CEH Quiz (201 - 261) - Quiz, Flashcards & Trivia

1. A majority of attacks come from insiders, people who have direct access to a company's computer system as part of their job function or a business relationship. Who is considered an insider?

A competitor to the company because they can directly benefit from the publicity generated by making such an attack

Disgruntled employee, customers, suppliers, vendors, business partners, contractors, temps, and consultants

The CEO of the company because he has access to all of the computer systems

A government agency since they know the company's computer system strengths and weaknesses

Insiders refer to individuals who have direct access to a company's computer system as part of their job function or a business relationship. This includes disgruntled employees, customers, suppliers, vendors, business partners, contractors, temps, and consultants. These individuals have the potential to carry out attacks due to their knowledge of the system and their proximity to sensitive information.

Explanation

Insiders refer to individuals who have direct access to a company's computer system as part of their job function or a business relationship. This includes disgruntled employees, customers, suppliers, vendors, business partners, contractors, temps, and consultants. These individuals have the potential to carry out attacks due to their knowledge of the system and their proximity to sensitive information.

2. What do you call a pre-computed hash?

Sun tables

Apple tables

Rainbow tables

Moon tables

A pre-computed hash is commonly referred to as a "Rainbow table". Rainbow tables are used in cryptography to speed up the process of cracking hashed passwords by storing pre-computed hash chains. These tables contain a list of possible plaintext passwords and their corresponding hash values, allowing for quick lookup and comparison to the target hash. By using rainbow tables, attackers can significantly reduce the time and computational resources required to crack hashed passwords.

Explanation

A pre-computed hash is commonly referred to as a "Rainbow table". Rainbow tables are used in cryptography to speed up the process of cracking hashed passwords by storing pre-computed hash chains. These tables contain a list of possible plaintext passwords and their corresponding hash values, allowing for quick lookup and comparison to the target hash. By using rainbow tables, attackers can significantly reduce the time and computational resources required to crack hashed passwords.

3. Oregon Corp is fighting a litigation suit with Scamster Inc. Oregon has assigned a private investigative agency to go through garbage, recycled paper, and other rubbish at Scamster's office site in order to find relevant information. What would you call this kind of activity?

CI Gathering

Scanning

Dumpster Diving

Garbage Scooping

Dumpster diving refers to the activity of searching through someone's trash or garbage in order to find useful or valuable information. In this case, Oregon Corp has hired a private investigative agency to search through Scamster Inc's garbage and other rubbish at their office site to gather relevant information for their litigation suit. Dumpster diving is a common practice used by investigators to obtain evidence or gather intelligence.

Explanation

Dumpster diving refers to the activity of searching through someone's trash or garbage in order to find useful or valuable information. In this case, Oregon Corp has hired a private investigative agency to search through Scamster Inc's garbage and other rubbish at their office site to gather relevant information for their litigation suit. Dumpster diving is a common practice used by investigators to obtain evidence or gather intelligence.

4. Why attackers use proxy servers?

To ensure theexploits used in the attacks always flip reverse vectors

Faster bandwidth performance and increase in attack speed

Interrupt the remote victim's network traffic and reroute the packets to attackers machine

To hide the source IP address so that anattacker can hack without any legal corollary

Attackers use proxy servers to hide their source IP address so that they can carry out their hacking activities without facing any legal consequences. By routing their network traffic through a proxy server, the attacker's true IP address is masked, making it difficult for authorities to trace back the attack to its source. This anonymity provides a layer of protection for the attacker and allows them to operate without being easily identified or held accountable for their actions.

Explanation

Attackers use proxy servers to hide their source IP address so that they can carry out their hacking activities without facing any legal consequences. By routing their network traffic through a proxy server, the attacker's true IP address is masked, making it difficult for authorities to trace back the attack to its source. This anonymity provides a layer of protection for the attacker and allows them to operate without being easily identified or held accountable for their actions.

5. Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption, and enabling MAC filtering on his wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes it is only 24Mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here?

MAC spoofing

Macof

ARP spoofing

DNS spoofing

Paul is experiencing MAC spoofing. MAC spoofing is a technique where an attacker changes their device's MAC address to match the MAC address of another device on the network, in this case, Paul's laptop. This allows the attacker to impersonate Paul's laptop and gain unauthorized access to the network. This can explain why Paul is seeing a machine with an unfamiliar name connected to his wireless network and why the speed of his connection varies.

Explanation

Paul is experiencing MAC spoofing. MAC spoofing is a technique where an attacker changes their device's MAC address to match the MAC address of another device on the network, in this case, Paul's laptop. This allows the attacker to impersonate Paul's laptop and gain unauthorized access to the network. This can explain why Paul is seeing a machine with an unfamiliar name connected to his wireless network and why the speed of his connection varies.

6. You are trying to package a RAT Trojan so that Anti-Virus software will not detect it. Which of the listed technique will NOT be effective in evading Anti-Virus scanner?

Convert the Trojan.exe file extension to Trojan.txt disguising as text file

Break the Trojan into multiple smaller files and zip the individual pieces

Change the content of the Trojan using hex editor and modify the checksum

Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1

Converting the Trojan.exe file extension to Trojan.txt will not be effective in evading the Anti-Virus scanner. Although changing the file extension may make it appear as a text file, Anti-Virus software is designed to analyze the content of the file rather than just relying on the file extension. The scanner will still be able to detect the malicious code within the file, regardless of the file extension.

Explanation

Converting the Trojan.exe file extension to Trojan.txt will not be effective in evading the Anti-Virus scanner. Although changing the file extension may make it appear as a text file, Anti-Virus software is designed to analyze the content of the file rather than just relying on the file extension. The scanner will still be able to detect the malicious code within the file, regardless of the file extension.

7. Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would like to tunnel the information to the remote end but does not have VPN capabilities to do so. Which of the following tools can she use to protect the link?

MD5

PGP

RSA

SSH

SSH (Secure Shell) can be used to protect the link. SSH is a cryptographic network protocol that provides secure communication over an insecure network. It encrypts the data being transmitted, preventing adversaries from intercepting and inspecting the traffic. By using SSH, Jane can tunnel the X-Windows and POP3 traffic to the remote host securely, even without VPN capabilities.

Explanation

SSH (Secure Shell) can be used to protect the link. SSH is a cryptographic network protocol that provides secure communication over an insecure network. It encrypts the data being transmitted, preventing adversaries from intercepting and inspecting the traffic. By using SSH, Jane can tunnel the X-Windows and POP3 traffic to the remote host securely, even without VPN capabilities.

8. Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here?

Neil has used a tailgating social engineering attack to gain access to the offices

He has used a piggybacking technique to gain unauthorized access

This type of social engineering attack is called man trapping

Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics

Neil has used a tailgating social engineering attack to gain access to the offices. Tailgating refers to the act of following someone who has legitimate access into a secure area without proper authorization. In this case, Neil used a fake company ID badge and uniform to blend in and gain entry by following an employee who used their valid access card. This type of attack exploits the trust and natural tendency of people to hold doors open for others, allowing unauthorized individuals to gain entry.

