all certificates The RA verifies an applicant to the system.
What is the difference between the AES and RSA algorithms? Both are asymmetric algorithms, but RSA uses 1024-bit keys. RSA is asymmetric, which is used to create a public/private key pair; AES is symmetric, which is used to encrypt data. AES is asymmetric, which is used to create a public/private key pair; RSA is symmetric, which is used to encrypt data. Both are symmetric algorithms, but AES uses 256-bit keys.
Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks the interesting and attractive content URL. 4. Attacker creates a transparent 'iframe' in front of the URL which the victim attempts to click, so the victim thinks that he/she clicks on the 'Do you want to make $1000 in a day?' URL but actually he/she clicks on the content or URL that exists in the transparent 'iframe' which is set up by the attacker. What is the name of the attack which is mentioned in the scenario? Session Fixation ClickJacking Attack HTTP Parameter Pollution HTML Injection.
What kind of detection technique is being used in antivirus software that identifies malware by collecting data from multiple protected systems and, instead of analyzing files locally, performs the analysis in the provider's environment? Heuristics based Behavioral based Honeypot based Cloud based.
The tools which receive event logs from servers, network equipment, and applications, and perform analysis and correlation on those logs, and can generate alarms for security relevant issues, are known as what? Vulnerability Scanner Intrusion Prevention Server Network Sniffer Security Incident and Event Monitoring.
A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer’s software and hardware without the owner’s permission. Their intention can either be to simply gain knowledge or to illegally make changes. Which of the following class of hacker refers to an individual who works both offensively and defensively at various times? Suicide Hacker White Hat Gray Hat Black Hat.
Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access? He needs to disable antivirus protection. He needs to gain physical access. He already has admin privileges, as shown by the "501" at the end of the SID He must perform privilege escalation.
During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called? Split DNS DynDNS DNSSEC DNS Scheme.
The "white box testing" methodology enforces what kind of restriction? Only the external operation of a system is accessible to the tester The internal operation of a system is only partly accessible to the tester Only the internal operation of a system is known to the tester. The internal operation of a system is completely known to the tester.
In which phase of the ethical hacking process can Google hacking be employed? This is a technique that involves manipulating a search string with specific operators to search for vulnerabilities. Example: allintitle: root passwd Gaining Access Maintaining Access Scanning and Enumeration Reconnaissance.
This tool is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. Which of the following tools is being described? wificracker Airguard WLAN-crack Aircrack-ng.
What is the known plaintext attack used against DES which gives the result that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single key? Traffic analysis attack Man-in-the-middle attack Replay attack Meet-in-the-middle attack.
Why is a penetration test considered to be more thorough than vulnerability scan? Vulnerability scans only do host discovery and port scanning by default A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation. The tools used by penetration testers tend to have much more comprehensive vulnerability databases. It is not - a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.
At 2:05 pm, your log monitoring tool sends an alert to the InfoSec team that a special account named dba_admin was just used. While investigating this alert, at 2:30 pm, your database administrator calls with information that a database extract of ten thousand records occurred around 2 pm. He says this is unusual because no data extract jobs were scheduled at that time. At 2:45 pm, your web proxy sends an alert to the InfoSec team that someone just tried to access the underground hacker site named Data4Sale.com. After consulting on the information available so far, the Manager of Information Security, the Director of Information Technology, and the Chief Information Security Officer declare an incident. During the Evidence Gathering and Handling phase of the incident response, what is the most important thing to do? Creating detailed notes about lessons learned from the incident. Recording what is discussed at every incident response meeting. Reviewing the evidence carefully to identify the attacking hosts Recording the date and time when evidence is gathered, and the location where the evidence is stored.
What attack is used to crack passwords by using a precomputed table of hashed passwords? Brute Force Attack Dictionary Attack Rainbow Table Attack Hybrid Attack.
