1.
Which port is used by Kerberos by default?
Correct Answer
D. Kerberos makes use of port 88
Explanation
Kerberos is a network authentication protocol that uses port 88 by default. This port is specifically assigned for Kerberos services, allowing clients and servers to communicate and authenticate each other securely. Port 88 is commonly used in Windows Active Directory environments and is essential for the functioning of Kerberos-based authentication systems.
2.
You run Nmap against a server on the Certkiller.com network. You discover more open ports than you anticipated. What should you do?
Correct Answer
B. Your first step should be to examine the process using the ports.
Explanation
The correct answer is to examine the process using the ports. This is the most logical and effective step to take when faced with unexpected open ports. By examining the process using the ports, you can determine if any unauthorized or malicious activity is taking place. This will help you identify and address any potential security vulnerabilities or threats.
3.
Identify the port that permits a user to log in remotely to a computer.
Correct Answer
A. Port 3389
Explanation
Port 3389 is the correct answer because it is the default port used by Microsoft's Remote Desktop Protocol (RDP), which allows users to connect to a computer remotely and login. RDP is commonly used for remote administration and accessing files or applications on a remote computer.
4.
Identify the ports utilized by e-mail users? (Choose TWO)
Correct Answer(s)
A. You should identify port 143
C. You should identify port 110
Explanation
The correct answer is to identify port 143 and port 110. Port 143 is used for the Internet Message Access Protocol (IMAP), which allows users to access their email on a remote mail server. Port 110 is used for the Post Office Protocol (POP3), which is another protocol for retrieving email from a remote server.
5.
Which of the following occurs when a string of data is sent to a buffer that is larger than the buffer was designed to handle?
Correct Answer
C. Buffer overflow
Explanation
Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135
6.
Which of the following attacks exploits the session initiation between the Transport Control Program (TCP) client and server in a network?
Correct Answer
B. SYN Attack
Explanation
SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established. In a variant of the SYN flood, the hacker sends a SYN packet to the receiving station with a spoofed return address of some broadcast address on its network. The receiving station sends out these SYN packets (pings the broadcast address), which causes multiple servers or stations to respond to the ping, thus overloading the originator of the ping (the receiving station). Therefore, the hacker may send only one SYN packet, whereas the network of the attacked station is actually what produces the barrage of return packets and overloads the receiving station.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530
7.
Which of the following attacks uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer?
Correct Answer
C. Ping of death attack
Explanation
The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this.
Note: packets that are bigger than the MTU, the maximum size the underlying layer can handle, are fragmented into smaller packets, which are then reassembled by the receiver. For Ethernet-style devices, the MTU is typically 1500.
Incorrect answers:
A: A man in the middle attack allows a third party to intercept and replace components of the data stream.
B: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim.
D: In a TCP SYN attack a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.
8.
Which of the following determines which operating system is installed on a system by analyzing its response to certain network traffic?
Correct Answer
C. Fingerprinting
Explanation
Fingerprinting is the act of inspecting the information returned from a server. One method is ICMP message quoting, where the ICMP implementation quotes back part of the original message with every ICMP error message. Each operating system quotes a definite amount of the message in its ICMP error messages. The peculiarities in the error messages received from various types of operating systems help us identify the remote host's OS.
9.
Malicious port scanning determines the _______.
Correct Answer
B. Fingerprint of the operating system
Explanation
Malicious port scanning is an attempt to find an unused port that the system won't acknowledge. Several programs now can use port scanning for advanced host detection and operating system fingerprinting. With knowledge of the operating system, the hacker can look up known vulnerabilities and exploits for that particular system.
10.
Which of the following fingerprinting techniques exploits the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?
Correct Answer
D. ICMP (Internet Control Message Protocol) message quoting
Explanation
ICMP message quoting: the ICMP implementation quotes back part of the original message with every ICMP error message. Each operating system quotes a definite amount of the message in its ICMP error messages. The peculiarities in the error messages received from various types of operating systems help us identify the remote host's OS.
11.
Which of the following type of attacks exploits poor programming techniques and lack of code review?
Correct Answer
C. Buffer overflow
Explanation
Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system. This exploitation is usually a result of a programming error in the development of the software.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135
12.
Which of the following network attacks misuses TCP's (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users?
Correct Answer
D. SYN (Synchronize)
Explanation
SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530
13.
Which of the following is most common method of accomplishing DDoS (Distributed Denial of Service) attacks?
Correct Answer
C. Multiple servers or routers monopolizing and overwhelming the bandwidth of a particular server or router.
Explanation
A distributed denial of service attack takes place from within, and is usually the doing of a disgruntled worker. They set up zombie software that takes over numerous servers and routers within the network to overwhelm the system's bandwidth. A and B are incorrect because a DDoS doesn't fail or shut down the servers; it merely compromises them.
