Network Programming Quiz Questions

1. You have been hired by Bob's Burgers to scan its network for vulnerabilities. They would like you to perform a system-level scan. Which of the following programs should you use?

N-Stealth

SARA

Flawfinder

Whisker

SARA is the most suitable program for performing a system-level scan. SARA stands for Security Auditor's Research Assistant and it is designed specifically for network vulnerability assessment. It scans the network and identifies potential vulnerabilities in the system. N-Stealth is a web server security assessment tool, Flawfinder is a static analysis tool for C/C++ code, and Whisker is a web application vulnerability scanner. While these tools may be useful for specific purposes, SARA is the best choice for a system-level scan.

Explanation

SARA is the most suitable program for performing a system-level scan. SARA stands for Security Auditor's Research Assistant and it is designed specifically for network vulnerability assessment. It scans the network and identifies potential vulnerabilities in the system. N-Stealth is a web server security assessment tool, Flawfinder is a static analysis tool for C/C++ code, and Whisker is a web application vulnerability scanner. While these tools may be useful for specific purposes, SARA is the best choice for a system-level scan.

2. You have been able to get a Terminal window open on a remote Linux host. You now need to use a command-line web browser to download a privilege-escalation tool. Which of the following will work?

TFTP

Lynx

Explorer

Firefox

Lynx is a command-line web browser that can be used to download files from the internet. Since you need to download a privilege-escalation tool, Lynx is the most suitable option among the given choices. TFTP is a file transfer protocol, not a web browser. Explorer and Firefox are graphical web browsers and cannot be used in a Terminal window.

Explanation

Lynx is a command-line web browser that can be used to download files from the internet. Since you need to download a privilege-escalation tool, Lynx is the most suitable option among the given choices. TFTP is a file transfer protocol, not a web browser. Explorer and Firefox are graphical web browsers and cannot be used in a Terminal window.

3. Which of the following is a tool used to find DDoS programs?

DDOSPing

Shaft

Trinoo

MStream

DDOSPing is a tool used to find DDoS programs. It is specifically designed to test the vulnerability of a network or website to distributed denial of service (DDoS) attacks. By simulating a DDoS attack, DDOSPing can help identify weaknesses in the network's defenses and assist in developing appropriate countermeasures. This tool is commonly used by network administrators and security professionals to proactively protect their systems from potential DDoS attacks.

Explanation

DDOSPing is a tool used to find DDoS programs. It is specifically designed to test the vulnerability of a network or website to distributed denial of service (DDoS) attacks. By simulating a DDoS attack, DDOSPing can help identify weaknesses in the network's defenses and assist in developing appropriate countermeasures. This tool is commonly used by network administrators and security professionals to proactively protect their systems from potential DDoS attacks.

4. Which of the following is not a valid Linux user group?

Guests

Normal Users

System Users

Super Users

The given options consist of different types of Linux user groups. Guests is not a valid Linux user group because it is not a commonly recognized type of user group in Linux systems. The other options, Normal Users, System Users, and Super Users, are valid and commonly used user groups in Linux.

Explanation

The given options consist of different types of Linux user groups. Guests is not a valid Linux user group because it is not a commonly recognized type of user group in Linux systems. The other options, Normal Users, System Users, and Super Users, are valid and commonly used user groups in Linux.

5. Which of the following programs can be used for port redirection?

Loki

Recub

Girlfriend

FPipe

FPipe is a program that can be used for port redirection. Port redirection involves redirecting network traffic from one port to another, allowing for the rerouting of incoming connections. FPipe is a versatile tool that enables users to redirect TCP/IP or UDP/IP data streams between ports on different machines. It can be used for various purposes, such as load balancing, network testing, and troubleshooting.

Explanation

FPipe is a program that can be used for port redirection. Port redirection involves redirecting network traffic from one port to another, allowing for the rerouting of incoming connections. FPipe is a versatile tool that enables users to redirect TCP/IP or UDP/IP data streams between ports on different machines. It can be used for various purposes, such as load balancing, network testing, and troubleshooting.

6. This form of active sniffing is characterized by a large number of packets with bogus MAC addresses.

MAC flooding

Passive sniffing

Active sniffing

ARP poisoning

MAC flooding is a form of active sniffing where a large number of packets with fake or bogus MAC addresses are sent to a switch. This overwhelms the switch's MAC address table, causing it to enter a fail-open mode where it broadcasts all incoming packets to all ports. This allows the attacker to intercept and sniff network traffic, potentially gaining unauthorized access to sensitive information.