You are logged in as a local admin on a Windows 7 system, and you need to launch the Computer Management Console from the command line. Which command would you use? c:\compmgmt.msc c:\ncpa.cpl c:\gpedit c:\services.msc.
Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for an IDS with the following characteristics: - Verifies success or failure of an attack - Monitors system activities - Detects attacks that a network-based IDS fails to detect - Near real-time detection and response - Does not require additional hardware - Lower entry cost Which type of IDS is best suited for Tremp's requirements? Open source-based IDS Network-based IDS Gateway-based IDS Host-based IDS.
This asymmetric cipher is based on factoring the product of two large prime numbers. What cipher is described above? RSA MD5 SHA RC5.
Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions. Which of the following tools is he most likely using? Nikto Nmap Metasploit Armitage.
You are doing an internal security audit and intend to find out what ports are open on all the servers. What is the best way to find out? Physically go to each server Scan servers with MBSA Scan servers with Nmap Telnet to every port on each server.
Using spoofed IP address to generate port responses during a scan while using a SYN flag is a technique related to: IDLE (side-channel) SYN XMAS FIN.
You are performing a web application penetration test for one of your clients. The app uses HTTPS exclusively. You configure your browser to use Burp Suite as a proxy but immediately receive a certificate error when attempting to visit the website. Which steps would you follow to remove this warning for all websites, and what would be the associated security risk? Add the Burp Suite certificate as a trusted root CA for your browser/OS. This would expose you to man-in-the-middle attacks from anyone possessing the same certificate. Configure your browser to ignore all SSL/TLS certificate warnings. This would make your HTTPS sessions vulnerable to ARP spoofing on the local LAN. Force your browser to connect over port 80. Data would be transmitted in cleartext, removing the need for certificates Start sslstrip and redirect port 443 to its listening port. This ensures that plaintext sessions are not upgraded to SSL/TLS.
Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens? The port will send a SYN The port will ignore the packets The port will send an RST The port will send an ACK.
You are an Ethical Hacker who is auditing the ABC company. When you verify the NOC, one of the machines has 2 connections: one wired and the other wireless. When you verify the configuration of this Windows system, you find two static routes:
route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
route add 0.0.0.0 mask 255.0.0.0 199.168.0.1
What is the main purpose of those static routes? The first static route indicates that the internal addresses are using the internal gateway, and the second static route indicates that all the traffic that is not internal must go to the external gateway Both static routes indicate that the traffic is external with different gateways The first static route indicates that the internal traffic will use an external gateway, and the second static route indicates that the traffic will be rerouted Both static routes indicate that the traffic is internal with different gateways.
Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, president, or managers. The time a hacker spends performing research to locate this information about a company is known as? Enumeration Reconnaissance Investigation Exploration.
Which utility will tell you in real time which ports are listening or in another state? Nmap TCPView Netstat Loki.
While scanning with Nmap, Patin found several hosts which have the IP ID of incremental sequences. He then decided to conduct: nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com. kiosk.adobe.com is the host with incremental IP ID sequence. What is the purpose of using "-sI" with Nmap? Conduct IDLE scan Conduct stealth scan Conduct silent scan Conduct ICMP scan.
Jim's company regularly performs backups of their critical servers. But the company cannot afford to send backup tapes to an off-site vendor for long-term storage and archiving. Instead, Jim's company keeps the backup tapes in a safe in the office. Jim's company is audited each year, and the results from this year's audit show a risk because backup tapes are not stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit? Encrypt the backup tapes and use a courier to transport them Encrypt the backup tapes and transport them in a lock box Degauss the backup tapes and transport them in a lock box. Hash the backup tapes and transport them in a lock box.
An LDAP directory can be used to store information similar to a SQL database. LDAP uses a _____ database structure instead of SQL's _____ structure. Because of this, LDAP has difficulty representing many-to-one relationships. Hierarchical, Relational Simple, Complex Strict, Abstract Relational, Hierarchical.