14.
Which of the following is a DoS (Denial of Service) attack that exploits TCP's (Transmission Control Protocol) three-way handshake for new connections?
Correct Answer
A. SYN (Synchronize) flood.
Explanation
The SYN flood attack works when a source system floods an end system with TCP SYN requests, but intentionally does not send out acknowledgements (ACK). Since TCP needs confirmation, the receiving computer is stuck with half-open TCP sessions, just waiting for acknowledgement so it can reset the port. Meanwhile the connection buffer is being overflowed, making it difficult or impossible for valid users to connect; therefore their service is denied.
15.
Which of the following is a DoS exploit that sends more traffic to a node than anticipated?
Correct Answer
B. Buffer Overflow
Explanation
Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135
16.
Which of the following is a security breach that does not usually result in the theft of information or other security loss but the lack of legitimate use of that system?
Correct Answer
B. DoS
Explanation
DoS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 53
17.
Loki, NetCaZ, Masters Paradise and NetBus are examples of what type of attack?
Correct Answer
D. Back door
Explanation
Since backdoors are publicly marketed/distributed software applications, they are characterized by having a trade name.
18.
What is usually the goal of TCP (Transmission Control Protocol) session hijacking?
Correct Answer
A. Taking over a legitimate TCP (Transmission Control Protocol) connection.
Explanation
The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets, thus hijacking the conversation, continuing it under the disguise of the legitimate party, and taking advantage of the trust bond.
19.
Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?
Correct Answer
A. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets.
Explanation
A detailed description of how to hijack a TCP/IP session can be found at: http://staff.washington.edu/dittrich/talks/qsm-sec/script.html
20.
What characteristic of TCP/IP (Transmission Control Protocol/Internet Protocol) does TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking exploit?
Correct Answer
B. The fact that TCP/IP (Transmission Control Protocol/Internet Protocol) allows a packet to be spoofed and inserted into a stream, thereby enabling commands to be executed on the remote host
Explanation
TCP/IP's connection-oriented nature, and its lack of built-in security, make it easy to hijack a session by spoofing.
21.
Which of the following attacks can be mitigated against by implementing the following ingress/egress traffic filtering?
* Any packet coming into the network must not have a source address of the internal network.
* Any packet coming into the network must have a destination address from the internal network.
* Any packet leaving the network must have a source address from the internal network.
* Any packet leaving the network must not have a destination address from the internal networks.
* Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC 1918 reserved space.
Correct Answer
B. Spoofing
Explanation
By having strict addressing filters, an administrator prevents a spoofed address from gaining access.
22.
In which of the following attacks does the attacker pretend to be a legitimate user?
Correct Answer
B. Spoofing
Explanation
A spoofing attack is simply an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56
23.
Which of the attacks can involve the misdirection of the domain name resolution and Internet traffic?
Correct Answer
B. Spoofing
Explanation
A spoofing attack is simply an attempt by someone or something to masquerade as someone else.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56
24.
In an IP (Internet Protocol) spoofing attack, what field of an IP (Internet Protocol) packet does the attacker manipulate?
Correct Answer
B. The source address field.
Explanation
In IP Spoofing a hacker tries to gain access to a network by pretending his or her machine has the same network address as the internal network.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 515
25.
You are the network administrator at Certkiller.com. You discover that your domain name server is resolving the domain name to the wrong IP (Internet Protocol) address and thus misdirecting Internet traffic. You suspect a malicious attack. Which of the following would you suspect?
Correct Answer
C. Spoofing
Explanation
Spoofing is when you forge the source address of traffic so that it appears to come from somewhere else, preferably somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a legitimate website or a portion of the World Wide Web, so that when someone enters a site that they think is safe, they end up communicating directly with the hacker. To avoid this you should rely on certificates and IPSEC, and set up a filter to block Internet traffic with an internal network address.
26.
What is the process of forging an IP (Internet Protocol) address to impersonate another machine called?
Correct Answer
B. IP (Internet Protocol) spoofing
Explanation
The word spoofing was popularized in the Air Force. When a fighter jet notices an enemy missile (air-to-air or surface-to-air) coming, the pilot will fire off a flare or chaff (depending on whether the missile is heat seeking or radar guided) to spoof (trick) the missile into going after the wrong target. IP spoofing works the same way, and is commonly used by computer hackers because it's easy to implement, it takes advantage of someone else's trust relationship, it makes it harder to identify the true source of the attack, and it focuses attention on an innocent third party.
27.
You are the security administrator at Certkiller.com. You detect intruders accessing your internal network. The source IP (Internet Protocol) addresses originate from trusted networks. What type of attack are you experiencing?
Correct Answer
D. Spoofing
Explanation
Spoofing is the process of trying to deceive, or to spoof, someone into believing that a source address is coming from somewhere else.
