1.
You have just completed a scan of your servers, and you found port 31337 open. Which of the following programs uses that port by default?
Correct Answer
B. Back Orifice
Explanation
Back Orifice is a remote administration tool that allows unauthorized access to a computer system. It is known for using port 31337 as its default port. Therefore, if port 31337 is open on the server, it suggests that Back Orifice may be running on the system. NetBus is another remote administration tool but it uses a different default port. Option 3 and Donald Dick are not relevant to the given question.
2.
Which of the following programs can be used for port redirection?
Correct Answer
D. FPipe
Explanation
FPipe is a program that can be used for port redirection. Port redirection involves redirecting network traffic from one port to another, allowing for the rerouting of incoming connections. FPipe is a versatile tool that enables users to redirect TCP/IP or UDP/IP data streams between ports on different machines. It can be used for various purposes, such as load balancing, network testing, and troubleshooting.
3.
Which of the following best describes covert communications?
(One of the listed options: A program that appears desirable, but actually contains something harmful)
Correct Answer
D. Sending and receiving unauthorized information or data by using a protocol, service, or server to transmit info in a way in which it was not intended to be used
Explanation
Covert communications refer to the act of sending and receiving unauthorized information or data by using a protocol, service, or server to transmit information in a way that it was not intended to be used. This means that individuals are secretly exchanging information in a manner that is not allowed or expected by the system or network. It involves bypassing security measures or exploiting vulnerabilities to engage in unauthorized communication.
4.
Which of the following best describes Netcat?
Correct Answer
B. Netcat is called the TCP/IP Swiss army knife. It works with Windows and Linux and can read and write data across network connections using TCP or UDP.
Explanation
Netcat is a versatile tool that is often referred to as the TCP/IP Swiss army knife. It is compatible with both Windows and Linux operating systems. Netcat allows users to read and write data across network connections using either TCP or UDP protocols. This makes it a powerful tool for network monitoring and data acquisition. It can also be used to dump traffic on a network and print out packet headers that match a specific expression.
5.
One of your user’s Windows computers has been running slowly and performing erratically. After looking it over, you find a suspicious-looking file named watching.dll. Which of the following programs uses that file?
Correct Answer
A. SubSeven
Explanation
The correct answer is SubSeven. SubSeven is a remote administration tool (RAT) that is often used by hackers to gain unauthorized access to a computer. The suspicious-looking file named watching.dll is likely associated with SubSeven, indicating that the computer may have been compromised by a hacker using this program.
6.
Jane has noticed that her system is running strangely. However, even when she ran Netstat, everything looked fine. What should she do next?
Correct Answer
C. Use a third-party tool with a verified fingerprint
Explanation
Jane should next use a third-party tool with a verified fingerprint. This means she should use a tool that has been authenticated and deemed trustworthy by a reliable source. This can help her identify any potential threats or issues that Netstat did not detect.
7.
You overheard a co-worker who is upset about not getting a promotion threaten to load FakeGina on to the boss’s computer. What does FakeGina do?
Correct Answer
B. It captures login usernames and passwords that are entered at system startup
Explanation
FakeGina captures login usernames and passwords that are entered at system startup. This means that if the co-worker loads FakeGina onto the boss's computer, it will record any login credentials that the boss enters when logging into the system. This can pose a serious security threat as the co-worker may use the captured information for unauthorized access or malicious purposes. It is important to prevent the installation of such programs to protect sensitive information and maintain the security of the system.
8.
Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?
Correct Answer
B. ACKCMD
Explanation
ACKCMD is the covert communication program that has the capability to bypass router ACLs that block incoming SYN traffic on port 80. This program likely uses the ACK flag in TCP packets to establish a connection, rather than the SYN flag which is typically blocked by router ACLs. By using this technique, ACKCMD can successfully bypass the ACLs and establish communication on port 80.
9.
What does the command nc -n -v -l -p 25 accomplish?
Correct Answer
B. Opens up a netcat listener on the local computer on port 25
Explanation
The command "nc -n -v -l -p 25" opens up a netcat listener on the local computer on port 25. Netcat is a versatile networking tool that can be used for various purposes, such as port scanning, file transfer, and network debugging. In this case, the command is specifically used to create a listener on port 25, which is the default port for SMTP (Simple Mail Transfer Protocol) used for email communication. By opening this listener, the computer can receive incoming connections and data on port 25.
10.
What is Datapipe used for?
Correct Answer
D. It is a redirector. Remediation link - Covert communications
Explanation
Datapipe is used as a redirector, meaning it redirects network traffic from one location to another. It does not have any malicious intent like a virus or a remote-control Trojan. It is also not similar to Netstat, which is a command-line tool used for monitoring network connections. The reference to "Covert communications" in the remediation link suggests that Datapipe may be used to obfuscate or hide communication channels.
11.