In both pharming and phishing attacks, an attacker can create websites that look similar to legitimate sites with the intent of collecting personally identifiable information from their victims. What is the difference between pharming and phishing attacks? In a phishing attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack, an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name In a pharming attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack, an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name Both pharming and phishing attacks are identical Both pharming and phishing attacks are purely technical and are not considered forms of social engineering.
Which protocol is used for setting up secure channels between two devices, typically in VPNs? PPP IPSEC PEM SET.
Some clients of TPNQM SA were redirected to a malicious site when they tried to access the TPNQM main site. Bob, a system administrator at TPNQM SA, found that they were victims of DNS Cache Poisoning. What should Bob recommend to deal with such a threat? The use of security agents in clients’ computers The use of DNSSEC The use of double-factor authentication Client awareness.
What type of analysis is performed when an attacker has partial knowledge of inner-workings of the application? Black-box Announced White-box Grey-box.
Security Policy is a definition of what it means to be secure for a system, organization or other entity. For Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy, and User Account Policy. What is the main theme of the sub-policies for Information Technologies? Availability, Non-repudiation, Confidentiality Authenticity, Integrity, Non-repudiation Confidentiality, Integrity, Availability. Authenticity, Confidentiality, Integrity.
Which of the following types of jailbreaking allows user-level access but does not allow iBoot-level access? Bootrom Exploit iBoot Exploit Sandbox Exploit Userland Exploit.
DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed. What command is used to determine if the entry is present in the DNS cache? nslookup -fullrecursive update.antivirus.com dnsnooping -rt update.antivirus.com nslookup -norecursive update.antivirus.com dns --snoop update.antivirus.com.
Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS? Produces less false positives Can identify unknown attacks Requires vendor updates for a new threat Cannot deal with encrypted network traffic.
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle attacks? Port security A Layer 2 Attack Prevention Protocol (LAPP) Dynamic ARP inspection (DAI) Spanning tree.
A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode? Libpcap Awinpcap Winprom Winpcap.
Which of the following steps of a risk assessment methodology refers to vulnerability identification? Determines if any flaws exist in systems, policies, or procedures Assigns values to risk probabilities; impact values. Determines the risk probability that a vulnerability will be exploited (High, Medium, Low) Identifies sources of harm to an IT system (Natural, Human, Environmental).
Based on the below log, which of the following sentences is true? Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip SSH communications are encrypted; it's impossible to know who is the client or the server Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the server.
In Wireshark, the packet bytes panes show the data of the current packet in which format? Decimal ASCII only Binary Hexadecimal.
Which of the following is the best countermeasure to encrypting ransomware? Use multiple antivirus softwares Keep some generation of off-line backup. Analyze the ransomware to get decryption key of encrypted data Pay a ransom.
What is the least important information when you analyze a public IP address in a security alert? ARP Whois DNS Geolocation.
What type of vulnerability/attack is it when the malicious person forces the user’s browser to send an authenticated request to a server? Cross-site request forgery Cross-site scripting Session hijacking Server side request forgery.
You are monitoring the network of your organization. You notice that: 1. There are huge outbound connections from your Internal Network to External IPs. 2. On further investigation, you see that the External IPs are blacklisted. 3. Some connections are accepted, and some are dropped. 4. You find that it is a CnC communication. Which of the following solutions will you suggest? A Block the Blacklist IPs @ Firewall B Update the Latest Signatures on your IDS/IPS C Clean the Malware which is trying to Communicate with the External Blacklist IPs D Both B and C.
What would you enter, if you wanted to perform a stealth scan using Nmap? nmap -sU nmap -sS nmap -sM nmap -sT.
The collection of potentially actionable, overt, and publicly available information is known as Open-source intelligence Human intelligence Social intelligence Real intelligence.
Which of the following is an adaptive SQL Injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output? Function Testing Dynamic Testing Static Testing Fuzzing Testing.