Incorrect answers:
A: Social engineering deals with the human aspect of gaining access and passwords.
B: TCP/IP hijacking requires an existing session.
C: Smurfing is a genuine kind of DoS attack that does involve spoofing; however, it doesn't match the description above.
28.
What is an attack whereby two different messages using the same hash function produce a common message digest known as?
Correct Answer
C. Birthday attack.
Explanation
A birthday attack is based on the principle that among 23 people, the probability of two of them having the same birthday is greater than 50%. By that rationale, if an attacker examines the hashes of an entire organization's passwords, they'll come up with some common denominators.
29.
Which of the following can be deterred against by increasing the keyspace and complexity of a password?
Correct Answer
B. Brute force
Explanation
Increasing the keyspace and complexity of a password can deter against brute force attacks. Brute force attacks involve trying all possible combinations of characters until the correct password is found. By increasing the keyspace (the range of characters that can be used in the password) and complexity (the length and variety of characters used), it becomes exponentially more difficult and time-consuming for an attacker to guess the correct password through brute force methods.
30.
Which type of attack can easily break a user's password if the user uses simple and meaningful things such as pet names or birthdays for their passwords?
Correct Answer
D. Dictionary attack
Explanation
A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 58
31.
What should the minimum length of a password be to deter dictionary password cracks?
Correct Answer
B. 8 characters
Explanation
A password should be at least 8 characters long to deter dictionary password cracks. A longer password provides more combinations, making it harder for hackers to guess or crack the password using automated tools that rely on dictionary words or common combinations. Therefore, an 8-character minimum length helps to enhance the security of the password and protect against dictionary attacks.
32.
In which of the following does someone use an application to capture and manipulate packets as they are passing through your network?
Correct Answer
C. Man in the Middle
Explanation
The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way compromising the security of your system.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 57
33.
Which of the following is the best defense against a man in the middle attack?
Correct Answer
C. PKI (Public Key Infrastructure)
Explanation
PKI is a two-key system. Messages are encrypted with a public key. Messages are decrypted with a private key. If you want to send an encrypted message to someone, you would request their public key. You would encrypt the message using their public key and send it to them. They would then use their private key to decrypt the message.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 331
34.
Which of the following is the best defense against man in the middle attacks?
Correct Answer
B. Strong encryption
Explanation
Strong encryption is the best defense against man-in-the-middle attacks because it ensures that the data being transmitted between two parties is encrypted and cannot be intercepted or modified by an attacker. Encryption converts the data into a secure format that can only be decrypted by the intended recipient, making it extremely difficult for an attacker to access or manipulate the information. Firewalls, strong passwords, and strong authentication can provide additional layers of security, but they do not directly address the issue of intercepting and tampering with data in transit like strong encryption does.
35.
You are the security administrator at Certkiller.com. All Certkiller users have a token and a 4-digit personal identification number (PIN) that are used to access their computer systems. The token performs off-line checking for the correct PIN. To which of the following types of attack is Certkiller vulnerable?
Correct Answer
C. Brute force
Explanation
Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of the PIN, the cracker can keep trying PINs until it is cracked.
36.
What is an attack in which the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets, called?
Correct Answer
B. Smurf attack
Explanation
A Smurf attack is a type of denial of service (DOS) attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet to make it appear as if it originated from the victim's system. The attacker then sends a large number of these packets to a network's broadcast address, causing all devices on the network to respond with ICMP REPLY packets to the victim's system. This flood of REPLY packets overwhelms the victim's system, resulting in a denial of service.
37.
Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest?
Correct Answer
C. Birthday attack
Explanation
A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker finds an instance of a collision, he has more information to use when trying to break the cryptographic methods used. A complex way of attacking a one-way hash function is called the birthday attack. If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process could take him years. However, if he just wants to find any two messages with the same hashing value, it could take him only a couple hours.
38.
Which of the following attacks attempts to crack passwords
Correct Answer
B. Dictionary
Explanation
Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.
39.
As the security administrator you monitor traces from the IDS and detect the following data:
Date   Time  Source IP       Destination IP  Port  Type
10/21  0845  192.168.155.28  10.1.20.1       20    SYN
10/21  0850  192.168.155.28  10.1.20.1       21    SYN
10/21  0900  192.168.155.28  10.1.20.1       23    SYN
10/21  0910  192.168.155.28  10.1.20.1       25    SYN
You need to determine what will occur.
Correct Answer
B. Port scanning will occur.
Explanation
The given traces indicate that the source IP address (192.168.155.28) is sending SYN packets to the destination IP address (10.1.20.1) on different ports (20, 21, 23, 25). This behavior suggests that the source IP is scanning the destination IP for open ports. Port scanning is a common technique used by attackers to identify potential vulnerabilities in a system. Therefore, the correct answer is that port scanning will occur.