How can a Linux user list which processes are running if he suspects something has been loaded that is not approved?
Correct Answer
A. ps
Explanation
The correct answer is "ps". The "ps" command in Linux is used to list the currently running processes on a system. By running "ps", a Linux user can see a list of all processes running on their system and identify any suspicious or unauthorized processes that may have been loaded. This can help in identifying and investigating any potential security threats or unauthorized activities on the system.
12.
You have been hired by Bob’s Burgers to scan its network for vulnerabilities. They would like you to perform a system-level scan. Which of the following programs should you use?
Correct Answer
B. SARA
Explanation
SARA is the most suitable program for performing a system-level scan. SARA stands for Security Auditor's Research Assistant and it is designed specifically for network vulnerability assessment. It scans the network and identifies potential vulnerabilities in the system. N-Stealth is a web server security assessment tool, Flawfinder is a static analysis tool for C/C++ code, and Whisker is a web application vulnerability scanner. While these tools may be useful for specific purposes, SARA is the best choice for a system-level scan.
13.
You have been able to get a Terminal window open on a remote Linux host. You now need to use a command-line web browser to download a privilege-escalation tool. Which of the following will work?
Correct Answer
B. Lynx
Explanation
Lynx is a command-line web browser that can be used to download files from the internet. Since you need to download a privilege-escalation tool, Lynx is the most suitable option among the given choices. TFTP is a file transfer protocol, not a web browser. Explorer and Firefox are graphical web browsers and cannot be used in a Terminal window.
14.
Which of the following will allow you to set the user to full access, the group to read-only, and all others to no access?
Correct Answer
D. chmod 740
Explanation
The correct answer is "chmod 740". The chmod command is used to change the permissions of a file or directory. In this case, the numbers represent the permissions for the user, group, and others respectively. The number 7 gives full access, 4 gives read-only access, and 0 gives no access. Therefore, "chmod 740" will set the user to full access (7), the group to read-only (4), and all others to no access (0).
15.
While hacking away at your roommate's Linux computer, you accessed his passwd file. Here is what you found:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
Where is the root password?
Correct Answer
B. The password has been shadowed
Explanation
The correct answer is "The password has been shadowed". In Linux, the password file (/etc/passwd) stores user account information, including the username, user ID, group ID, home directory, and shell. However, it does not store the actual passwords. Instead, the passwords are stored in a separate file called the shadow file (/etc/shadow), which is only accessible by the root user. The shadow file contains encrypted passwords and other security-related information. By finding the password file but not seeing the actual password, it indicates that the password has been shadowed.
16.
Your team lead has asked you to make absolute changes to a file’s permissions. Which of the following would be correct?
Correct Answer
D. chmod 320
Explanation
The correct answer is "chmod 320". The "chmod" command is used to change the permissions of a file or directory. In this case, the "320" argument specifies the new permissions for the file. The number "3" represents the owner's permissions, "2" represents the group's permissions, and "0" represents the permissions for others. The "2" in "320" indicates that the group will have write permissions, while the owner and others will have no permissions.
17.
Which of the following is not a valid Linux user group?
Correct Answer
A. Guests
Explanation
The given options consist of different types of Linux user groups. Guests is not a valid Linux user group because it is not a commonly recognized type of user group in Linux systems. The other options, Normal Users, System Users, and Super Users, are valid and commonly used user groups in Linux.
18.
You have been exploring the files and directory structure of the new Linux server. What are the entries of the /etc/hosts file made up of?
Correct Answer
B. The IP address, the hostname, and any alias
Explanation
The /etc/hosts file in Linux contains entries that associate IP addresses with hostnames and aliases. It does not include subnet masks, default gateways, status of approved or denied addresses, or deny/allow statements. This file is used for local hostname resolution before querying DNS servers.
19.
At the prompt of your Linux server, you enter cat /etc/passwd. In the following output line, what is the function of 100?
chubs:2cX1eDm8cFiJYc:500:100:chubs Lex:/home/chubs:/bin/bash
Correct Answer
D. The group ID
Explanation
In the output line, "100" represents the group ID. In Linux, each user is assigned a unique user ID (UID) and a group ID (GID). The group ID is used to determine the group that the user belongs to. It helps in managing file and directory permissions, as well as in controlling access to resources on the system.
20.
Where will an attacker find the system password file in a Linux machine that is restricted to root and contains encrypted passwords?
Correct Answer
D. /etc/shadow
Explanation
The system password file in a Linux machine, which contains encrypted passwords, is /etc/shadow. This file is restricted to the root user, making it difficult for attackers to access the encrypted passwords. The /etc/hosts file contains IP address to hostname mappings, the /etc/passwd file contains user account information, and the /etc/inetd.conf file contains configuration settings for internet services, but none of these files store the encrypted passwords.
21.
How many steps are in the ARP process?