When performing a risk assessment, you need to determine the potential impact when some of the company's critical business processes are interrupted. What is the name of the process by which you can identify those critical business processes? Risk Mitigation Emergency Plan Response (EPR) Disaster Recovery Planning (DRP) Business Impact Analysis (BIA).
Which of the following act requires employer’s standard national numbers to identify them on standard transactions? SOX HIPAA DMCA PCI-DSS.
Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped working? Time Keeper NTP PPP OSPP.
What is the purpose of a demilitarized zone on a network? To scan all traffic coming through the DMZ to the internal network To only provide direct access to the nodes within the DMZ and protect the network behind it To provide a place to put the honeypot To contain the network devices you wish to protect.
Which of the following is considered as one of the most reliable forms of TCP scanning? TCP Connect/Full Open Scan Half-open Scan NULL Scan Xmas Scan.
Which of the following cryptography attacks is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture? Chosen-Ciphertext Attack Ciphertext-only Attack Timing Attack Rubber Hose Attack.
Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent a mail. What do you want to "know" to prove to yourself that it was Bob who had sent the mail? Authentication Confidentiality Integrity Non-Repudiation.
You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for. Which of the below scanning technique will you use? ACK flag scanning TCP Scanning IP Fragment Scanning Inverse TCP flag scanning.
You are a security officer of a company. You had an alert from IDS that indicates that one PC on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity of the situation. Which of the following is appropriate to analyze? Event logs on the PC Internet Firewall/Proxy log IDS log Event logs on domain controller.
In the field of cryptanalysis, what is meant by a “rubber-hose" attack? Attempting to decrypt cipher text by making logical assumptions about the contents of the original plain text. Extraction of cryptographic secrets through coercion or torture. Forcing the targeted key stream through a hardware-accelerated device such as an ASIC. A backdoor placed into a cryptographic algorithm by its creator.
A company's policy requires employees to perform file transfers using protocols which encrypt traffic. You suspect some employees are still performing file transfers using unencrypted protocols because the employees do not like changes. You have positioned a network sniffer to capture traffic from the laptops used by employees in the data ingest department. Using Wireshark to examine the captured traffic, which command can be used as a display filter to find unencrypted file transfers? tcp.port != 21 tcp.port = 23 tcp.port ==21 tcp.port ==21 || tcp.port ==22.
Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in the wired network to have Internet access. In the university campus, there are many Ethernet ports available for professors and authorized visitors but not for students. He identified this when the IDS alerted for malware activities in the network. What should Bob do to avoid this problem? Disable unused ports in the switches Separate students in a different VLAN Use the 802.1x protocol. Ask students to use the wireless network.
Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned. Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability? "GET /restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1 Host: westbank.com" "GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com" "GET /restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com" "GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com".
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS? nmap -A -Pn nmap -sP -p-65535 -T5 nmap -sT -O -T0 nmap -A --host-timeout 99 -T1.
You perform a scan of your company’s network and discover that TCP port 123 is open. What services by default run on TCP port 123? Telnet POP3 Network Time Protocol DNS.
You are working as a Security Analyst in a company XYZ that owns the whole subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the data, you find a high number of outbound connections. You see that IPs owned by XYZ (Internal) and private IPs are communicating to a Single Public IP. Therefore, the Internal IPs are sending data to the Public IP. After further analysis, you find out that this Public IP is a blacklisted IP, and the internal communicating devices are compromised. What kind of attack does the above scenario depict? Botnet Attack Spear Phishing Attack Advanced Persistent Threats Rootkit Attack.
What does the option * indicate? s t n a.
In which of the following cryptography attack methods, the attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions? Chosen-plaintext attack Ciphertext-only attack Adaptive chosen-plaintext attack Known-plaintext attack.
Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest way she can accomplish this with Nmap? Stealth is not a concern. nmap -sn -sF 10.1.0.0/16 445 nmap -p 445 -n -T4 --open 10.1.0.0/16 nmap -s 445 -sU -T5 10.1.0.0/16 nmap -p 445 --max -Pn 10.1.0.0/16.