Explanation

MAC flooding is a form of active sniffing where a large number of packets with fake or bogus MAC addresses are sent to a switch. This overwhelms the switch's MAC address table, causing it to enter a fail-open mode where it broadcasts all incoming packets to all ports. This allows the attacker to intercept and sniff network traffic, potentially gaining unauthorized access to sensitive information.

7. Why is SYN flood attack detectable?

A large number of SYN packets will appear on the network without the corresponding reply

A large number of ACK packets will appear on the network without the corresponding reply

A large number of SYN ACK packets will appear on the network with-out the corresponding reply

The source and destination port of all the packets will be the same

A SYN flood attack is detectable because it involves a large number of SYN packets being sent to a target server without receiving the corresponding reply. This creates an imbalance in the network traffic, as the server becomes overwhelmed with incoming SYN packets and is unable to establish legitimate connections. Network monitoring tools can detect this abnormal behavior by analyzing the packet flow and identifying the high volume of SYN packets without proper responses.

Explanation

A SYN flood attack is detectable because it involves a large number of SYN packets being sent to a target server without receiving the corresponding reply. This creates an imbalance in the network traffic, as the server becomes overwhelmed with incoming SYN packets and is unable to establish legitimate connections. Network monitoring tools can detect this abnormal behavior by analyzing the packet flow and identifying the high volume of SYN packets without proper responses.

8. While hacking away at your roommate's Linux computer, you accessed his passwd file. Here is what you found. root :x: 0 : 0 : root: /root : /bin/bash bin : x : 1 : 1 : bin : /bin : daemon : x : 2 : 2 : daemon : /sbin : Where is the root password?

No password has been set

The password has been shadowed

The password is not visible because you are not logged in as root

The password is not in this file; it is in the SAM

The correct answer is "The password has been shadowed". In Linux, the password file (/etc/passwd) stores user account information, including the username, user ID, group ID, home directory, and shell. However, it does not store the actual passwords. Instead, the passwords are stored in a separate file called the shadow file (/etc/shadow), which is only accessible by the root user. The shadow file contains encrypted passwords and other security-related information. By finding the password file but not seeing the actual password, it indicates that the password has been shadowed.

Explanation

The correct answer is "The password has been shadowed". In Linux, the password file (/etc/passwd) stores user account information, including the username, user ID, group ID, home directory, and shell. However, it does not store the actual passwords. Instead, the passwords are stored in a separate file called the shadow file (/etc/shadow), which is only accessible by the root user. The shadow file contains encrypted passwords and other security-related information. By finding the password file but not seeing the actual password, it indicates that the password has been shadowed.

9. What does the following command in Ettercap do? ettercap -T -q -F cd.ef -M ARP /192.168.13.100

This command scans for NIC's in promiscuous mode

The command will detach Ettercap from the console and log all sniffed password

This command tells Ettercap to do a text mode man-in-the-middle attack

This command will check to see if someone else is performing ARP poisoning

The given command "ettercap -T -q -F cd.ef -M ARP /192.168.13.100" tells Ettercap to perform a text mode man-in-the-middle attack. The "-T" flag specifies text mode, "-q" flag makes the output quiet, "-F cd.ef" specifies the filter file to use, "-M ARP" sets the ARP poisoning method, and "/192.168.13.100" specifies the target IP address. This combination of flags and parameters indicates that the command is configuring Ettercap to intercept and manipulate network traffic in a man-in-the-middle attack in text mode.

Explanation

The given command "ettercap -T -q -F cd.ef -M ARP /192.168.13.100" tells Ettercap to perform a text mode man-in-the-middle attack. The "-T" flag specifies text mode, "-q" flag makes the output quiet, "-F cd.ef" specifies the filter file to use, "-M ARP" sets the ARP poisoning method, and "/192.168.13.100" specifies the target IP address. This combination of flags and parameters indicates that the command is configuring Ettercap to intercept and manipulate network traffic in a man-in-the-middle attack in text mode.