Explanation

Neil has used a tailgating social engineering attack to gain access to the offices. Tailgating refers to the act of following someone who has legitimate access into a secure area without proper authorization. In this case, Neil used a fake company ID badge and uniform to blend in and gain entry by following an employee who used their valid access card. This type of attack exploits the trust and natural tendency of people to hold doors open for others, allowing unauthorized individuals to gain entry.

9. The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)

Enable SNMPv3 whichencrypts username/password authentication

Use your company name as the public community string replacing the default 'public'

Enable IP filtering to limit access to SNMP device

The default configuration provided by device vendors is highly secureand you don't need to change anything

To keep intruders from getting sensitive information regarding the network devices using SNMP, enabling SNMPv3 which encrypts username/password authentication is important. SNMPv3 provides secure access to devices by encrypting the authentication credentials. Additionally, enabling IP filtering to limit access to SNMP devices adds an extra layer of security by allowing only specific IP addresses to access the devices. This helps to prevent unauthorized access and protect sensitive information.

Explanation

To keep intruders from getting sensitive information regarding the network devices using SNMP, enabling SNMPv3 which encrypts username/password authentication is important. SNMPv3 provides secure access to devices by encrypting the authentication credentials. Additionally, enabling IP filtering to limit access to SNMP devices adds an extra layer of security by allowing only specific IP addresses to access the devices. This helps to prevent unauthorized access and protect sensitive information.

Submit

10. Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy's first task is to scan all the company's external websites. Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website. James types in the following statement in the username field: SELECT * from Users where username='admin' ?AND password='' AND email like '%@testers.com%' What will the SQL statement accomplish?

If the page is susceptible to SQL injection, it will look in theUsers table for usernames of admin

This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com

This Select SQL statement will log James in if there are any users with NULL passwords

James will be able to see if there are any default user accounts in the SQL database

The SQL statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com. This implies that James is attempting to exploit a potential vulnerability in the login page by using SQL injection. By inputting this statement, James is trying to retrieve information from the Users table that matches the specified conditions.

Explanation

The SQL statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com. This implies that James is attempting to exploit a potential vulnerability in the login page by using SQL injection. By inputting this statement, James is trying to retrieve information from the Users table that matches the specified conditions.

11. Type question hereNTP allows you to set the clocks on your systems very accurately, to within 100ms and sometimes-even 10ms. Knowing the exact time is extremely important for enterprise security. Various security protocols depend on an accurate source of time information in order to prevent "playback" attacks. These protocols tag their communications with the current time, to prevent attackers from replaying the same communications, e.g., a login/password interaction or even an entire communication, at a later date. One can circumvent this tagging, if the clock can be set back to the time the communication was recorded. An attacker attempts to try corrupting the clocks on devices on your network. You run Wireshark to detect the NTP traffic to see if there are any irregularities on the network. What port number you should enable in Wireshark display filter to view NTP packets?

TCP Port 124

UDP Port 125

UDP Port 123

TCP Port 126

NTP (Network Time Protocol) is used to synchronize the clocks on systems accurately. In this scenario, the user is running Wireshark to detect any irregularities in NTP traffic on the network. To view NTP packets, they should enable UDP Port 123 in the Wireshark display filter. NTP uses UDP (User Datagram Protocol) as its transport protocol, and Port 123 is the designated port for NTP traffic. By enabling this port in Wireshark, the user will be able to capture and analyze NTP packets for any signs of irregularities or attacks on the network.

Explanation

NTP (Network Time Protocol) is used to synchronize the clocks on systems accurately. In this scenario, the user is running Wireshark to detect any irregularities in NTP traffic on the network. To view NTP packets, they should enable UDP Port 123 in the Wireshark display filter. NTP uses UDP (User Datagram Protocol) as its transport protocol, and Port 123 is the designated port for NTP traffic. By enabling this port in Wireshark, the user will be able to capture and analyze NTP packets for any signs of irregularities or attacks on the network.

12. You want to perform advanced SQL Injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these attacks?

System services

EXEC master access

Xp_cmdshell

RDC

In order to perform advanced SQL Injection attacks on a vulnerable website without being able to perform command shell hacks on the server, the xp_cmdshell feature must be enabled in SQL Server. This feature allows the execution of command shell commands from within SQL Server, providing the attacker with the ability to execute arbitrary commands on the server. By enabling xp_cmdshell, the attacker can gain further control and exploit the vulnerabilities in the website.

Explanation

In order to perform advanced SQL Injection attacks on a vulnerable website without being able to perform command shell hacks on the server, the xp_cmdshell feature must be enabled in SQL Server. This feature allows the execution of command shell commands from within SQL Server, providing the attacker with the ability to execute arbitrary commands on the server. By enabling xp_cmdshell, the attacker can gain further control and exploit the vulnerabilities in the website.

13. A company is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. This could lead to prosecution for the sender and for the company's directors if, for example, outgoing email was found to contain material that was pornographic, racist, or likely to incite someone to commit an act of terrorism. You can always defend yourself by "ignorance of the law" clause.

True

False

A company is not legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. However, if outgoing email was found to contain material that was pornographic, racist, or likely to incite someone to commit an act of terrorism, the sender and the company's directors could still face prosecution. The "ignorance of the law" clause cannot be used as a defense in this situation. Therefore, the statement is false.

Explanation

A company is not legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. However, if outgoing email was found to contain material that was pornographic, racist, or likely to incite someone to commit an act of terrorism, the sender and the company's directors could still face prosecution. The "ignorance of the law" clause cannot be used as a defense in this situation. Therefore, the statement is false.

14. What command would you type to OS fingerprint a server using the command line?

Option A

Option B

Option C

Option D

To OS fingerprint a server using the command line, you would type the command specified in Option C.

Explanation

To OS fingerprint a server using the command line, you would type the command specified in Option C.

15. Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?

The initial traffic from 192.168.12.35 was being spoofed.

The traffic from 192.168.12.25 is from a Linux computer.

The TTL of 21 means that the client computer ison wireless.

The client computer at 192.168.12.35 is a zombie computer.

Wayne can infer that the initial traffic from 192.168.12.35 was being spoofed. This is because the TTL (Time to Live) value of the packets originating from 192.168.12.35 is lower (15) than the TTL value of the response received from the same IP address (21). A lower TTL value indicates that the packets have traveled a shorter distance, suggesting that the source IP address was likely forged or spoofed to make it appear as if it originated from the internal network.

Explanation

Wayne can infer that the initial traffic from 192.168.12.35 was being spoofed. This is because the TTL (Time to Live) value of the packets originating from 192.168.12.35 is lower (15) than the TTL value of the response received from the same IP address (21). A lower TTL value indicates that the packets have traveled a shorter distance, suggesting that the source IP address was likely forged or spoofed to make it appear as if it originated from the internal network.

16. After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attack connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server. What attacks can you successfully launch against a server using the above technique?