If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --'; which type of SQL injection attack is the attacker performing? End of Line Comment UNION SQL Injection Illegal/Logically Incorrect Query Tautology.
Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in the systems, he uses a detection method where the anti-virus executes the malicious codes on a virtual machine to simulate CPU and memory activities. Which type of virus detection method did Chandler use in this context? Heuristic Analysis Code Emulation Integrity checking Scanning.
An attacker scans a host with the below command. Which three flags are set? (Choose three.) #nmap -sX host.domain.com This is ACK scan. ACK flag is set This is Xmas scan. SYN and ACK flags are set This is Xmas scan. URG, PUSH and FIN are set This is SYN scan. SYN flag is set.
An analyst is investigating proxy logs and found out that one of the internal users visited a website storing suspicious JavaScript files. After opening one of them, he noticed that the code is very hard to understand and that it differs from typical JavaScript. What is the name of this technique to hide the code and extend analysis time? Encryption Code encoding Obfuscation Steganography.
What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities? Host-Based Intrusion Detection System Security through obscurity Defense in depth Network-Based Intrusion Detection System.
Code injection is a form of attack in which a malicious user: Inserts text into a data field that gets interpreted as code Gets the server to execute arbitrary code using a buffer overflow Inserts additional code into the JavaScript running in the browser Gains access to the codebase on the server and inserts new code.
Your business has decided to add credit card numbers to the data it backs up to tape. Which of the following represents the best practice your business should observe?
- Hire a security consultant to provide direction.
- Do not back up either the credit card numbers or their hashes.
- Back up the hashes of the credit card numbers, not the actual credit card numbers.
- Encrypt backup tapes that are sent off-site.
An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush. What type of breach has the individual just performed?
- Announced
- Reverse Social Engineering
- Piggybacking
- Tailgating
Which of the following Secure Hashing Algorithms (SHA) produces a 160-bit digest from a message with a maximum length of (2^64 - 1) bits and resembles the MD5 algorithm?
- SHA-2
- SHA-3
- SHA-1
- SHA-0
Email is transmitted across the Internet using the Simple Mail Transfer Protocol (SMTP). SMTP does not encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?
- OPPORTUNISTICTLS
- FORCETLS
- UPGRADETLS
- STARTTLS
Steve, a scientist who works in a governmental security agency, developed a technological solution to identify people based on walking patterns and implemented this approach in a physical access control. A camera captures people walking and identifies the individuals using Steve's approach. After that, people must bring their RFID badges close to the reader. Both identifications are required to open the door. In this case, we can say:
- Although the approach has two phases, it actually implements just one authentication factor
- The solution implements the two authentication factors: physical object and physical characteristic
- The solution will have a high level of false positives
- Biological motion cannot be used to identify people
Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?
- -T0
- -T5
- -O
- -A
Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access just to the servers/ports which can have direct Internet access, and blocks access to workstations. Bob also concluded that a DMZ makes sense just when a stateful firewall is available, which is not the case at TPNQM SA. In this context, what can you say?
- Bob can be right since DMZ does not make sense when combined with stateless firewalls
- Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one by one
- Bob is totally wrong. DMZ is always relevant when the company has Internet servers and workstations
- Bob is partially right. DMZ does not make sense when a stateless firewall is available
The network team has well-established procedures to follow for creating new rules on the firewall. This includes having approval from a manager prior to implementing any new rules. While reviewing the firewall configuration, you notice a recently implemented rule but cannot locate manager approval for it. What would be a good step to have in the procedures for a situation like this?
- Have the network team document the reason why the rule was implemented without prior manager approval.
- Monitor all traffic using the firewall rule until a manager can approve it
- Do not roll back the firewall rule as the business may be relying upon it, but try to get manager approval as soon as possible.
- Immediately roll back the firewall rule until a manager can approve it.
A hacker named Jack is trying to compromise a bank's computer system. He needs to know the operating system of that computer to launch further attacks. What process would help him?