10. When would an attacker ant to perform a session hijack?

Before authentication

Right before the four-step shutdown

After authentication

At the point that the three-step handshake completes

An attacker would want to perform a session hijack after authentication because at this point, the user's session has been established and they have access to the system. By hijacking the session, the attacker can gain unauthorized access to the user's account and potentially perform malicious activities without being detected.

Explanation

An attacker would want to perform a session hijack after authentication because at this point, the user's session has been established and they have access to the system. By hijacking the session, the attacker can gain unauthorized access to the user's account and potentially perform malicious activities without being detected.

11. Which of the following will allow you to set the user to full access, the group to read-only, and all others to no access?

Chmod 777

Chroot 740

Chroot 777

Chmod 740

The correct answer is "chmod 740". The chmod command is used to change the permissions of a file or directory. In this case, the numbers represent the permissions for the user, group, and others respectively. The number 7 gives full access, 4 gives read-only access, and 0 gives no access. Therefore, "chmod 740" will set the user to full access (7), the group to read-only (4), and all others to no access (0).

Explanation

The correct answer is "chmod 740". The chmod command is used to change the permissions of a file or directory. In this case, the numbers represent the permissions for the user, group, and others respectively. The number 7 gives full access, 4 gives read-only access, and 0 gives no access. Therefore, "chmod 740" will set the user to full access (7), the group to read-only (4), and all others to no access (0).

12. You have been exploring the files and directory structure of the new Linux server. What are the entries of the /etc/hosts file made up of?

The IP addres, the subnet mask, and the default gateway

The IP address, the hostname, and any alias

The IP address and status of approved or denied addresses

The IP address, the mask, and the deny or allow statement

The /etc/hosts file in Linux contains entries that associate IP addresses with hostnames and aliases. It does not include subnet masks, default gateways, status of approved or denied addresses, or deny/allow statements. This file is used for local hostname resolution before querying DNS servers.

Explanation

The /etc/hosts file in Linux contains entries that associate IP addresses with hostnames and aliases. It does not include subnet masks, default gateways, status of approved or denied addresses, or deny/allow statements. This file is used for local hostname resolution before querying DNS servers.

13. You have been able to intercept many packets with Wireshark that are addressed to the broadcast address on your network and are shown to be from the web server. The web server is not sending this traffic, so it is being spoofed. What type of attack is the network experiencing?

Land

SYN

Smurf

Chargen

The network is experiencing a Smurf attack. In a Smurf attack, the attacker spoofs the IP address of the victim and sends a large number of ICMP echo requests (ping) to the broadcast address of a network. This causes all devices on the network to respond to the victim's IP address, overwhelming it with traffic and causing a denial of service. In this case, the packets intercepted by Wireshark are addressed to the broadcast address and appear to be from the web server, indicating that the traffic is being spoofed and the network is under a Smurf attack.

Explanation

The network is experiencing a Smurf attack. In a Smurf attack, the attacker spoofs the IP address of the victim and sends a large number of ICMP echo requests (ping) to the broadcast address of a network. This causes all devices on the network to respond to the victim's IP address, overwhelming it with traffic and causing a denial of service. In this case, the packets intercepted by Wireshark are addressed to the broadcast address and appear to be from the web server, indicating that the traffic is being spoofed and the network is under a Smurf attack.

14. Which of the following best describes a covert communications? A program that appears desirable, but actually contains something harmful

A program that appears desirable, but actually contains something harmful

A way of getting into a guarded system without using the required password

A program or algorithm that replicates itself over a computer network and usually performs malicious actions

Covert communications refer to the act of sending and receiving unauthorized information or data by using a protocol, service, or server to transmit information in a way that it was not intended to be used. This means that individuals are secretly exchanging information in a manner that is not allowed or expected by the system or network. It involves bypassing security measures or exploiting vulnerabilities to engage in unauthorized communication.

Explanation

Covert communications refer to the act of sending and receiving unauthorized information or data by using a protocol, service, or server to transmit information in a way that it was not intended to be used. This means that individuals are secretly exchanging information in a manner that is not allowed or expected by the system or network. It involves bypassing security measures or exploiting vulnerabilities to engage in unauthorized communication.

15. Where will an attacker find the system password file in a Linux machine that is restricted to root and contains encrypted passwords?