Denial of Service attacks

Session Hijacking attacks

Web page defacement attacks

IP spoofing attacks

By recording the sequence number chosen by the server and then opening a second connection from a forged IP address, an attacker can successfully launch Session Hijacking attacks. In this type of attack, the attacker can impersonate the legitimate client by guessing the correct responses and gain unauthorized access to the server. This allows the attacker to hijack the established session and potentially perform malicious actions on behalf of the legitimate client.

Explanation

By recording the sequence number chosen by the server and then opening a second connection from a forged IP address, an attacker can successfully launch Session Hijacking attacks. In this type of attack, the attacker can impersonate the legitimate client by guessing the correct responses and gain unauthorized access to the server. This allows the attacker to hijack the established session and potentially perform malicious actions on behalf of the legitimate client.

17. WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website?

Place robots.txt file in the root of your website with listing of directories that you don't want to be crawled

Place authentication on root directories that will prevent crawling from these spiders

Nable SSL on the restricted directories which will block these spiders from crawling

Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index

not-available-via-ai

Explanation

not-available-via-ai

18. The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination. The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. How would you overcome the Firewall restriction on ICMP ECHO packets?

\> JOHNTHETRACER www.eccouncil.org -F -evade

By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. Firewalls typically permit inbound TCP packets to specific ports that hosts behind the firewall are listening for connections. Therefore, by using TCP SYN packets, which are typically used to establish a TCP connection, traceroute can mimic legitimate traffic and bypass the firewall restrictions on ICMP ECHO packets. This allows traceroute to successfully trace the path packets take to reach the destination, even in the presence of firewalls.

Explanation

By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters. Firewalls typically permit inbound TCP packets to specific ports that hosts behind the firewall are listening for connections. Therefore, by using TCP SYN packets, which are typically used to establish a TCP connection, traceroute can mimic legitimate traffic and bypass the firewall restrictions on ICMP ECHO packets. This allows traceroute to successfully trace the path packets take to reach the destination, even in the presence of firewalls.

19. What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]'; DROP TABLE members; --'

This code will insert the [email protected] email address into the members table.

This command will delete the entire members table.

It retrieves the password for the first user in the members table.

This command will not produce anything since the syntax is incorrect.

The given command is a SQL injection attack that aims to delete the entire members table. The command starts with a SELECT statement to retrieve the email, password, login ID, and full name from the members table where the email is equal to '[email protected]'. However, the command is maliciously crafted to include a DROP TABLE statement, which will delete the members table. The semicolon and double hyphen at the end are used to comment out the rest of the command, making it effective in deleting the table.

Explanation

The given command is a SQL injection attack that aims to delete the entire members table. The command starts with a SELECT statement to retrieve the email, password, login ID, and full name from the members table where the email is equal to '[email protected]'. However, the command is maliciously crafted to include a DROP TABLE statement, which will delete the members table. The semicolon and double hyphen at the end are used to comment out the rest of the command, making it effective in deleting the table.

20. John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the log files to investigate the attack. Take a look at the following Linux log file snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

The hacker is attempting to compromise more machines on the network

The hacker is planting a rootkit

The hacker is running a buffer overflow exploit to lock down the system

The hacker is trying to cover his tracks

The given log file snippet suggests that the hacker is trying to cover his tracks. This can be inferred from the fact that the hacker has compromised a Linux machine and is likely attempting to erase any evidence of their presence or actions on the compromised system.

Explanation

The given log file snippet suggests that the hacker is trying to cover his tracks. This can be inferred from the fact that the hacker has compromised a Linux machine and is likely attempting to erase any evidence of their presence or actions on the compromised system.

21. Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems, and disabled all unnecessary services on all the servers. Unfortunately, there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about this since telnet can be a very large security risk in an organization. Blake is concerned about how this particular server might look to an outside attacker so he decides to perform some footprinting, scanning, and penetration tests on the server. Blake telnets into the server using Port 80 and types in the following command: HEAD / HTTP/1.0 After pressing enter twice, Blake gets the following results: What has Blake just accomplished?

Downloaded a file to his local computer

Submitted a remote command to crash the server

Poisoned the local DNS cache of the server

Grabbed the Operating System banner

By typing the command "HEAD / HTTP/1.0" and receiving the results, Blake has successfully grabbed the Operating System banner. The command is commonly used to retrieve information about the web server, including the version and type of operating system it is running on. This information can be useful for an attacker to identify vulnerabilities and plan further attacks.

Explanation

By typing the command "HEAD / HTTP/1.0" and receiving the results, Blake has successfully grabbed the Operating System banner. The command is commonly used to retrieve information about the web server, including the version and type of operating system it is running on. This information can be useful for an attacker to identify vulnerabilities and plan further attacks.

22. Which type of password cracking technique works like dictionary attack but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

Dictionary attack

Brute forcing attack

Hybrid attack

Syllable attack

Rule-based attack

A hybrid attack is a type of password cracking technique that combines elements of a dictionary attack and a brute force attack. It starts with a dictionary of common words and then adds numbers and symbols to those words to create variations. These variations are then used to try and crack the password. This technique is effective because it takes advantage of the fact that many people use common words as their passwords, but also adds complexity by incorporating numbers and symbols.

Explanation

A hybrid attack is a type of password cracking technique that combines elements of a dictionary attack and a brute force attack. It starts with a dictionary of common words and then adds numbers and symbols to those words to create variations. These variations are then used to try and crack the password. This technique is effective because it takes advantage of the fact that many people use common words as their passwords, but also adds complexity by incorporating numbers and symbols.

23. Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access.

Identify the correct statement related to the above Web Server installation?

Lack of proper security policy, procedures and maintenance

Bugs in server software, OS and web applications

Installing the server with default settings

Unpatched security flaws in the server software, OS and applications

Installing the server with default settings can be a correct statement related to the above web server installation. This is because using default settings may leave the server vulnerable to attacks as it may not have the necessary security configurations in place. It is important to customize the server settings and apply security measures to protect against potential exploits.

Explanation

Installing the server with default settings can be a correct statement related to the above web server installation. This is because using default settings may leave the server vulnerable to attacks as it may not have the necessary security configurations in place. It is important to customize the server settings and apply security measures to protect against potential exploits.

24. Bank of Timbuktu is a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently. Customers can access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser. John Stevens is in charge of information security at Bank of Timbuktu. After one month in production, several customers have complained about the Internet enabled banking application. Strangely, the account balances of many of the bank's customers had been changed! However, money hasn't been removed from the bank; instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

What kind of attack did the Hacker attempt to carry out at the bank?

Brute force attack in which the Hacker attempted guessing login ID and password from password cracking tools.

The Hacker used a generator module to pass results to the Web server and exploited Web application CGI vulnerability.

The correct answer is that the hacker first attempted logins with suspected usernames, then used SQL injection to gain access to valid bank login IDs. This is evident from the statement that the account balances of many customers were changed and money was transferred between accounts. SQL injection is a common attack technique where malicious SQL statements are inserted into an entry field, allowing the attacker to manipulate the database. In this case, the hacker likely used SQL injection to bypass the login system and gain access to valid login IDs, which they then used to transfer money between accounts.