40.
Identify the attack that targets a web server when numerous computers send a large number of FIN packets at the same time with spoofed source IP addresses.
Correct Answer
B. This attack is known as DDoS
41.
You implement IDS on the Certkiller.com network. You discover traffic from an internal host IP address accessing internal network resources from the Internet. What is causing this?
Correct Answer
A. This occurred since a user without permission is spoofing internal IP addresses.
Explanation
The correct answer is that this occurred since a user without permission is spoofing internal IP addresses. This means that someone is pretending to have an internal IP address in order to access internal network resources from the Internet. This is a security concern as it indicates unauthorized access and potential malicious activity.
42.
Identify the method of password guessing that needs the longest attack time.
Correct Answer
A. Brute force needs the longest attack time.
Explanation
Brute force is a method of password guessing where every possible combination of characters is tried until the correct password is found. This method requires the longest attack time because it systematically tries every possible option, which can be time-consuming, especially for longer and more complex passwords. Dictionary attacks, rainbow attacks, and birthday attacks are all more efficient methods that exploit weaknesses in password systems, such as common or easily guessable passwords, precomputed tables, or hash collisions, respectively.
43.
Identify the attack that consists of a PC sending PING packets with the destination address set to the broadcast address and the source address set to the target PC's IP address.
Correct Answer
A. You should identify a Smurf attack.
Explanation
A Smurf attack is a type of DDoS attack where an attacker sends a large number of ICMP ping requests (PING packets) with the source IP address set to the target PC's IP address and the destination IP address set to the broadcast address. This causes all the devices on the network to respond to the ping requests, overwhelming the target PC with an excessive amount of traffic and potentially causing it to crash or become unavailable.
44.
Identify a common exploitation of Internet-exposed network services.
Correct Answer
D. Buffer overflows are a common exploitation.
45.
What results in poor programming techniques and lack of code review?
Correct Answer
A. It can result in the Buffer overflow attack.
Explanation
Poor programming techniques and lack of code review can result in a buffer overflow attack. This type of attack occurs when a program writes data outside the allocated memory buffer, causing the program to crash or allowing an attacker to execute malicious code. Inadequate programming practices and the absence of code review can lead to vulnerabilities in the code, making it easier for attackers to exploit and carry out buffer overflow attacks.
46.
Identify a port scanning tool.
Correct Answer
A. Nmap is a port scanning tool.
Explanation
Nmap is a well-known and widely used port scanning tool. It is designed to scan networks and discover open ports on remote systems. Nmap provides a comprehensive set of features and options that allow users to perform various types of scans, such as TCP, UDP, SYN, and more. It also offers advanced techniques like OS fingerprinting and version detection. Nmap is highly flexible and can be used for both legitimate network administration tasks and malicious activities, making it a popular choice among both security professionals and hackers.
47.
How can you determine whether the workstations on the internal network are functioning as zombies participating in external DDoS attacks?
Correct Answer
D. You should use Firewall logs to confirm the suspicion.
Explanation
The correct answer is to use Firewall logs to confirm the suspicion. Firewall logs can provide information about the network traffic and connections that are being allowed or blocked by the firewall. By analyzing these logs, you can identify any suspicious or abnormal traffic patterns that may indicate the presence of zombies participating in external DDoS attacks. This can help you determine whether the workstations on the internal network are functioning as zombies.
48.
You configure a computer to act as a zombie, set to attack a web server on a specific date. What would this contaminated computer be part of?
Correct Answer
A. The computer is part of a DDoS attack.
Explanation
The computer is part of a DDoS attack, where multiple compromised computers are used to overwhelm a target server or network with a flood of internet traffic, causing it to become unavailable to legitimate users.
49.
What is used in a distributed denial of service (DDoS) attack?
Correct Answer
A. DDoS makes use of a botnet.
Explanation
A distributed denial of service (DDoS) attack utilizes a botnet. A botnet is a network of compromised computers or devices that are under the control of a malicious actor. These compromised devices, also known as bots, are used to flood a target system or network with an overwhelming amount of traffic, rendering it inaccessible to legitimate users. By using a botnet, the attacker can amplify the impact of the attack by coordinating multiple sources of traffic simultaneously.
50.
Identify the attack whose purpose is to stop a workstation or service from functioning.
Correct Answer
C. This attack is known as denial of service (DoS).
Explanation
A denial of service (DoS) attack is a type of attack whose purpose is to stop a workstation or service from functioning. In a DoS attack, the attacker overwhelms the target system with a flood of illegitimate requests or excessive traffic, causing the system to become unresponsive or crash. This prevents legitimate users from accessing the system or service. The goal of this attack is to disrupt the availability of the targeted resource rather than to gain unauthorized access or steal information.