/etc/hosts

/etc/passwd

/etc/inetd.conf

/etc/shadow

The system password file in a Linux machine, which contains encrypted passwords, can be found in the /etc/shadow directory. This directory is restricted to the root user, making it difficult for attackers to access the encrypted passwords. The /etc/hosts file contains IP address to hostname mappings, the /etc/passwd file contains user account information, and the /etc/inetd.conf file contains configuration settings for internet services, but none of these files store the encrypted passwords.

Explanation

The system password file in a Linux machine, which contains encrypted passwords, can be found in the /etc/shadow directory. This directory is restricted to the root user, making it difficult for attackers to access the encrypted passwords. The /etc/hosts file contains IP address to hostname mappings, the /etc/passwd file contains user account information, and the /etc/inetd.conf file contains configuration settings for internet services, but none of these files store the encrypted passwords.

16. One of the members of your red team would like to run Dsniff on a span of the network that is composed of hubs. Which of the following type best describes this attack?

Passive Sniffing

MAC Flooding

ARP Poisoning

Active Sniffing

Passive Sniffing is the best type to describe this attack because Dsniff is a passive network monitoring tool that captures and analyzes network traffic. It does not actively send any packets or modify network settings. Since the network is composed of hubs, which are less secure than switches, Dsniff can easily capture and analyze all the network traffic passing through the hub without being detected. Therefore, the attacker can passively sniff and gather information without actively interfering with the network.

Explanation

Passive Sniffing is the best type to describe this attack because Dsniff is a passive network monitoring tool that captures and analyzes network traffic. It does not actively send any packets or modify network settings. Since the network is composed of hubs, which are less secure than switches, Dsniff can easily capture and analyze all the network traffic passing through the hub without being detected. Therefore, the attacker can passively sniff and gather information without actively interfering with the network.

17. How can a Linux user list which processes are running if he suspects something has been loaded that is not approved?

Ps

Echo

Ls

Netstat

The correct answer is "ps". The "ps" command in Linux is used to list the currently running processes on a system. By running "ps", a Linux user can see a list of all processes running on their system and identify any suspicious or unauthorized processes that may have been loaded. This can help in identifying and investigating any potential security threats or unauthorized activities on the system.

Explanation

The correct answer is "ps". The "ps" command in Linux is used to list the currently running processes on a system. By running "ps", a Linux user can see a list of all processes running on their system and identify any suspicious or unauthorized processes that may have been loaded. This can help in identifying and investigating any potential security threats or unauthorized activities on the system.

18. Which of the following is not a DoS program?

Land

Smurf

Stacheldraht

Fraggle

Stacheldraht is not a DoS program because it is actually a type of DDoS (Distributed Denial of Service) tool. Unlike traditional DoS programs that are run from a single source, Stacheldraht allows multiple attackers to coordinate their efforts and launch a DDoS attack on a target. This tool was popular in the late 1990s and early 2000s and was known for its ability to amplify the impact of an attack by using multiple sources to overwhelm a target's resources.

Explanation

Stacheldraht is not a DoS program because it is actually a type of DDoS (Distributed Denial of Service) tool. Unlike traditional DoS programs that are run from a single source, Stacheldraht allows multiple attackers to coordinate their efforts and launch a DDoS attack on a target. This tool was popular in the late 1990s and early 2000s and was known for its ability to amplify the impact of an attack by using multiple sources to overwhelm a target's resources.

19. How many steps are in the ARP process?

2

1

4

3

The ARP (Address Resolution Protocol) process involves two steps. The first step is the ARP request, where a device sends a broadcast message to the network asking for the MAC address of a specific IP address. The second step is the ARP reply, where the device with the corresponding IP address sends its MAC address back to the requesting device. Therefore, there are two steps in the ARP process.

Explanation

The ARP (Address Resolution Protocol) process involves two steps. The first step is the ARP request, where a device sends a broadcast message to the network asking for the MAC address of a specific IP address. The second step is the ARP reply, where the device with the corresponding IP address sends its MAC address back to the requesting device. Therefore, there are two steps in the ARP process.

20. Which DDoS tool uses TCP port 6667?

Trinity

DDOSPing

Trinoo

Shaft

Trinity is the correct answer because it is a DDoS tool that uses TCP port 6667. The other options, DDOSPing, Trinoo, and Shaft, do not specifically use TCP port 6667 for their DDoS attacks.