Explanation

The correct answer is that the hacker first attempted logins with suspected usernames, then used SQL injection to gain access to valid bank login IDs. This is evident from the statement that the account balances of many customers were changed and money was transferred between accounts. SQL injection is a common attack technique where malicious SQL statements are inserted into an entry field, allowing the attacker to manipulate the database. In this case, the hacker likely used SQL injection to bypass the login system and gain access to valid login IDs, which they then used to transfer money between accounts.

25. What type of port scan is represented here?

Stealth Scan

Full Scan

XMAS Scan

FIN Scan

A stealth scan is a type of port scan where the attacker tries to hide their presence and avoid detection. They do this by sending packets to the target system without completing the full TCP handshake. In a stealth scan, the attacker sends SYN packets to the target, but does not send the final ACK packet to complete the handshake. This allows them to gather information about open ports without alerting the target system's security measures.

Explanation

A stealth scan is a type of port scan where the attacker tries to hide their presence and avoid detection. They do this by sending packets to the target system without completing the full TCP handshake. In a stealth scan, the attacker sends SYN packets to the target, but does not send the final ACK packet to complete the handshake. This allows them to gather information about open ports without alerting the target system's security measures.

26. Which of the following Exclusive OR transforms bits is NOT correct?

0 xor 0 = 0

1 xor 0 = 1

1 xor 1 = 1

0 xor 1 = 1

The given XOR transforms for bits are all correct except for "1 xor 1 = 1". The XOR operation returns 1 only when the two input bits are different, but in the case of "1 xor 1", both bits are the same (both are 1), so the correct result should be 0.

Explanation

The given XOR transforms for bits are all correct except for "1 xor 1 = 1". The XOR operation returns 1 only when the two input bits are different, but in the case of "1 xor 1", both bits are the same (both are 1), so the correct result should be 0.

27. June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based antivirus programs. Can June use an antivirus program in this case and would it be effective against a polymorphic virus?

The correct answer states that June cannot use an antivirus program because it compares the signatures of executable files to the database of known viral signatures, and in the case of polymorphic viruses, they cannot be detected by a signature-based antivirus program. Polymorphic viruses have the ability to mutate and change their known viral signature, making it difficult for signature-based antivirus programs to identify and detect them. Therefore, using an antivirus program that relies on signature matching would not be effective against polymorphic viruses.

Explanation

The correct answer states that June cannot use an antivirus program because it compares the signatures of executable files to the database of known viral signatures, and in the case of polymorphic viruses, they cannot be detected by a signature-based antivirus program. Polymorphic viruses have the ability to mutate and change their known viral signature, making it difficult for signature-based antivirus programs to identify and detect them. Therefore, using an antivirus program that relies on signature matching would not be effective against polymorphic viruses.

28. Jacob is looking through a traffic log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here?

Jacob is seeing a Smurf attack.

Jacob is seeing a SYN flood.

He is seeing a SYN/ACK attack.

He has found evidence of an ACK flood.

Jacob is seeing a SYN flood. A SYN flood is a type of denial-of-service (DoS) attack where an attacker sends a large number of SYN requests to a target computer in order to overwhelm its resources and make it unable to respond to legitimate requests. In this case, Jacob has identified that the SYN requests are coming from a spoofed IP address, indicating that the attacker is disguising their identity.

Explanation

Jacob is seeing a SYN flood. A SYN flood is a type of denial-of-service (DoS) attack where an attacker sends a large number of SYN requests to a target computer in order to overwhelm its resources and make it unable to respond to legitimate requests. In this case, Jacob has identified that the SYN requests are coming from a spoofed IP address, indicating that the attacker is disguising their identity.

29. Which of the following LM hashes represents a password of less than 8 characters?

0182BD0BD4444BF836077A718CCDF409

44EFCE164AB921CQAAD3B435B51404EE

BA810DBA98995F1817306D272A9441BB

CEC52EB9C8E3455DC2265B23734E0DAC

B757BF5C0D87772FAAD3B435B51404EE

E52CAC67419A9A224A3B108F3FA6CB6D

The LM hash is a password hashing algorithm used in older versions of Windows operating systems. It breaks the password into two 7-character halves and hashes them separately. Therefore, any LM hash that has less than 8 characters represents a password of less than 8 characters. In this case, the hashes "44EFCE164AB921CQAAD3B435B51404EE" and "B757BF5C0D87772FAAD3B435B51404EE" both have 7 characters, indicating passwords of less than 8 characters.

Explanation

The LM hash is a password hashing algorithm used in older versions of Windows operating systems. It breaks the password into two 7-character halves and hashes them separately. Therefore, any LM hash that has less than 8 characters represents a password of less than 8 characters. In this case, the hashes "44EFCE164AB921CQAAD3B435B51404EE" and "B757BF5C0D87772FAAD3B435B51404EE" both have 7 characters, indicating passwords of less than 8 characters.

Submit

30. Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pours through the Sniffer's manual, but cannot find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the Sniffer was not working because the agency's network is a switched network, which cannot be sniffed by some programs without some tweaking. What technique could Harold use to sniff his agency's switched network?

ARP spoof the default gateway

Conduct MiTM against the switch

Launch smurf attack against the switch

Flood the switch with ICMP packets

Harold can use the technique of ARP spoofing the default gateway to sniff his agency's switched network. By ARP spoofing, Harold can trick the network into sending all the traffic to his machine instead of the actual default gateway. This way, he can capture and analyze the network traffic using the Sniffer program. ARP spoofing involves manipulating the ARP (Address Resolution Protocol) tables to associate his machine's MAC address with the IP address of the default gateway. This allows Harold to intercept and analyze the network traffic passing through the switched network.

Explanation

Harold can use the technique of ARP spoofing the default gateway to sniff his agency's switched network. By ARP spoofing, Harold can trick the network into sending all the traffic to his machine instead of the actual default gateway. This way, he can capture and analyze the network traffic using the Sniffer program. ARP spoofing involves manipulating the ARP (Address Resolution Protocol) tables to associate his machine's MAC address with the IP address of the default gateway. This allows Harold to intercept and analyze the network traffic passing through the switched network.

31. Botnets are networks of compromised computers that are controlled remotely and surreptitiously by one or more cyber criminals. How do cyber criminals infect a victim's computer with bots? (Select 4 answers)

Attackers physically visit every victim's computer to infect them with malicious software

Home computers that have security vulnerabilities are prime targets for botnets

Spammers scan the Internet looking for computers that are unprotected and use these "open- doors" to install malicious software

Attackers use phishing or spam emails that contain links or attachments

Attackers use websites to host the bots utilizing Web Browser vulnerabilities

Cyber criminals infect a victim's computer with bots by targeting home computers that have security vulnerabilities, scanning the internet for unprotected computers and using them as entry points to install malicious software. They also use phishing or spam emails that contain links or attachments to trick users into downloading malware. Additionally, attackers exploit web browser vulnerabilities by hosting the bots on websites, allowing them to infect computers when users visit these compromised sites.