- Banner Grabbing
- IDLE/IPID Scanning
- SSDP Scanning
- UDP Scanning
Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out of the target network based on a pre-defined set of rules. Which of the following types of firewalls can protect against SQL injection attacks?
- Data-driven firewall
- Stateful firewall
- Packet firewall
- Web application firewall
Darius is analysing logs from an IDS. He wants to understand what triggered one alert and verify whether it is a true positive or a false positive. Looking at the logs, he copies and pastes basic details like below:
source IP: 192.168.21.100
source port: 80
destination IP: 192.168.10.23
destination port: 63221
What is the most proper answer?
- This is most probably true negative.
- This is most probably true positive which triggered on secure communication between client and server.
- This is most probably false-positive, because an alert triggered on reversed traffic.
- This is most probably false-positive because IDS is monitoring one direction traffic.
When tuning security alerts, what is the best approach?
- Tune to avoid False Positives and False Negatives
- Raise False Positives
- Raise False Negatives
- Decrease the False Positives
- Decrease False Negatives
Bob finished a C programming course and created a small C application to monitor the network traffic and produce alerts when any origin sends "many" IP packets, based on the average number of packets sent by all origins and using some thresholds. In concept, the solution developed by Bob is actually:
- Just a network monitoring tool
- A signature-based IDS
- A hybrid IDS
- A behavior-based IDS
Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the packets?
- Internet Key Exchange (IKE)
- Oakley
- IPsec Policy Agent
- IPsec driver
Nedved is an IT Security Manager of a bank in his country. One day, he found out that there is a security breach on his company's email server, based on analysis of a suspicious connection from the email server to an unknown IP address. What is the first thing that Nedved needs to do before contacting the incident response team?
- Leave it as it is and contact the incident response team right away
- Block the connection to the suspicious IP address from the firewall
- Disconnect the email server from the network
- Migrate the connection to the backup email server
Company XYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of Company XYZ. The employee of Company XYZ is aware of your test. Your email message looks like this:
From: jim_miller@companyxyz.com
To: michelle_saunders@companyxyz.com
Subject: Test message
Date: 4/3/2017 14:37
The employee of Company XYZ receives your email message. This proves that Company XYZ's email gateway doesn't prevent what?
- Email Phishing
- Email Masquerading
- Email Spoofing
- Email Harvesting
A virus that attempts to install itself inside the file it is infecting is called?
- Tunneling virus
- Cavity virus
- Polymorphic virus
- Stealth virus
Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?
- Omnidirectional antenna
- Dipole antenna
- Yagi antenna
- Parabolic grid antenna
An attacker, using a rogue wireless AP, performed an MITM attack and injected HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools did the hacker probably use to inject the HTML code?
- Wireshark
- Ettercap
- Aircrack-ng
- Tcpdump
Vlady works in a fishing company where the majority of the employees have very little understanding of IT, let alone IT security. Several information security issues that Vlady often found include employees sharing passwords, writing their passwords on a post-it note and sticking it to their desk, leaving the computer unlocked, not logging out of email or other social media accounts, etc. After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as passwords, secret and not sharing it with other persons. Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand the importance of keeping confidential information a secret?
- Warning those who write passwords on a post-it note and put it on their desk.
- Developing a strict information security policy
- Information security awareness training
- Conducting a one-to-one discussion with the other employees about the importance of information security
Which one of the following Google advanced search operators allows an attacker to restrict the results to those websites in the given domain?
- [cache:]
- [site:]
- [inurl:]
- [link:]
Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication.
- 123
- 161
- 69
- 113
Which of the following provides a security professional with the most information about the system's security posture?
- Wardriving, warchalking, social engineering
- Social engineering, company site browsing, tailgating
- Phishing, spamming, sending trojans
- Port scanning, banner grabbing, service identification
Identify the web application attack where the attackers exploit vulnerabilities in dynamically generated web pages to inject client-side script into web pages viewed by other users.