Correct Answer
A. 2
Explanation
The ARP (Address Resolution Protocol) process involves two steps. The first step is the ARP request, where a device sends a broadcast message to the network asking for the MAC address of a specific IP address. The second step is the ARP reply, where the device with the corresponding IP address sends its MAC address back to the requesting device. Therefore, there are two steps in the ARP process.
22.
One of the members of your red team would like to run Dsniff on a span of the network that is composed of hubs. Which of the following type best describes this attack?
Correct Answer
A. Passive Sniffing
Explanation
Passive Sniffing is the best type to describe this attack because Dsniff is a passive network monitoring tool that captures and analyzes network traffic. It does not actively send any packets or modify network settings. Since the network is composed of hubs, which are less secure than switches, Dsniff can easily capture and analyze all the network traffic passing through the hub without being detected. Therefore, the attacker can passively sniff and gather information without actively interfering with the network.
23.
You have been able to intercept many packets with Wireshark that are addressed to the broadcast address on your network and are shown to be from the web server. The web server is not sending this traffic, so it is being spoofed. What type of attack is the network experiencing?
Correct Answer
C. Smurf
Explanation
The network is experiencing a Smurf attack. In a Smurf attack, the attacker spoofs the IP address of the victim and sends a large number of ICMP echo requests (ping) to the broadcast address of a network. This causes all devices on the network to respond to the victim's IP address, overwhelming it with traffic and causing a denial of service. In this case, the packets intercepted by Wireshark are addressed to the broadcast address and appear to be from the web server, indicating that the traffic is being spoofed and the network is under a Smurf attack.
24.
What does the following command in Ettercap do?
ettercap -T -q -F cd.ef -M ARP /192.168.13.100
Correct Answer
C. This command tells Ettercap to do a text mode man-in-the-middle attack
Explanation
The given command "ettercap -T -q -F cd.ef -M ARP /192.168.13.100" tells Ettercap to perform a text mode man-in-the-middle attack. The "-T" flag specifies text mode, "-q" flag makes the output quiet, "-F cd.ef" specifies the filter file to use, "-M ARP" sets the ARP poisoning method, and "/192.168.13.100" specifies the target IP address. This combination of flags and parameters indicates that the command is configuring Ettercap to intercept and manipulate network traffic in a man-in-the-middle attack in text mode.
25.
This form of active sniffing is characterized by a large number of packets with bogus MAC addresses.
Correct Answer
A. MAC flooding
Explanation
MAC flooding is a form of active sniffing where a large number of packets with fake or bogus MAC addresses are sent to a switch. This overwhelms the switch's MAC address table, causing it to enter a fail-open mode where it broadcasts all incoming packets to all ports. This allows the attacker to intercept and sniff network traffic, potentially gaining unauthorized access to sensitive information.
26.
Which DDoS tool uses TCP port 6667?
Correct Answer
A. Trinity
Explanation
Trinity is the correct answer because it is a DDoS tool that uses TCP port 6667. The other options, DDOSPing, Trinoo, and Shaft, do not specifically use TCP port 6667 for their DDoS attacks.
27.
Which of the following is a tool used to find DDoS programs?
Correct Answer
A. DDOSPing
Explanation
DDOSPing is a tool used to find DDoS programs. It is specifically designed to test the vulnerability of a network or website to distributed denial of service (DDoS) attacks. By simulating a DDoS attack, DDOSPing can help identify weaknesses in the network's defenses and assist in developing appropriate countermeasures. This tool is commonly used by network administrators and security professionals to proactively protect their systems from potential DDoS attacks.
28.
Which of the following is not a DoS program?
Correct Answer
C. Stacheldraht
Explanation
Stacheldraht is not a DoS program because it is actually a type of DDoS (Distributed Denial of Service) tool. Unlike traditional DoS programs that are run from a single source, Stacheldraht allows multiple attackers to coordinate their efforts and launch a DDoS attack on a target. This tool was popular in the late 1990s and early 2000s and was known for its ability to amplify the impact of an attack by using multiple sources to overwhelm a target's resources.
29.
Why is SYN flood attack detectable?
Correct Answer
A. A large number of SYN packets will appear on the network without the corresponding reply
Explanation
A SYN flood attack is detectable because it involves a large number of SYN packets being sent to a target server without receiving the corresponding reply. This creates an imbalance in the network traffic, as the server becomes overwhelmed with incoming SYN packets and is unable to establish legitimate connections. Network monitoring tools can detect this abnormal behavior by analyzing the packet flow and identifying the high volume of SYN packets without proper responses.
30.
When would an attacker want to perform a session hijack?
Correct Answer
C. After authentication
Explanation
An attacker would want to perform a session hijack after authentication because at this point, the user's session has been established and they have access to the system. By hijacking the session, the attacker can gain unauthorized access to the user's account and potentially perform malicious activities without being detected.