Explanation

Cyber criminals infect a victim's computer with bots by targeting home computers that have security vulnerabilities, scanning the internet for unprotected computers and using them as entry points to install malicious software. They also use phishing or spam emails that contain links or attachments to trick users into downloading malware. Additionally, attackers exploit web browser vulnerabilities by hosting the bots on websites, allowing them to infect computers when users visit these compromised sites.

Submit

32. Blane is a security analyst for a law firm. One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients. The client is explicitly asked not to re-send the email since that would be a violation of the lawyer's and client's agreement for this particular case. What can Blane use to accomplish this?

He can use a split-DNS service to ensure the email is not forwarded on.

A service such as HTTrack would accomplish this.

Blanecould use MetaGoofil tracking tool.

Blane can use a service such as ReadNotify tracking tool.

Blane can use a service such as ReadNotify tracking tool to accomplish this. This tool allows the sender to track the email and receive notifications when it is opened, forwarded, or printed. By using ReadNotify, Blane can monitor if the email is forwarded to any other recipients, ensuring compliance with the lawyer's and client's agreement.

Explanation

Blane can use a service such as ReadNotify tracking tool to accomplish this. This tool allows the sender to track the email and receive notifications when it is opened, forwarded, or printed. By using ReadNotify, Blane can monitor if the email is forwarded to any other recipients, ensuring compliance with the lawyer's and client's agreement.

33. The GET method should never be used when sensitive data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card information into a form that uses the GET method. The URL may appear like this: https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?

Never include sensitive information in a script

Use HTTPS SSLv3 to send the data instead of plain HTTPS

Replace the GET with POST method when sending data

Encrypt the data before you send using GET method

Using the GET method to send sensitive data such as credit card information is not secure because the data is appended to the URL and can be logged by servers. To protect against this type of attack, the best approach is to replace the GET method with the POST method when sending data. Unlike GET, the POST method sends data in the body of the HTTP request rather than appending it to the URL, making it more secure and less prone to interception or logging.

Explanation

Using the GET method to send sensitive data such as credit card information is not secure because the data is appended to the URL and can be logged by servers. To protect against this type of attack, the best approach is to replace the GET method with the POST method when sending data. Unlike GET, the POST method sends data in the body of the HTTP request rather than appending it to the URL, making it more secure and less prone to interception or logging.

34. You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet?

Ping packets cannot bypass firewalls

You must use ping 10.2.3.4 switch

Hping2 uses stealth TCP packets to connect

Hping2 uses TCP instead of ICMP by default

Hping2 uses TCP instead of ICMP by default, which allows it to bypass the firewall that may be blocking ICMP packets. While ping packets use ICMP, which can be blocked by firewalls, hping2's use of TCP packets enables it to establish a connection with the target host and receive a response even if ICMP is blocked.

Explanation

Hping2 uses TCP instead of ICMP by default, which allows it to bypass the firewall that may be blocking ICMP packets. While ping packets use ICMP, which can be blocked by firewalls, hping2's use of TCP packets enables it to establish a connection with the target host and receive a response even if ICMP is blocked.

35. Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this?

Bill can use the command: ip dhcp snooping.

Bill can use the command:no ip snoop.

Bill could use the command: ip arp no flood.

He could use the command: ip arp no snoop.

Bill can use the command "ip dhcp snooping" to ensure that all switches are safe from ARP poisoning. This command enables the switch to validate DHCP messages received from untrusted sources and ensure that only valid DHCP messages are allowed. By enabling DHCP snooping, Bill can prevent unauthorized DHCP servers from distributing incorrect IP addresses and protect against ARP poisoning attacks.

Explanation

Bill can use the command "ip dhcp snooping" to ensure that all switches are safe from ARP poisoning. This command enables the switch to validate DHCP messages received from untrusted sources and ensure that only valid DHCP messages are allowed. By enabling DHCP snooping, Bill can prevent unauthorized DHCP servers from distributing incorrect IP addresses and protect against ARP poisoning attacks.

36. You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

Stealth scan

Connect scan

Fragmented packet scan

XMAS scan

A connect scan is the most reliable type of scan to use in this scenario. It establishes a full TCP connection with the target host, which allows for more accurate results. This scan sends a SYN packet to the target host and waits for a response. If the target responds with a SYN/ACK packet, it means the port is open. If the target responds with a RST packet, it means the port is closed. This method is more reliable because it completes the full TCP handshake, ensuring that the results are accurate.

Explanation

A connect scan is the most reliable type of scan to use in this scenario. It establishes a full TCP connection with the target host, which allows for more accurate results. This scan sends a SYN packet to the target host and waits for a response. If the target responds with a SYN/ACK packet, it means the port is open. If the target responds with a RST packet, it means the port is closed. This method is more reliable because it completes the full TCP handshake, ensuring that the results are accurate.

37. SSL has been seen as the solution to a lot of common security problems. Administrator will often time make use of SSL to encrypt communications from points A to point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B?

SSL is redundant if you already have IDS's in place

SSL will trigger rules at regular interval and force the administrator to turn them off

SSL will slow down the IDS while it is breaking the encryption to see the packet content

SSL will blind the content of the packet and Intrusion Detection Systems will not be able to detect them

SSL encrypts the communication between point A and B, making it difficult for an Intrusion Detection System (IDS) to analyze the packet content. The IDS relies on inspecting the packet content to detect any malicious activity or potential threats. However, when SSL is used, the content of the packets becomes obscured, and the IDS is unable to effectively analyze them. This can result in the IDS failing to detect any intrusions or security threats, making SSL a bad idea in this scenario.

Explanation

SSL encrypts the communication between point A and B, making it difficult for an Intrusion Detection System (IDS) to analyze the packet content. The IDS relies on inspecting the packet content to detect any malicious activity or potential threats. However, when SSL is used, the content of the packets becomes obscured, and the IDS is unable to effectively analyze them. This can result in the IDS failing to detect any intrusions or security threats, making SSL a bad idea in this scenario.

38. Harold just got home from working at Henderson LLC where he works as an IT technician. He was able to get off early because they were not too busy. When he walks into his home office, he notices his teenage daughter on the computer, apparently chatting with someone online. As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game. When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer. Harold is very concerned because he does not want his daughter to fall victim to online predators and the sort. Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing. Harold wants to use some kind of program that will track her activities online, and send Harold an email of her activity once a day so he can see what she has been up to. What kind of software could Harold use to accomplish this?

Install hardware Keylogger on her computer

Install screen capturing Spyware on her computer

Enable Remote Desktop on her computer

Install VNC on her computer

Harold can use screen capturing spyware to track his daughter's online activities. This software will capture screenshots of her computer screen at regular intervals, allowing Harold to see what she has been doing online. By installing this spyware, Harold can monitor his daughter's activities without her knowledge or alerting her to his intentions. This will help him ensure her safety and protect her from potential online predators.

Explanation

Harold can use screen capturing spyware to track his daughter's online activities. This software will capture screenshots of her computer screen at regular intervals, allowing Harold to see what she has been doing online. By installing this spyware, Harold can monitor his daughter's activities without her knowledge or alerting her to his intentions. This will help him ensure her safety and protect her from potential online predators.