Explanation

Trinity is the correct answer because it is a DDoS tool that uses TCP port 6667. The other options, DDOSPing, Trinoo, and Shaft, do not specifically use TCP port 6667 for their DDoS attacks.

21. Jane has noticed that her system is running strangely. However, even when she ran Netstat, everything looked fine. What should she do next?

Restore from a recent backup

Remove any entries from the Windows startup folder

Use a third party tool with a verified fingerprint

Install patch.exe

Jane should use a third party tool with a verified fingerprint next. This means she should use a tool that has been authenticated and deemed trustworthy by a reliable source. This can help her identify any potential threats or issues that may not have been detected by Netstat.

Explanation

Jane should use a third party tool with a verified fingerprint next. This means she should use a tool that has been authenticated and deemed trustworthy by a reliable source. This can help her identify any potential threats or issues that may not have been detected by Netstat.

22. You have just completed a scan of your servers, and you found port 31337 open. Which of the following programs uses that port by default?

NetBus

Back Orifice

Option 3

Donald Dick

Back Orifice is a remote administration tool that allows unauthorized access to a computer system. It is known for using port 31337 as its default port. Therefore, if port 31337 is open on the server, it suggests that Back Orifice may be running on the system. NetBus is another remote administration tool but it uses a different default port. Option 3 and Donald Dick are not relevant to the given question.

Explanation

Back Orifice is a remote administration tool that allows unauthorized access to a computer system. It is known for using port 31337 as its default port. Therefore, if port 31337 is open on the server, it suggests that Back Orifice may be running on the system. NetBus is another remote administration tool but it uses a different default port. Option 3 and Donald Dick are not relevant to the given question.

23. Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?

Firekiller 2000

ACKCMD

Stealth Tools

Loki

ACKCMD is the covert communication program that has the capability to bypass router ACLs that block incoming SYN traffic on port 80. This program likely uses the ACK flag in TCP packets to establish a connection, rather than the SYN flag which is typically blocked by router ACLs. By using this technique, ACKCMD can successfully bypass the ACLs and establish communication on port 80.

Explanation

ACKCMD is the covert communication program that has the capability to bypass router ACLs that block incoming SYN traffic on port 80. This program likely uses the ACK flag in TCP packets to establish a connection, rather than the SYN flag which is typically blocked by router ACLs. By using this technique, ACKCMD can successfully bypass the ACLs and establish communication on port 80.

24. Which of the following best describes Netcat?

Netcat is a versatile tool that is often referred to as the TCP/IP Swiss army knife. It is compatible with both Windows and Linux operating systems. Netcat allows users to read and write data across network connections using either TCP or UDP protocols. This makes it a powerful tool for network monitoring and data acquisition. It can also be used to dump traffic on a network and print out packet headers that match a specific expression.

Explanation

Netcat is a versatile tool that is often referred to as the TCP/IP Swiss army knife. It is compatible with both Windows and Linux operating systems. Netcat allows users to read and write data across network connections using either TCP or UDP protocols. This makes it a powerful tool for network monitoring and data acquisition. It can also be used to dump traffic on a network and print out packet headers that match a specific expression.

25. One of your user's Windows computers has been running slowly and performing erratically. After looking it over, you find a suspicious-looking file named watching.dll. Which of the following programs uses that file?

SubSeven

Donald Dick

Loki

NetBus

The correct answer is SubSeven. SubSeven is a remote administration tool (RAT) that is often used by hackers to gain unauthorized access to a computer. The suspicious-looking file named watching.dll is likely associated with SubSeven, indicating that the computer may have been compromised by a hacker using this program.

Explanation

The correct answer is SubSeven. SubSeven is a remote administration tool (RAT) that is often used by hackers to gain unauthorized access to a computer. The suspicious-looking file named watching.dll is likely associated with SubSeven, indicating that the computer may have been compromised by a hacker using this program.

26. Your team lead has asked you to make absolute changes to a file's permissions. Which of the following would be correct?

Chroot a+rwx

Chroot 320

Chmod a+rwx

Chmod 320

The correct answer is "chmod 320". The "chmod" command is used to change the permissions of a file or directory. In this case, the "320" argument specifies the new permissions for the file. The number "3" represents the owner's permissions, "2" represents the group's permissions, and "0" represents the permissions for others. The "2" in "320" indicates that the group will have write permissions, while the owner and others will have no permissions.