- SQL injection attack
- Cross-Site Scripting (XSS)
- LDAP Injection attack
- Cross-Site Request Forgery (CSRF)
Sam is working as a pen-tester in an organization in Houston. He performs penetration testing on an IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends a large amount of packets to the target IDS that generate alerts, which enables Sam to hide the real traffic. What type of method is Sam using to evade the IDS?
- Denial-of-Service
- False Positive Generation
- Insertion Attack
- Obfuscating
What is the minimum number of network connections in a multi-homed firewall?
- 3
- 5
- 4
- 2
How is the public key distributed in an orderly, controlled fashion so that the users can be sure of the sender's identity?
- Hash value
- Private key
- Digital signature
- Digital certificate
Why should the security analyst disable/remove unnecessary ISAPI filters?
- To defend against social engineering attacks
- To defend against webserver attacks
- To defend against jailbreaking
- To defend against wireless attacks
If you want to scan only fewer ports than the default scan using the Nmap tool, which option would you use?
- -sP
- -P
- -r
- -F
You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?
- All three servers need to be placed internally
- A web server facing the Internet, an application server on the internal network, a database server on the internal network.
- A web server and the database server facing the Internet, an application server on the internal network
- All three servers need to face the Internet so that they can communicate between themselves
Which of the following scanning methods splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?
- ICMP Echo scanning
- SYN/FIN scanning using IP fragments
- ACK flag probe scanning
- IPID scanning
When conducting a penetration test, it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network. Which of the following cannot be performed by passive network sniffing?
- Identifying operating systems, services, protocols and devices
- Modifying and replaying captured network traffic
- Collecting unencrypted information about usernames and passwords
- Capturing network traffic for further analysis
You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity. What tool would you most likely select?
- Nmap
- Cain & Abel
- Nessus
- Snort
What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?
- Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
- Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.
- Symmetric encryption allows the server to securely transmit the session keys out-of-band.
- Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
What is the main security service a cryptographic hash provides?
- Integrity and ease of computation
- Message authentication and collision resistance
- Integrity and collision resistance
- Integrity and computational infeasibility
From the following table, identify the wrong answer in terms of Range (ft).
- 802.11b
- 802.11g
- 802.16 (WiMax)
- 802.11a
Which is the first step followed by Vulnerability Scanners for scanning a network?
- TCP/UDP Port scanning
- Firewall detection
- OS Detection
- Checking if the remote host is alive
During the process of encryption and decryption, what keys are shared?
- Private keys
- User passwords
- Public keys
- Public and private keys
When a security analyst prepares for the formal security assessment, which of the following should be done in order to determine inconsistencies in the secure assets database and verify that the system is compliant with the minimum security baseline?
- Data items and vulnerability scanning
- Interviewing employees and network engineers
- Reviewing the firewalls configuration
- Source code review
Assume a business-crucial web-site of some company that is used to sell handsets to customers worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the web-site developers decided to add some 3rd party marketing tools to it. The tools are written in JavaScript and can track the customer's activity on the site. These tools are located on the servers of the marketing company. What is the main security risk associated with this scenario?
- External script contents could be maliciously modified without the security team's knowledge.
- External scripts have direct access to the company servers and can steal the data from there
- There is no risk at all as the marketing services are trustworthy
- External scripts increase the outbound company data traffic, which leads to greater financial losses
Which of the following programs infects the system boot sector and the executable files at the same time?
- Stealth virus
- Polymorphic virus
- Macro virus
- Multipartite Virus
The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of control objectives. Each objective contains one or more requirements, which must be followed in order to achieve compliance. Which of the following requirements would best fit under the objective, "Implement strong access control measures"?
- Regularly test security systems and processes.
- Encrypt transmission of cardholder data across open, public networks.
- Assign a unique ID to each person with computer access.
- Use and regularly update anti-virus software on all systems commonly affected by malware.
Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the following attack scenarios will compromise the privacy of her data?
- None of these scenarios compromise the privacy of Alice's data
- Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew's attempt to access the stored data
- Hacker Harry breaks into the cloud server and steals the encrypted data
- Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before
These hackers have limited or no training and know how to use only basic techniques or tools. What kind of hackers are we talking about?
- Black-Hat Hackers
- Script Kiddies
- White-Hat Hackers
- Gray-Hat Hackers
Why are containers less secure than virtual machines?
- The host OS on containers has a larger attack surface.
- Containers may fill up the disk space of the host.
- A compromised container may cause CPU starvation of the host.
- Containers are attached to the same virtual network.
The security administrator of ABC needs to permit Internet traffic to the host 10.0.0.2 and UDP traffic to the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration on the router, nobody can access FTP, and the permitted hosts cannot access the Internet. According to the next configuration, what is happening in the network?
- The ACL 104 needs to be first because it is UDP
- The ACL 110 needs to be changed to port 80
- The ACL for FTP must be before the ACL 110
- The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer's software and hardware without the owner's permission. Their intention can either be to simply gain knowledge or to illegally make changes. Which of the following classes of hacker refers to an individual who works both offensively and defensively at various times?
- Suicide Hacker
- Black Hat
- White Hat
- Gray Hat
Which of the following attacks exploits web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend?
- Command Injection Attacks
- File Injection Attack
- Cross-Site Request Forgery (CSRF)
- Hidden Field Manipulation Attack
What does the -oX flag do in an Nmap scan?
- Perform an express scan
- Output the results in truncated format to the screen
- Perform an Xmas scan
- Output the results in XML format to a file
In which of the following password protection techniques are random strings of characters added to the password before calculating its hash?
- Keyed Hashing
- Key Stretching
- Salting
- Double Hashing
Cross-site request forgery involves:
- A request sent by a malicious user from a browser to a server
- Modification of a request by a proxy between client and server
- A browser making a request to a server without the user's knowledge
- A server making a request to another server without the user's knowledge
Which of the following DoS tools is used to attack target web applications by starvation of available sessions on the web server? The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.
- MyDoom
- Stacheldraht
- R-U-Dead-Yet? (RUDY)
- LOIC
You are the Network Admin, and you get a complaint that some of the websites are no longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP address into the browser, and find it to be accessible. But they are not accessible when you try using the URL. What may be the problem?
- Traffic is Blocked on UDP Port 53
- Traffic is Blocked on UDP Port 80
- Traffic is Blocked on UDP Port 54
- Traffic is Blocked on UDP Port 80
Darius is analysing IDS logs. During the investigation, he noticed that there was nothing suspicious found and an alert was triggered on normal web application traffic. He can mark this alert as:
- False-Negative
- False-Positive
- True-Positive
- False-Signature
Developers at your company are creating a web application which will be available for use by anyone on the Internet. The developers have taken the approach of implementing a Three-Tier Architecture for the web application. The developers are now asking you which network the Presentation Tier (front-end web server) should be placed in?
- Isolated VLAN network
- Mesh network
- DMZ network
- Internal network
Which of the following Bluetooth hacking techniques does an attacker use to send messages to users without the recipient's consent, similar to email spamming?
- Bluesmacking
- Bluesniffing
- Bluesnarfing
- Bluejacking
You are looking for a SQL injection vulnerability by sending a special character to web applications. Which of the following is the most useful for quick validation?
- Double quotation
- Backslash
- Semicolon
- Single quotation
Which of the following statements is TRUE?
- Sniffers operate on Layer 2 of the OSI model
- Sniffers operate on Layer 3 of the OSI model
- Sniffers operate on both Layer 2 & Layer 3 of the OSI model
- Sniffers operate on Layer 1 of the OSI model
Which of the below hashing functions are not recommended for use?
- SHA-1, ECC
- MD5, SHA-1
- SHA-2, SHA-3
- MD5, SHA-5