39. What type of port scan is shown below?

Idle Scan

Windows Scan

XMAS Scan

SYN Stealth Scan

The correct answer is XMAS Scan. An XMAS Scan is a type of port scan where a packet with the FIN, URG, and PSH flags set is sent to the target system. This scan is used to determine if a port is open, closed, or filtered by the firewall. If the target system responds with a RST packet, the port is closed. If there is no response, the port is open. This scan is called XMAS Scan because the combination of the FIN, URG, and PSH flags resembles the blinking lights of a Christmas tree.

Explanation

The correct answer is XMAS Scan. An XMAS Scan is a type of port scan where a packet with the FIN, URG, and PSH flags set is sent to the target system. This scan is used to determine if a port is open, closed, or filtered by the firewall. If the target system responds with a RST packet, the port is closed. If there is no response, the port is open. This scan is called XMAS Scan because the combination of the FIN, URG, and PSH flags resembles the blinking lights of a Christmas tree.

40. Here is the ASCII Sheet.

You want to guess the DBO username juggyboy (8 characters) using Blind SQL Injection technique. What is the correct syntax?

Option A

Option B

Option C

Option D

not-available-via-ai

Explanation

not-available-via-ai

41. Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

Hayden is attempting to find live hosts on her company's network byusing an XMAS scan

She is utilizing a SYN scan to find live hosts that are listening on her network

The type of scan, she is using is called a NULL scan

Hayden is using a half-open scan to find live hosts on her network

Hayden is using a half-open scan to find live hosts on her network. In a half-open scan, Hayden sends SYN packets to an IP range and receives SYN/ACK responses from the hosts that are listening. However, before the connection is fully established, she sends RST packets to stop the session. This allows her to see how her intrusion detection system will log the traffic and identify any potential security vulnerabilities or threats on the network.

Explanation

Hayden is using a half-open scan to find live hosts on her network. In a half-open scan, Hayden sends SYN packets to an IP range and receives SYN/ACK responses from the hosts that are listening. However, before the connection is fully established, she sends RST packets to stop the session. This allows her to see how her intrusion detection system will log the traffic and identify any potential security vulnerabilities or threats on the network.

42. While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect's workstation. He comes across a file that is just called "file.txt" but when he opens it, he finds the following:

What can he infer from this file?

A picture that has been renamed with a .txt extension

An encrypted file

An encoded file

A buffer overflow

The investigator can infer that the file is a buffer overflow. This is because a buffer overflow occurs when a program or process tries to store more data in a buffer than it can hold, causing the excess data to overflow into adjacent memory. In this case, the file may have been given a .txt extension to make it appear as a harmless text file, but its contents are actually causing a buffer overflow. This suggests that the suspect may be attempting to exploit a vulnerability in a program or system.

Explanation

The investigator can infer that the file is a buffer overflow. This is because a buffer overflow occurs when a program or process tries to store more data in a buffer than it can hold, causing the excess data to overflow into adjacent memory. In this case, the file may have been given a .txt extension to make it appear as a harmless text file, but its contents are actually causing a buffer overflow. This suggests that the suspect may be attempting to exploit a vulnerability in a program or system.

43. __________ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

Alternate Data Streams

Merge Streams

Steganography

NetBIOS vulnerability

Alternate Data Streams is a feature found in all versions of NTFS that allows file data to be forked into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. This means that additional data can be stored within a file without altering its appearance or behavior, making it a useful tool for hiding information or adding metadata to files.

Explanation

Alternate Data Streams is a feature found in all versions of NTFS that allows file data to be forked into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. This means that additional data can be stored within a file without altering its appearance or behavior, making it a useful tool for hiding information or adding metadata to files.

44. You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

There is no way to completely block tracerouting into this area

Block UDP at the firewall

Block TCP at the firewall

Block ICMP at the firewall

Blocking UDP, TCP, or ICMP at the firewall can help to prevent traceroute to some extent, but it cannot completely block tracerouting into the DMZ area. Traceroute uses a combination of ICMP, UDP, and TCP packets to determine the network path to a destination. By blocking these protocols, the firewall can make it more difficult for attackers to perform traceroute, but determined attackers may still find ways to bypass these restrictions. Therefore, there is no foolproof way to completely block tracerouting into the DMZ area.

Explanation

Blocking UDP, TCP, or ICMP at the firewall can help to prevent traceroute to some extent, but it cannot completely block tracerouting into the DMZ area. Traceroute uses a combination of ICMP, UDP, and TCP packets to determine the network path to a destination. By blocking these protocols, the firewall can make it more difficult for attackers to perform traceroute, but determined attackers may still find ways to bypass these restrictions. Therefore, there is no foolproof way to completely block tracerouting into the DMZ area.

45. Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami. Kevin and his girlfriend Katy recently broke up after a big fight. Kevin believes that she was seeing another person. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL after successfully logged in: https://www.youremailhere.com/mail.asp?mailbox=Kevin&Smith=121%22 Kevin changes the URL to: https://www.youremailhere.com/mail.asp?mailbox=Katy&Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information. What is Kevin attempting here to gain access to Katy's mailbox?

This type of attempt is called URL obfuscation when someone manually changes aURL to try and gain unauthorized access

By changing the mailbox's name in the URL, Kevin is attempting directory transversal

Kevin is trying to utilize query string manipulation to gain access to her email account

He is attempting a path-string attack to gain access to her mailbox

Kevin is attempting to gain unauthorized access to Katy's email account by manipulating the query string in the URL. The query string manipulation involves changing the parameters in the URL to try and bypass authentication and gain access to the desired mailbox. This type of attack is known as query string manipulation and is a common method used by attackers to exploit vulnerabilities in web applications.

Explanation

Kevin is attempting to gain unauthorized access to Katy's email account by manipulating the query string in the URL. The query string manipulation involves changing the parameters in the URL to try and bypass authentication and gain access to the desired mailbox. This type of attack is known as query string manipulation and is a common method used by attackers to exploit vulnerabilities in web applications.

46. You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session. Here is the captured data in tcpdump.

What are the next sequence and acknowledgement numbers that the router will send to the victim machine?

Sequence number: 82980070 Acknowledgement number: 17768885A.

Sequence number: 17768729 Acknowledgement number: 82980070B.

Sequence number: 87000070 Acknowledgement number: 85320085C.

Sequence number: 82980010 Acknowledgement number: 17768885D.

not-available-via-ai

Explanation

not-available-via-ai

47. Simon is security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;) alert

The payload of 485 is what this Snort signature will look for.

Snort will look for 0d0a5b52504c5d3030320d0a in the payload.

Packets that contain the payload of BACKDOOR SIG -SubSseven 22 will be flagged.

From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.

This Snort signature is designed to look for the hexadecimal string "0d0a5b52504c5d3030320d0a" in the payload of the suspected packets. If this string is found in the payload, Snort will flag the packets as potentially containing the "BACKDOOR SIG - SubSseven 22" backdoor signature.