Explanation

The correct answer is "chmod 320". The "chmod" command is used to change the permissions of a file or directory. In this case, the "320" argument specifies the new permissions for the file. The number "3" represents the owner's permissions, "2" represents the group's permissions, and "0" represents the permissions for others. The "2" in "320" indicates that the group will have write permissions, while the owner and others will have no permissions.

27. What does the command nc –n –v –l -p 25 accomplish?

Forwards email on the remote server to the hacker's computer on port 25

Opens up a netcat listener on the local computer on port 25

Allows the hacker to use a victim's mail server to send spam

Blocks all incoming traffic on port 25

The command "nc -n -v -l -p 25" opens up a netcat listener on the local computer on port 25. Netcat is a versatile networking tool that can be used for various purposes, such as port scanning, file transfer, and network debugging. In this case, the command is specifically used to create a listener on port 25, which is the default port for SMTP (Simple Mail Transfer Protocol) used for email communication. By opening this listener, the computer can receive incoming connections and data on port 25.

Explanation

The command "nc -n -v -l -p 25" opens up a netcat listener on the local computer on port 25. Netcat is a versatile networking tool that can be used for various purposes, such as port scanning, file transfer, and network debugging. In this case, the command is specifically used to create a listener on port 25, which is the default port for SMTP (Simple Mail Transfer Protocol) used for email communication. By opening this listener, the computer can receive incoming connections and data on port 25.

28. At the prompt of your Linux server, you enter cat /etc/passwd. In the following output line, what is the function of 100? chubs : 2cX1eDm8cFiJYc : 500 : 100 : chubs Lex : /home/chubs/bin/bash

A binary value

The 100th users created

The user ID

The group ID

In the output line, "100" represents the group ID. In Linux, each user is assigned a unique user ID (UID) and a group ID (GID). The group ID is used to determine the group that the user belongs to. It helps in managing file and directory permissions, as well as in controlling access to resources on the system.

Explanation

In the output line, "100" represents the group ID. In Linux, each user is assigned a unique user ID (UID) and a group ID (GID). The group ID is used to determine the group that the user belongs to. It helps in managing file and directory permissions, as well as in controlling access to resources on the system.

29. Which one do you like?

Option 1

Option 2

Option 3

Option 4

not-available-via-ai

Explanation

not-available-via-ai

30. You overheard a co-worker who is upset about not getting a promotion threaten to load FakeGina on to the boss's computer. What does FakeGina do?

It captures all keystrokes entered after the system starts up

It captues login usernames and password that are entered at system startup

It is a hardware keystroke capture program

It's a password trojan that emails password and usernames to a predetermined email address

FakeGina captures login usernames and passwords that are entered at system startup. This means that if the co-worker loads FakeGina onto the boss's computer, it will record any login credentials that the boss enters when logging into the system. This can pose a serious security threat as the co-worker may use the captured information for unauthorized access or malicious purposes. It is important to prevent the installation of such programs to protect sensitive information and maintain the security of the system.

Explanation

FakeGina captures login usernames and passwords that are entered at system startup. This means that if the co-worker loads FakeGina onto the boss's computer, it will record any login credentials that the boss enters when logging into the system. This can pose a serious security threat as the co-worker may use the captured information for unauthorized access or malicious purposes. It is important to prevent the installation of such programs to protect sensitive information and maintain the security of the system.

31. What is Datapipe used for?

It is a virus

It is similar to Netstat and can report running processes and ports

It is a remote-control Trojan

It is a redirector. Remediation link - Cover communications

Datapipe is used as a redirector, meaning it redirects network traffic from one location to another. It does not have any malicious intent like a virus or a remote-control Trojan. It is also not similar to Netstat, which is a command-line tool used for monitoring network connections. The reference to "Cover communications" in the remediation link suggests that Datapipe may be used to obfuscate or hide communication channels.

Explanation

Datapipe is used as a redirector, meaning it redirects network traffic from one location to another. It does not have any malicious intent like a virus or a remote-control Trojan. It is also not similar to Netstat, which is a command-line tool used for monitoring network connections. The reference to "Cover communications" in the remediation link suggests that Datapipe may be used to obfuscate or hide communication channels.