Explanation

This Snort signature is designed to look for the hexadecimal string "0d0a5b52504c5d3030320d0a" in the payload of the suspected packets. If this string is found in the payload, Snort will flag the packets as potentially containing the "BACKDOOR SIG - SubSseven 22" backdoor signature.

48. Which Windows system tool checks integrity of critical files that has been digitally signed by Microsoft?

Signverif.exe

Sigverif.exe

Msverif.exe

Verifier.exe

Sigverif.exe is a Windows system tool that checks the integrity of critical files that have been digitally signed by Microsoft. It verifies the digital signatures of these files to ensure that they have not been tampered with or modified in any way, providing an added layer of security and ensuring the trustworthiness of these files. This tool is commonly used to detect any unauthorized changes to system files, helping to maintain the overall stability and security of the Windows operating system.

Explanation

Sigverif.exe is a Windows system tool that checks the integrity of critical files that have been digitally signed by Microsoft. It verifies the digital signatures of these files to ensure that they have not been tampered with or modified in any way, providing an added layer of security and ensuring the trustworthiness of these files. This tool is commonly used to detect any unauthorized changes to system files, helping to maintain the overall stability and security of the Windows operating system.

49. If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response?

The zombie computer will respond with an IPID of 24334.

The zombie computer will respond with an IPID of 24333.

The zombie computer will notsend a response.

The zombie computer will respond with an IPID of 24335.

When an attacker's computer sends an IPID of 24333 to a zombie computer on a closed port using Idle Scanning, the zombie computer will respond with an IPID of 24334. This is because Idle Scanning involves sending a spoofed packet to the zombie computer, which then sends a response to the victim's IP address. The IPID of the response packet is typically incremented by 1 compared to the IPID of the packet sent by the attacker. Therefore, the correct answer is that the zombie computer will respond with an IPID of 24334.

Explanation

When an attacker's computer sends an IPID of 24333 to a zombie computer on a closed port using Idle Scanning, the zombie computer will respond with an IPID of 24334. This is because Idle Scanning involves sending a spoofed packet to the zombie computer, which then sends a response to the victim's IP address. The IPID of the response packet is typically incremented by 1 compared to the IPID of the packet sent by the attacker. Therefore, the correct answer is that the zombie computer will respond with an IPID of 24334.

50. Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports. Which of the following command results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.

Hping3 -T 10.8.8.8 -S netbios -c 2 -p 80

Hping3 -Y 10.8.8.8 -S windows -c 2 -p 80

Hping3 -O 10.8.8.8 -S server -c 2 -p 80

Hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

The correct answer is hping3 -a 10.8.8.8 -S springfield -c 2 -p 80. This command will spoof the source IP address as 10.8.8.8 and the source port as "springfield". By sending packets with these spoofed values, it will appear as if the packets are originating from the system at 10.8.8.8. This allows for testing whether the firewall is allowing or blocking these packets, helping to determine if random packets are being allowed in or out of the network.

Explanation

The correct answer is hping3 -a 10.8.8.8 -S springfield -c 2 -p 80. This command will spoof the source IP address as 10.8.8.8 and the source port as "springfield". By sending packets with these spoofed values, it will appear as if the packets are originating from the system at 10.8.8.8. This allows for testing whether the firewall is allowing or blocking these packets, helping to determine if random packets are being allowed in or out of the network.

51. You are writing security policy that hardens and prevents Footprinting attempt by Hackers. Which of the following countermeasures will NOT be effective against this attack?

Configure routers to restrict the responses to Footprinting requests

Configure Web Servers to avoid information leakage and disable unwanted protocols

Lock the ports with suitable Firewall configuration

Use an IDS that can be configured to refusesuspicious traffic and pick up Footprinting patterns

Evaluate the information before publishing it on the Website/Intranet

Monitor every employee computer with Spy cameras, keyloggers and spy on them

Perform Footprinting techniques and remove anysensitive information found on DMZ sites

Prevent search engines from caching a Webpage and use anonymous registration services

Disable directory and use split-DNS

not-available-via-ai

Explanation

not-available-via-ai

52. An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system. What could be the reason?

The firewall is blocking port 23 to that system

He needs to use an automated tool to telnet in

He cannot spoof hisIP and successfully use TCP

He is attacking an operating system that does not reply to telnet even when open

The reason could be that he cannot successfully spoof his IP and use TCP. Spoofing his IP address means that he is altering the source IP address in the packets he sends to make it appear as if they are coming from a different IP address. However, TCP uses a three-way handshake process, which requires the attacker to receive a response from the target system in order to establish a connection. Since the attacker is spoofing his IP, the response from the target system will be sent to the spoofed IP address, not to the attacker's actual IP address. This means that the attacker will not receive the response and the connection will not be established.

Explanation

The reason could be that he cannot successfully spoof his IP and use TCP. Spoofing his IP address means that he is altering the source IP address in the packets he sends to make it appear as if they are coming from a different IP address. However, TCP uses a three-way handshake process, which requires the attacker to receive a response from the target system in order to establish a connection. Since the attacker is spoofing his IP, the response from the target system will be sent to the spoofed IP address, not to the attacker's actual IP address. This means that the attacker will not receive the response and the connection will not be established.

53. How do you defend against ARP Poisoning attack? (Select 2 answers)

Enable DHCP Snooping Binding Table

Restrict ARP Duplicates

Enable Dynamic ARP Inspection

Enable MAC snooping Table

To defend against ARP Poisoning attacks, enabling DHCP Snooping Binding Table and Dynamic ARP Inspection are effective measures. Enabling DHCP Snooping Binding Table allows the network to verify the legitimacy of DHCP messages, preventing attackers from spoofing IP addresses. Dynamic ARP Inspection, on the other hand, validates ARP packets by comparing them with the DHCP Snooping Binding Table, ensuring that only legitimate ARP requests are allowed. These two measures combined help in mitigating the risk of ARP Poisoning attacks by securing the network against unauthorized IP and MAC address spoofing.

Explanation

To defend against ARP Poisoning attacks, enabling DHCP Snooping Binding Table and Dynamic ARP Inspection are effective measures. Enabling DHCP Snooping Binding Table allows the network to verify the legitimacy of DHCP messages, preventing attackers from spoofing IP addresses. Dynamic ARP Inspection, on the other hand, validates ARP packets by comparing them with the DHCP Snooping Binding Table, ensuring that only legitimate ARP requests are allowed. These two measures combined help in mitigating the risk of ARP Poisoning attacks by securing the network against unauthorized IP and MAC address spoofing.

Submit

54. Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses?

Only Windows systems will reply to this scan.

A switched network will not respond to packets sent tothe broadcast address.

Only Linux and Unix-like (Non-Windows) systems will reply to this scan.

Only servers will reply to this scan.

This ping sweep only produced a few responses because only Linux and Unix-like systems will reply to this scan. Windows systems and servers will not respond, and a switched network will also not respond to packets sent to the broadcast address. Therefore, the majority of the 500 computers in the network are likely running Windows or are servers, which is why only a few hosts responded to the ping sweep.

Explanation

This ping sweep only produced a few responses because only Linux and Unix-like systems will reply to this scan. Windows systems and servers will not respond, and a switched network will also not respond to packets sent to the broadcast address. Therefore, the majority of the 500 computers in the network are likely running Windows or are servers, which is why only a few hosts responded to the ping sweep.

55. What two things will happen if a router receives an ICMP packet, which has a TTL value of 1, and the destination host is several hops away? (Select 2 answers)

The router will discard the packet

The router will send a time exceeded message to the source host

The router will send an ICMP Redirect Message to the source host

If a router receives an ICMP packet with a TTL value of 1 and the destination host is several hops away, two things will happen. Firstly, the router will discard the packet because the TTL value has reached 0 and the packet cannot be forwarded any further. Secondly, the router will send a time exceeded message to the source host to inform it that the packet could not reach its destination due to the TTL value being expired.

Explanation

If a router receives an ICMP packet with a TTL value of 1 and the destination host is several hops away, two things will happen. Firstly, the router will discard the packet because the TTL value has reached 0 and the packet cannot be forwarded any further. Secondly, the router will send a time exceeded message to the source host to inform it that the packet could not reach its destination due to the TTL value being expired.

Submit

56. Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. How will you defend against hardware keyloggers when using public computers and Internet Kiosks? (Select 4 answers)

Alternate between typing the login credentials and typing characters somewhere else in the focus window

Type a wrong password first, later type the correct password on the login page defeating the keylogger recording

The correct answers provide strategies to defend against hardware keyloggers when using public computers and Internet kiosks. Alternating between typing the login credentials and typing characters somewhere else in the focus window can confuse the keylogger by mixing the actual password with random keystrokes. Typing a password beginning with the last letter and using the mouse to move the cursor for each subsequent letter can also confuse the keylogger as the recorded keystrokes will not match the actual password. Additionally, the technique of replacing selected text with dummy keys and then typing the actual password can further confuse the keylogger by recording incorrect information.

Explanation

The correct answers provide strategies to defend against hardware keyloggers when using public computers and Internet kiosks. Alternating between typing the login credentials and typing characters somewhere else in the focus window can confuse the keylogger by mixing the actual password with random keystrokes. Typing a password beginning with the last letter and using the mouse to move the cursor for each subsequent letter can also confuse the keylogger as the recorded keystrokes will not match the actual password. Additionally, the technique of replacing selected text with dummy keys and then typing the actual password can further confuse the keylogger by recording incorrect information.

Submit

57. Which of the following represent weak password? (Select 2 answers)

Passwords that contain letters, special characters, and numbers Example: ap1$%##f@52

Passwords that contain only numbers Example: 23698217

Passwords that contain only special characters Example: &*#@!(%)

Passwords that contain letters and numbers Example: meerdfget123

Passwords that contain only letters Example: QWERTYKLRTY

Passwords that contain only special characters and numbers Example: 123@$45

Passwords that contain only letters and special characters Example: bob@&ba

Passwords that contain Uppercase/Lowercase from a dictionary list Example: OrAnGe

Passwords that contain only letters and passwords that contain Uppercase/Lowercase from a dictionary list are considered weak passwords because they lack the complexity and randomness required to make a password secure. These types of passwords can be easily guessed or cracked by hackers using brute force or dictionary attacks. It is important to include a combination of letters, numbers, and special characters in a password to increase its strength and protect against unauthorized access.

Explanation

Passwords that contain only letters and passwords that contain Uppercase/Lowercase from a dictionary list are considered weak passwords because they lack the complexity and randomness required to make a password secure. These types of passwords can be easily guessed or cracked by hackers using brute force or dictionary attacks. It is important to include a combination of letters, numbers, and special characters in a password to increase its strength and protect against unauthorized access.

Submit

58. Trojan horse attacks pose one of the most serious threats to computer security. The image below shows different ways a Trojan can get into a system. Which are the easiest and most convincing ways to infect a computer?

IRC (Internet Relay Chat)

Legitimate "shrink-wrapped" software packaged by a disgruntled employee

NetBIOS (File Sharing)

Downloading files, games and screensavers from Internet sites

The easiest and most convincing way to infect a computer with a Trojan horse is through legitimate "shrink-wrapped" software packaged by a disgruntled employee. This method is effective because the software appears legitimate and trustworthy, making it easier to convince users to install it on their systems. Once installed, the Trojan can execute its malicious activities without the user suspecting any foul play.

Explanation

The easiest and most convincing way to infect a computer with a Trojan horse is through legitimate "shrink-wrapped" software packaged by a disgruntled employee. This method is effective because the software appears legitimate and trustworthy, making it easier to convince users to install it on their systems. Once installed, the Trojan can execute its malicious activities without the user suspecting any foul play.

59. If an attacker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response?

31400

31402

The zombie will not send a response

31401

When an attacker's computer sends an IPID of 31400 to a zombie computer on an open port using Idle Scanning technique, the response from the zombie computer will be 31402.

Explanation

When an attacker's computer sends an IPID of 31400 to a zombie computer on an open port using Idle Scanning technique, the response from the zombie computer will be 31402.

60. Which of the following Registry location does a Trojan add entries to make it persistent on Windows 7? (Select 2 answers)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\ Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

A Trojan adds entries to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location to make it persistent on Windows 7. This registry location contains a list of programs that are automatically executed when the computer starts up. By adding an entry to this location, the Trojan ensures that it will be launched every time the computer is turned on. Additionally, the Trojan may also add entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry location, which contains a list of programs that are automatically executed when a user logs into their account. By adding an entry to this location, the Trojan ensures that it will be launched every time the user logs in.

Explanation

A Trojan adds entries to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry location to make it persistent on Windows 7. This registry location contains a list of programs that are automatically executed when the computer starts up. By adding an entry to this location, the Trojan ensures that it will be launched every time the computer is turned on. Additionally, the Trojan may also add entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry location, which contains a list of programs that are automatically executed when a user logs into their account. By adding an entry to this location, the Trojan ensures that it will be launched every time the user logs in.

Submit

61. You generate MD5 128-bit hash on all files and folders on your computer to keep a baseline check for security reasons? What is the length of the MD5 hash?

32 char

64 byte

48 char

128 byte

The length of the MD5 hash is 32 characters or 128 bytes. The MD5 algorithm generates a fixed-length hash value of 128 bits, which is then represented as a string of 32 hexadecimal characters. Each character in the hash represents 4 bits, resulting in a total of 32 characters. Alternatively, since each hexadecimal character represents 4 bits, multiplying 32 characters by 4 gives a total of 128 bits or 16 bytes.

Explanation

The length of the MD5 hash is 32 characters or 128 bytes. The MD5 algorithm generates a fixed-length hash value of 128 bits, which is then represented as a string of 32 hexadecimal characters. Each character in the hash represents 4 bits, resulting in a total of 32 characters. Alternatively, since each hexadecimal character represents 4 bits, multiplying 32 characters by 4 gives a total of 128 bits or 16 bytes.

Submit