Appendix A. Answers to the “Do I Know This Already?” Quizzes and Review Questions

Chapter 1

“Do I Know This Already?” Quiz

1. a

2. b

3. c

4. a

5. d

6. b

7. a

8. c

9. d

10. b

Review Questions

1. B. The rules of engagement define what the penetration testing company can or cannot do. It lists the specific actions that are allowable. Answer A is incorrect because the NDA describes what can and cannot be discussed with others. Answer C is incorrect because the SLA defines a level of service. Answer D is incorrect because the project scope examines the time, scope, and cost of the project.

2. B. Confidentiality addresses the secrecy and privacy of information. Physical examples of confidentiality include locked doors, armed guards, and fences. Logical examples of confidentiality include passwords, encryption, and firewalls. Answer A is incorrect because integrity deals with the correctness of the information. Answer C is incorrect because availability deals with the issue that services and resources should be available when legitimate users need them. Answer D is incorrect because authentication is the means of proving someone is who he says he is. Authentication is usually verified by passwords, PINs, tokens, or biometrics.

3. C. The ALE is calculated by the following: ALE = SLE × ARO, or $2,500 × .4 = $1000. Therefore, answers A, B, and D are incorrect.

4. A. Gray hat hackers are individuals who cross the line between ethical and unethical behavior. Answer B is incorrect because ethical hackers do not violate ethics or laws. Answer C is incorrect because crackers are criminal hackers. Answer D is incorrect because white hat hacker is another term for ethical hacker.

5. B. Obtain written permission to hack. Ethical hackers must always obtain legal, written permission before beginning any security tests. Answer A is incorrect because ethical hackers should not hack web servers. Answer C is incorrect because, although ethical hackers should gather information about the target, this is not the most important step. D is incorrect because obtaining verbal permission is not enough to approve the test; permission must come in written form.

6. D. Ethical hackers use the same methods but strive to do no harm. Answer A is incorrect because malicious hackers might use the same tools and techniques that ethical hackers use. Answer B is incorrect because malicious hackers might be less advanced; even script kiddies can launch attacks. Answer C is incorrect because ethical hackers try not to bring down servers, and they do not steal credit card databases.

7. C. A stolen equipment test is performed to determine what type of information might be found. The equipment could be the CEO’s laptop or the organization’s backup media. Answer A is incorrect because insider attack tests seek to determine what malicious insiders could accomplish. Answer B is incorrect because physical entry attack tests seek to test the physical controls of an organization such as doors, locks, alarms, and guards. Answer D is incorrect because outsider attack tests are focused on what outsiders can access and given that access, what level of damage or control they can command.

8. A. Integrity provides for the correctness of information. Integrity allows users of information to have confidence in its correctness. Integrity can apply to paper documents as well as electronic ones. Answer B is incorrect because an attack that exposes sensitive information could be categorized as an attack on confidentiality. Answer C is incorrect because availability deals with the issue that services and resources should be available when legitimate users need them. Answer D is incorrect because authentication is the means of proving someone is who he says he is. Authentication is usually verified by passwords, PINs, tokens, or biometrics.

9. D. Hacktivists seek to promote social change; they believe that defacing websites and hacking servers is acceptable as long as it promotes their goals. Regardless of their motives, hacking remains illegal, and they are subject to the same computer crime laws as any other criminal. Answer A is incorrect because ethical hackers work within the boundaries of laws and ethics. Answer B is incorrect because gray hat hackers are those individuals who cross the line between legal and questionable behavior. Answer C is incorrect because black hat hackers are criminal hackers and might be motivated to perform illegal activities for many different reasons.

10. D. It is impossible to eliminate all risk. The remaining risk—after the controls are put in place—is known as the residual risk. Answers A, B, and C do not properly describe residual risk. A gap analysis is a process of determining the differences between a business’s information systems or software applications to determine whether business requirements are being met, and if not, what steps should be taken to ensure they are successfully met. Total risk is the total amount of risk, and inherent risk is the risk posed by an error or omission in a financial statement due to a factor other than a failure of control.

11. A. A penetration test can be described as an assessment in which the security tester takes on an adversarial role and looks to see what an outsider can access and control. Answer B is incorrect because a high-level evaluation examines policies and procedures. Answer C is incorrect because a network evaluation consists of policy review, some scanning, and execution of vulnerability assessment tools. Answer D is incorrect because a policy assessment is another name for a high-level evaluation.

12. D. To recover, you would need the last full backup and both incremental backups. Answers A, B, and C are incorrect because backup recovery is based on the method that is used. Incremental backup requires the least time each day but takes the most time to restore. Differential backup requires more time but only requires the last differential if an outage occurs. Full backups require even more time each day and take the longest to restore.

13. A. If no current practices or procedures exist, you should evaluate what type of security practices are actually in place so that you can recommend the correct changes. Answers B, C, and D are incorrect because you should not create practices during the assessment, change the level of testing, or stop the security assessment. With no documentation in place, it is more important than ever that the assessment continue.

14. C. Finding any kind of PII on an employee’s computer, such as credit card numbers and Social Security numbers, is a serious issue and should be dealt with before continuing the penetration test or audit. Answers A, B, and D are incorrect because you should not contact the employee, copy the data, or continue the pen test.

15. D. The portion of the penetration test where you would be tasked with building the team, identifying roles, and testing the communication system is during notification. Therefore, answers A, B, and C are incorrect.

16. C. Creating an exploit for which there is no known patch is known as a zero day. Answers A, B, and D are incorrect. Clark is not a suicide hacker, he has not violated any laws by simply creating the exploit, and he is not a white hat hacker.

17. A. The NDA sets limits on what can or cannot be discussed with others. Answer B is incorrect because PCI-DSS pertains to credit card security. Answer C is incorrect because an MOU pertains to an agreement between two companies that are working together. Answer D is incorrect because the terms of engagement address what can or cannot be done during the engagement.

18. D. A risk management framework is a complete framework used to secure the enterprise, identify risk, build controls, and provide reasonable assurance that objectives will be achieved. Answer A is incorrect because NIST SP 800-37 is a guide to applying the Risk Management Framework (RMF) to federal information systems. Answer B is incorrect because risk management may be able to be applied qualitatively. Answer C is incorrect because PCI-DSS deals with credit card data.

19. D. The scope of the activity is defined by the terms of engagement. Therefore, answers A, B, and C are incorrect.

20. C. PCI-DSS is a proprietary information security standard that requires organizations to follow security best practices and use 12 high-level requirements, aligned across 6 goals. Answer A is incorrect because SOX deals with financial data. Answer B is incorrect because FISMA applies to U.S. federal agencies. Answer D is incorrect because the Risk Management Framework does not have 12 high-level goals.

Chapter 2

“Do I Know This Already?” Quiz

1. c

2. d

3. a

4. c

5. d

6. b

7. d

8. a

9. a

10. c

Review Questions

1. C. Each zone is a collection of structured resource records. Answer A is incorrect because it is not a collection of domains; zones are a collection of resource records that can include an SOA record, A record, CNAME record, NS record, PTR record, and the MX record. Answer B is incorrect because it does not describe a zone namespace; that is the purpose of the SOA record. Answer D is incorrect because a collection of aliases is a CNAME.

2. B. Reconnaissance includes the act of reviewing an organization’s website to gather as much information as possible. Answer A is incorrect because scanning and enumeration is not a passive activity. Answer C is incorrect because fingerprinting is performed to identify a system’s OS. Answer D is incorrect because gaining access is the equivalent of breaking and entering.

3. D. Dumpster diving is the act of going through someone’s trash. All other answers are incorrect because they do not describe dumpster diving. Reconnaissance is information gathering, intelligence gathering is another name for reconnaissance, and social engineering is the art of manipulating people.

4. D. The OUI of the MAC address shown maps to a Brother printer. Also, port 515 is open, which is associated with printers. Therefore, answers A, B, and C are incorrect.

5. C. TCP uses sequence numbers. Session hijacking is possible because it takes advantage of the fact that these sequence numbers can be predicted. By submitting the correct sequence number at the right time, the attacker can take control of the session. Answers A, B, and D are incorrect because these protocols do not use sequence numbers.

6. D. SNMP is UDP based and uses two separate ports: 161 and 162. It is vulnerable because it can send the community strings in clear text. Answer A is incorrect because port 69 is TFTP. Answer B is incorrect because SNMP is not TCP based. Answer C is incorrect because TCP 69 is not used for SNMP.

7. B. Hping can perform traceroute as well as a variety of other mapping functions. Answer A is incorrect because Tracert is simply Windows traceroute. Answer C is incorrect because ping uses ICMP and would also be blocked. Answer D is incorrect because a port scanner by itself does not denote what program is used, and their functionality will vary.

8. B. The second step of the three-step handshake sets the SYN ACK flags. Answer A is incorrect because the SYN flag is set on the first step. Answer C is incorrect because the ACK flag occurs to acknowledge data. Answer D is incorrect because the ACK PSH flags are not set on the second step of the handshake.

9. D. Grep is a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern. Answers A and B are used for Windows. Answer C is a distracter.

10. A. Deny all means that by default all ports and services are turned off; then only when a service or application is needed to accomplish a legitimate function of the organization is the service turned on. Answer B is incorrect because the principle of least privilege means that you give employees only the minimum services needed to perform a task. Answer C is incorrect because an access control list is used for stateless inspection and can be used to block or allow approved services. Answer D is incorrect because defense in depth is the design of one security mechanism layered on top of another.

11. D. The last fragmented packet will have the more bit set to 0 to indicate that no further packets will follow. Answer A is incorrect because it must be the last packet in the series if the more bit is set to 0. Answer B is incorrect because the more bit indicates that it must be the last packet. Answer C is incorrect because it cannot be the first packet with the more bit set to 0.

12. C. ICMP type 11 is the correct code for time exceeded. All other answers are incorrect because type 3 is for destination unreachable, type 5 is for redirects, and type 13 is for time stamp requests. RFC 792 is a good resource for information on ICMP.

13. B. ARP poisoning occurs at the data link layer. Answer A is incorrect because the network layer is associated with IP addresses. Answer C is incorrect because the session layer is in charge of session management. Answer D is incorrect because the transport layer is associated with TCP and UDP.

14. B. DNS cache poisoning is a technique that tricks your DNS server into believing it has received authentic information when in reality, it has been deceived. Answer A is incorrect because a DoS attack’s primary goal is to disrupt service. Answer C is incorrect because DNS pharming is used to redirect users to an incorrect DNS server. Answer D is incorrect because an illegal zone transfer is an attempt to steal the zone records, not to poison them.

15. D. The transport layer is the correct answer. TCP can be the target for SYN attacks, which are a form of DoS. Answer A is incorrect because the network layer is not associated with TCP. Answer B is incorrect because the data link layer is responsible for frames. Answer C is incorrect because the physical layer is the physical media on which the bits or bytes are transported.

16. A. ARP spoofing is used to redirect traffic on a switched network. Answer B is incorrect because setting this MAC address to be the same as the co-worker would not be effective. Answer C is incorrect because DNS spoofing would not help in this situation because DNS resolves FQDNs to unknown IP addresses. Answer D is incorrect because ARP poisoning requires a hacker to set his MAC address to be the same as the default gateway, not his IP address.

17. D. The Start of Authority record gives information about the zone, such as the administrator contact. Answer A is incorrect because CNAME is an alias. Answer B is incorrect because MX records are associated with mail server addresses, and answer C is incorrect because an A record contains IP addresses and names of specific hosts.

18. B. Source routing was designed to enable individuals to specify the route that a packet should take through a network or to allow users to bypass network problems or congestion. Answer A is incorrect because routing is the normal process of moving packets from node to node. Answer C is incorrect because RIP is a routing protocol. Answer D is incorrect because traceroute is the operation of sending trace packets to determine node information and to trace the route of UDP packets for the local host to a remote host. Normally, traceroute displays the time and location of the route taken to reach its destination computer.

19. C. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks: Class A network IP address range = 10.0.0.0–10.255.255.255, Class B network IP address range = 172.31.0.0–172.31.255.255, and Class C network IP address range = 192.168.255.0–192.168.255.255. Check out RFC 1918 to learn more about private addressing. Answers A, B, and D are incorrect because they do not fall within the ranges shown here.

20. A. The correct syntax to find a domain name is -t a. Answers B, C, and D are incorrect because they correspond to other lookups: zone transfer (AXFR), mail exchanges (MX), name servers (NS), and start of authority (SOA).

Chapter 3

“Do I Know This Already?” Quiz

1. c

2. c

3. c

4. b

5. a

6. b

7. d

8. b

9. c

10. a

Review Questions

1. D. Running nmap -O would execute OS guessing. Answer A is incorrect because nmap -P0 means do not ping before scanning. Answer B is incorrect because nmap -sO would perform an IP scan. Answer C is incorrect because nmap -sS would execute a TCP stealth scan. Keep in mind that scanning IPv4 networks is much easier than scanning IPv6 networks because of the much greater number of IP addresses in IPv6.

2. D. Using Wireshark to examine the traffic is considered passive OS fingerprinting. Answer A is incorrect because vulnerability mapping looks for vulnerabilities. Answer B is incorrect because port scanning looks for open ports. Answer C is incorrect because active OS fingerprinting injects traffic to see how a host responds. In this situation, you are simply passively listening.

3. B. Ping is the most common ICMP type. A ping request is a type 8, and a ping reply is a type 0. All other answers are incorrect because a request is always a type 8 and a reply is always a type 0. An ICMP type 5 is redirect, and a type 3 is destination unreachable. For a complete listing of ICMP types and codes, see RFC 792.

4. A. Shellshock is a collection of security bugs in the widely used UNIX Bash shell. Answers B and D are incorrect because they target SSH vulnerabilities. Answer C is a distracter.

5. B. The -sX command means you are running an Xmas tree scan. Per RFC 793, Linux systems will send no response to an open port. Therefore, answers A, C, and D are incorrect.

6. D. The proper syntax for a UDP scan using Netcat is netcat -u -v -w2 <host> 1-1024. Netcat is considered the Swiss-army knife of hacking tools because it is so versatile. Answers A, B, and C are incorrect because they do not correctly specify the syntax used for UDP scanning with Netcat.

7. B. Running the -sL switch checks DNS for a list of IP addresses but does not scan the IP addresses. This technique provides a list of valid IP addresses to scan. Answer A is incorrect because the system is not scanned during a list scan. Answer C is incorrect because the syntax is correct. Answer D is incorrect because the scan was not blocked.

8. A. Running an -sN scan sets all the TCP flags to off (0). Answer B is incorrect because -null is not the correct syntax. Answer C is incorrect because it is an Xmas tree scan. Answer D is incorrect because it is an idle scan.

9. B. Active fingerprinting works by examining the unique characteristics of each OS. One difference between competing platforms is the datagram length. On a Linux computer, this value is usually 84, whereas Microsoft computers default to 60. Therefore, answers A, C, and D are incorrect because they are all Windows operating systems.

10. D. With a network mask of .224, the first three subnets would include the .0 subnet, the .32 subnet, and the .64 subnet. The IP address of .24 and .35 would fall into different subnet ranges. See Table A-1.

Table A-1 Subnet Ranges

Subnet   Binary Bit Pattern   Address Range   Addresses
0        000                  1–31            192.168.1.24
32       001                  33–63           192.168.1.35
64       010                  65–95
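The subnet arithmetic behind Table A-1, as an added example that is not part of the book: Python with the standard ipaddress module carves 192.168.1.0/24 with mask .224 into /27 subnets, reproduces the first three rows of the table, and places the .24 and .35 hosts in their subnets. The base network and mask are taken from the question; the function names are this example's own.

```python
import ipaddress

# Values from review question 10: a /24 block and the 255.255.255.224 mask.
BASE = ipaddress.ip_network("192.168.1.0/24")
MASK_LAST_OCTET = 224


def prefix_from_mask(last_octet: int = MASK_LAST_OCTET) -> int:
    """Convert the last octet of a 255.255.255.x mask into a prefix length.

    224 is 0b11100000, so three bits are borrowed from the host portion
    of the /24 and the prefix length becomes 27.
    """
    mask_int = 0xFFFFFF00 | last_octet
    return bin(mask_int).count("1")


def subnet_table(base=BASE, last_octet: int = MASK_LAST_OCTET, count: int = 3):
    """Return the first `count` subnets as rows shaped like Table A-1.

    Each row holds the subnet's last octet, the borrowed (subnet) bits as a
    binary string, and the address range. As in the table, the range runs
    from the first host up to and including the broadcast address, so the
    last usable host is one lower (for example .30, not .31).
    """
    prefix = prefix_from_mask(last_octet)
    borrowed = prefix - base.prefixlen  # 3 subnet bits for a /27
    rows = []
    for index, net in enumerate(base.subnets(new_prefix=prefix)):
        if index == count:
            break
        first = int(net.network_address + 1) & 0xFF
        broadcast = int(net.broadcast_address) & 0xFF
        rows.append({
            "subnet": int(net.network_address) & 0xFF,
            "bits": format(index, f"0{borrowed}b"),
            "range": f"{first}-{broadcast}",
        })
    return rows


def subnet_for(ip: str, last_octet: int = MASK_LAST_OCTET) -> int:
    """Return the last octet of the subnet network address that contains `ip`.

    strict=False lets ip_network zero the host bits for us, which is exactly
    the AND of the address with the subnet mask.
    """
    prefix = prefix_from_mask(last_octet)
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return int(net.network_address) & 0xFF


def same_subnet(ip_a: str, ip_b: str, last_octet: int = MASK_LAST_OCTET) -> bool:
    """True when both hosts sit in the same subnet under the given mask."""
    return subnet_for(ip_a, last_octet) == subnet_for(ip_b, last_octet)


if __name__ == "__main__":
    print("Subnet  Bits  Range")
    for row in subnet_table():
        print(f"{row['subnet']:<7} {row['bits']:<5} {row['range']}")
    for host in ("192.168.1.24", "192.168.1.35"):
        print(f"{host} -> subnet .{subnet_for(host)}")
    print("same subnet:", same_subnet("192.168.1.24", "192.168.1.35"))
```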

11. C. UDP scanning is harder to perform because of the lack of response from open services and because packets could be lost due to congestion or a firewall blocking ports. Answer A is incorrect because a stealth scan is a TCP-based scan and is much more responsive than UDP scans. Answer B is incorrect because an ACK scan is again performed against TCP targets to determine firewall settings. Answer D is incorrect because FIN scans also target TCP and seek to elicit an RST from a Windows-based system.

12. B. The -sC option runs a script, and the correct port would be 22 because that is the default port that SSH runs on. Answer A is incorrect because port 21 is FTP. Answer C is incorrect because the option -sL is a list scan. Answer D is incorrect because the option -sI is an idle scan.

13. A. An ICMP type 3 code 13 is administratively filtered. This type of response is returned from a router when the protocol has been filtered by an ACL. Answer B is incorrect because the ACK scan provides only a filtered or unfiltered response; it never connects to an application to confirm an open state. Answer C is incorrect because port knocking requires you to connect to a certain number of ports in a specific order. Answer D is incorrect because, again, an ACK scan is not designed to report a closed port; its purpose is to determine the router’s or firewall’s rule set. Although this might appear limiting, the ACK scan can characterize the capability of a packet to traverse firewalls or packet-filtered links.

14. B. Regional Internet Registries (RIRs) maintain records for the regions they govern. ARIN is responsible for domains served within North and South America, and therefore, is the logical starting point for that .com domain. Answer A is incorrect because AfriNIC is the RIR for Africa. Answer C is incorrect because APNIC is the RIR for Asia and Pacific Rim countries. Answer D is incorrect because RIPE is the RIR for European-based domains.

15. C. With no flags set, a NULL scan is being performed. Therefore, answer A is incorrect because it is not a SYN scan. Answer B is incorrect because an IPID scan is used to bounce the scan off of a third party. Answer D is incorrect because an XMAS scan has three flags set high.

16. A. The -sn option tells Nmap not to do a port scan after host discovery and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan,” but you can also request that traceroute and NSE host scripts be run. Answers B, C, and D are all incorrect because they actually perform a scan against the targeted system.

17. B. Running -p- scans all 65,535 ports on the targeted systems. Answers A, C, and D are all incorrect syntax.

18. B. Running an ACK scan attempts to determine access control list (ACL) rule sets or identify whether firewall inspection or simply stateless inspection is being used. A stateful firewall should return no response. If an ICMP destination unreachable or a communication administratively prohibited message is returned, the port is considered to be filtered. If an RST is returned, no firewall is present. Answer A is incorrect because no flags are set. Answer C is incorrect because malformed TCP flags are used to probe a target. Answer D is incorrect because firewalking is not port scanning but alters TTLs to map what traffic is allowed or blocked.

19. A. Type 0 is a ping reply and type 8 is a ping request. Answers B, C, and D are incorrect because type 3 is destination unreachable, type 5 is a redirect, and type 11 is time exceeded. Make sure you know the range of ICMP types for the exam.

20. C. The pen tester will typically continue to explore the service that has been identified, which means that an attempt to banner grab would be the next step. Answer A is incorrect because your next step would not be to examine the source code of the web page. Answer B is incorrect because you would not next FTP to port 80. Answer D is incorrect because you would not next attempt to connect to port 443.

Chapter 4

“Do I Know This Already?” Quiz

1. b

2. d

3. d

4. b

5. a

6. b

7. c

8. c

9. a

10. c

Review Questions

1. D. When examining biometric systems, one item to consider is the crossover error rate (CER). The lower the CER, the more accurate the system. Answer A is incorrect because a high false acceptance rate (FAR) means many unauthorized users were accepted by the biometric system. Answer B is incorrect because a high false rejection rate (FRR) means many authorized users were rejected by the biometric system. Answer C is incorrect because a high FAR and high FRR indicates a high CER, making it the worst choice when selecting a biometric system.

2. D. The string shown in the question was designed to exploit Shellshock and access the passwd file. Notice the command seeks to cat the file, which is an attempt to view it. Answers A and C are incorrect because Heartbleed targets SSL, not Bash. Answer B is incorrect because the script is attempting to read the file, not view it.

3. D. One important goal of enumeration is to determine the true administrator. In the output, the true administrator is Joe. Answer A is incorrect because the Joe account has a RID of 500, not a SID of 500. Answer B is incorrect because the commands issued do not show that the account is disabled, which is not the purpose of the tool. Answer C is incorrect because the commands do not show that the guest account has been disabled.

4. B. Moving from one local admin account to another local admin account would be an example of horizontal privilege escalation. Answer A is incorrect because the question states that you have no access. Answer C is incorrect because a RID of 501 indicates a guest account, not an admin account, which would be 500. Answer D is incorrect because vertical privilege escalation of access is defined as moving to a higher level of access, such as from local admin to domain admin.

5. D. If a rootkit is discovered, you will need to rebuild the OS and related files from known-good media. This usually means performing a complete reinstall. Answer A is incorrect because copying system files will do nothing to replace infected files. Answer B is incorrect because performing a trap and trace might identify how the attacker entered the system, but will not fix the damage done. Answer C is incorrect because deleting the files will not ensure that all compromised files have been cleaned. You will also want to run some common rootkit detection tools such as chkrootkit.

6. D. Most modern OSs use a ring model where the inner ring, 0, has the most privilege and the outer ring, 3, has the least privilege. Therefore, answers A, B, and C are incorrect.

7. C. Most SNMP devices are configured with public and private as the default community strings. These are sent in clear text. Answer A is incorrect because SNMP is not enabled on all devices by default. Answer B is incorrect because SNMP is not based on TCP; it is UDP based. Answer D is incorrect because anyone can sniff SNMP while in clear text. The community strings are required to connect.

8. C. Microsoft Windows computers have used different methods to store user passwords over the years. The oldest and least secure method uses LM passwords. These passwords are a maximum of 14 characters and store the password in two 7-character fields. Answers A, B, and D are incorrect because NTLMv1, NTLMv2, and Kerberos are all more secure than LM.

9. B. ELSave is used to clear the log files. Other tools used to remove evidence and clear logs include Winzapper and Evidence Eliminator. Answer A is incorrect because Auditpol is used to disable auditing. Answer C is incorrect because PWdump is used to extract the hash. Answer D is incorrect because, although Cain and Abel is used for a host of activities, such as password cracking, clearing the logs is not one of them.

10. C. John the Ripper cannot differentiate between uppercase and lowercase passwords. Answer A is incorrect because it can crack NTLM passwords. Answer B is incorrect because separating the NTLM passwords into two halves actually speeds cracking. Answer D is incorrect because John the Ripper can perform brute-force cracks.

11. B. Alternate data streams are another type of named data stream that can be present within each file. The command streams Netcat behind readme.txt on an NTFS drive. Answers A, C, and D are incorrect because the command does not start a Netcat listener, does not open a command shell, and is not used to unstream Netcat.

12. A. Rainbow tables use the faster time-memory trade-off technique and work by precomputing all possible passwords in advance. Answers B, C, and D are all incorrect because they are the traditional methods used to crack passwords.

13. C. The SMB protocol is used for file sharing in Windows 2000. In 2000 and newer systems, Microsoft added the capability to run SMB directly over TCP port 445. Answer A is incorrect because a scan probably will not attempt a DoS attack on the server. Answer B is incorrect because it is not the most correct answer. Answer D is incorrect because Windows NT systems do not run port 445 by default.

14. B. Biometric systems are not all equal when it comes to accuracy. Iris-scanning biometric systems are considered the most accurate. Answers A, C, and D are incorrect because fingerprint, voice, and palm scans are not as accurate.

15. A. The proper syntax is net use \\IP_address\IPC$ "" /u:"". Therefore, answers B, C, and D are incorrect.

16. D. SNMP is a network management tool that is used for collecting information about the status of network devices. Versions 1 and 2 of SNMP use default community strings of public and private. Answers A, B, and C are incorrect because the default community strings are not user/password, abc123/passw0rd, or Password/administrator.

17. B. Streams allow files to contain more than one stream of data. In the Windows OS when the NTFS file system is being used, this default data stream is called an alternate data stream, and it allows one file to be hidden behind another. Answers A, C, and D are incorrect because the only file system this is possible on is NTFS.

18. D. The inner layer of the OS is ring 0. It is at this layer that kernel rootkits are found. Answers A, B, and C are incorrect because these do not represent rootkits found at ring 0.

19. A. The /etc folder is the location of many important files in Linux. Two of those files are the passwd and shadow files. Answer B is incorrect because /sbin contains executable programs. Answer C is incorrect because /etc is a nonexistent folder. Answer D is incorrect because /var contains files to which the system writes data.

20. A. Syslog is used for network devices to send event messages to a logging server known as a syslog server. The syslog protocol is supported by a wide range of devices and can be used to log different types of events. Answer B is incorrect because NetBIOS is used by Windows computers. Answer C is incorrect because Finger displays information about a user. Answer D is incorrect because LDAP is used for directory services.

Chapter 5

“Do I Know This Already?” Quiz

1. a

2. b

3. a

4. d

5. a

6. d

7. b

8. b

9. c

10. a

11. c

12. d

13. b

14. b

15. b

16. a

17. b

18. b

Review Questions

1. C. A watering hole attack can be described as a means to trick a victim into visiting a website that is infected. The website would be one that the attacker knows the victim visits on a regular basis. Eventually, when the victim visits the website, he or she becomes infected. Answer A is incorrect because a phishing attack is a general attack in which the hacker is attempting to trick the user out of their credentials. Answer B is incorrect because a spear phishing attack is a targeted phishing attack. Answer D is incorrect because SMiShing is a phishing attack carried out over an SMS text message.

2. D. A threat actor redirects a victim from a valid website or resource to a malicious one that could be made to look like the valid site to the user. From there, an attempt is made to extract confidential information from the user or to install malware on the victim’s system. Pharming can be done by altering the hosts file on a victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server.

3. A. Malvertising is similar to pharming, but it involves using malicious ads. In other words, malvertising is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

4. B. Spear phishing is a phishing attempt that is constructed in a very specific way and directly targeted to specific individuals or companies. The attacker studies a victim and the victim’s organization to be able to make the emails look legitimate and perhaps make them appear to come from trusted users within the corporation.

5. C. SMS phishing is a type of social engineering attack that involves using Short Message Service (SMS) to send malware or malicious links to mobile devices; it is not carried over email.

6. B. It is possible to use scarcity to create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. Salespeople often use scarcity to manipulate clients.

7. C. Covert communication can best be described as a means of sending and receiving unauthorized information or data by using a protocol, service, or server to transmit information in a way in which it was not intended to be used. Answers A, B, and D are incorrect because they do not meet the definition of a covert channel.

8. B. Netcat is considered the Swiss army knife of hacking tools because it will do so many different things, such as shoveling a shell, port scanning, banner grabbing, and file transfer. It works with Windows and Linux. Answer A is incorrect because Netcat is not a more powerful version of Snort. Answers C and D are incorrect because Netcat is not a Windows-only or Linux-only utility; it runs on both platforms.

9. C. If a system that has financial data has been breached, you would want to back that data up to another system. If not, the attacker may delete or modify the existing data. Answers A, B, and D are incorrect because, although acceptable recommendations, they would not be the first step. Strengthening passwords, hardening the web server, and budgeting for a new firewall are important but would come as later action items.

10. B. When a system gets ready to go to a website, the first resource that is used to resolve a domain name is the local hosts file. If nothing is found there, then DNS is queried. Answer A is incorrect because it provides the location of the hosts file on a Linux computer. Answer C is incorrect because the boot.ini file deals with what is loaded when the Windows system is booted. Answer D is incorrect because config.ini is a configuration file and is not associated with domain name lookup.

11. B. There are three ways that banking Trojans typically function. When additional fields are added, it’s known as HTML injection. Answers A and C are incorrect because, although both are possible banking Trojan techniques, a form grabber grabs information from forms and a TAN grabber captures the transaction authentication number. Answer D is incorrect because a SID grabber is not a valid banking Trojan technique.

12. B. AckCmd uses TCP ACK packets to bypass ACL rules on firewalls. Answers A, C, and D are incorrect because Loki is an ICMP tool, Stealth Tools is a malware wrapper, and Firekiller disables antivirus.

13. D. Netcat is a very versatile hacking tool. Running the command shown would open a listener on port 25. Answers A, B, and C are incorrect because the command would not allow the hacker to send spam from the mail server, forward email, or block traffic on port 25.

14. B. Netcat is known for its many uses, such as file transfer and banner grabbing. Netcat can be used to maintain access because it supports the capability to redirect the input and output of a shell to a service so that it can be remotely accessed. Answer A is incorrect because installing spyware would not give you access. Answer C is incorrect because disabling IPchains would remove filtering rules. Answer D is incorrect because etc/hosts is simply a text file that associates IP addresses with hostnames, one line per IP address.

15. A. A sheep dip computer is a dedicated, standalone computer that is used to test and evaluate suspicious files. Answer B is incorrect because it’s not called a live analysis system. Analysis can be static or live. Answer C is incorrect because a honeypot is a fake system set up to lure attackers away from real assets. Answer D is incorrect because Tripwire is used for integrity verification.

16. D. Ransomware is a type of malware that encrypts all files until a payment is made. Answer A is incorrect because a crypter is used to encrypt malware. Answer B is incorrect because a Trojan is a file, application, or item that appears to be legitimate but is actually malicious. Answer C is incorrect because the goal of spyware is to gather information about a person or organization without his or her knowledge and perhaps send such information to another entity.

17. C. Packers are similar to programs such as WinZip, Rar, and Tar in that they compress the file yet are used to hide the true function of malware. Answer A is incorrect because it is just a distracter. Answer B is incorrect because wrappers are used to combine legitimate and malicious files. Answer D is incorrect because crypters are used to encrypt malware.

18. D. CurrPorts is not used for static analysis; it is used to examine what ports are open and running on an active machine. Answers A, B, and C are incorrect because they all are tools used for static analysis.

19. B. The correct command is c:compmgmt.msc. Answer A is incorrect because services.msc opens the Services console. Answer C is incorrect because ps -aux is used to display running services on a Linux system. Answer D is incorrect because msconfig opens MSConfig (System Configuration), a system utility to troubleshoot the Microsoft Windows startup process.

20. B. The Common Vulnerability Scoring System (CVSS) is an industry standard created by security practitioners in the Forum of Incident Response and Security Teams (FIRST) to provide a means to score the risk of a security vulnerability. You can find detailed information about the standard at https://first.org/cvss. In CVSS, a vulnerability is evaluated under three groups, and a score is assigned to each of them: The base group represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment. This is the most important information and the only one that’s mandatory to obtain a vulnerability score. The temporal group assesses the vulnerability as it changes over time. The environmental group represents the characteristics of a vulnerability, taking into account the organizational environment. Answer A is not correct because CVE is a standard to provide an identifier to a vulnerability. Answer C is incorrect because Common Vulnerability Reporting Framework (CVRF), also known as the Common Security Advisory Framework (CSAF), is a machine-readable representation of a security advisory. Answer D is not correct because the Common Weakness Enumeration (CWE) is a list of software weaknesses.

Chapter 6

“Do I Know This Already?” Quiz

1. a

2. c

3. c

4. a

5. d

6. b

7. d

8. b

9. c

10. c

Review Questions

1. C. TShark is a command-line packet analyzer. Answer A is incorrect because John the Ripper is a password-cracking program. Answer B is incorrect because Ethereal is the previous name of Wireshark. Answer D is incorrect because Snort is a network-based IDS.

2. C. ARP cache poisoning can be used to bypass the functionality of a switch and could be used if you cannot SPAN the port. Answer A is incorrect because ARP cache poisoning would not result in a broadcast storm. Answer B is incorrect because ARP cache poisoning would not flood the network with fake MAC addresses. Answer D is incorrect because DHCP snooping is used to prevent rogue DHCP servers.

3. D. Session fixation is not launched on the client, and the fixed ID must be provided by the attacker. Answers A, B, and C are incorrect because malicious JavaScript codes, cross-site scripting (XSS), and cross-site request forgery (CSRF) are client-side session hijacking techniques.

4. D. The filter tcp.window_size == 0 && tcp.flags.reset != 1 would check whether the window size is 0 and whether the RST flag is not set to 1, because this would indicate some form of DDoS attack. Answer A is incorrect because it looks for traffic equal to port 80. Answer B is incorrect because it looks for a source not equal to 255.255.255.255. Answer C filters on traffic that does not have the RST flag on.

5. A. Answer A is the only filter that shows the source port set to 80 (from the web server) and the source IP set to that of the web server. Answers B, C, and D are incorrect because they do not meet these conditions.

6. B. The only DoS attack that uses the DC protocol is the peer-to-peer attack, which targets older versions of the hub software to instruct registered clients to disconnect from the P2P network and connect to a system at the intended target’s location. Therefore, answers A, C, and D are incorrect.

7. A. Only black hole filtering can dynamically drop packets at the routing level. Answers B, C, and D are incorrect because, although each can be used to address DoS attacks, they can’t dynamically drop packets at the routing level.

8. D. Passive sniffing is considered intercepting traffic via a hub. Hubs pass all traffic to all physical ports on the hub, so no additional activity is required. Answers A, B, and C are considered incorrect because switches, bridges, and routers sequence traffic.

9. C. The only protocol listed that uses sequence numbers is TCP. Therefore, answers A, B, and D are incorrect.

10. D. Capture filters allow you to specify what traffic is captured. If something is excluded from a capture filter, the traffic is not available. Therefore, answers A, B, and C are incorrect because review is not possible.

11. B. The ARP process is a two-step process that consists of an ARP request and an ARP reply. Answers A, C, and D are incorrect because the ARP process is not one, three, or four steps.

12. D. Passive sniffing is all that is required to listen to traffic on a hub. Answer A is incorrect because active sniffing is performed on switches. Answers B and C are incorrect because ARP poisoning and MAC flooding are both forms of active sniffing, and these activities are not required when using a switched network.

13. C. A Smurf attack uses ICMP to send traffic to the broadcast address and spoof the source address to the system under attack. Answer A is incorrect because a SYN attack would not be indicated by traffic to a broadcast address. Answer B is incorrect because a Land attack is to and from the same address. Answer D is incorrect because a Chargen attack loops between Chargen and Echo.

14. A. Here is what the command-line option flags do:

  • -T tells Ettercap to use the text interface.

  • -q tells Ettercap to be quieter.

  • -F tells Ettercap to use a filter (in this case, cd.ef).

  • -M tells Ettercap the MITM (man-in-the-middle) method of ARP poisoning.

Answers B, C, and D are incorrect because this command does not detach Ettercap and log sniffed passwords, does not check to see if someone else is performing ARP poisoning, and does not scan for NICs in promiscuous mode.

15. C. MAC flooding is the act of attempting to overload the switch’s content-addressable memory (CAM) table. By sending a large stream of packets with random addresses, the CAM table of the switch will eventually fill up and the switch can hold no more entries; some switches might divert to a “fail open” state. This means that all frames start flooding out all ports of the switch. Answer A is incorrect because active sniffing is not the specific type described in the question. Answer B is incorrect because ARP poisoning is characterized by spoofing an address in the ARP request or response. Answer D is incorrect because passive sniffing is usually performed only on hubs.

16. A. Trinity uses TCP port 6667. Trinoo and Shaft do not use port 6667, and DDoSPing is a scanning tool; therefore, answers B, C, and D are incorrect.

17. C. Authentication should be unique for each time that it occurs. If not, the credentials used to log in could be captured and replayed. This describes a session replay attack. Answer A is incorrect because cross-site scripting (XSS) works by enticing users to click a link with a script embedded. Answer B is incorrect because a man-in-the-browser attack is a Trojan. Answer D is incorrect because cross-site request forgery (CSRF) exploits the fact that a user is logged in to a legitimate site and a malicious site at the same time.

18. B. LOIC is a DDoS program. Answers A, C, and D are incorrect because Smurf, Land, and Fraggle are DoS programs.

19. A. A SYN flood is detectable because a large number of SYN packets will appear on the network without the corresponding reply. Answer B is incorrect because all ports will not be the same. Answer C is incorrect because there would be no FIN packets. Answer D is incorrect because there will not be a large amount of ACK packets.

20. B. Session fixation is an attack that permits an attacker to take control of a valid user session. The attacker must trick the victim into authenticating with a fixed session ID that is given to the victim before he or she authenticates. Answers A, C, and D are incorrect because all three are after authentication and not before.

Chapter 7

“Do I Know This Already?” Quiz

1. a

2. d

3. a

4. d

5. d

6. d

7. b

8. b

9. b

10. c

Review Questions

1. C. SQL injection is the attack shown in the exhibit.

2. A. Burp Suite is a web application proxy and a web application security assessment tool that can be used to analyze requests and responses to and from a web application. Hashcat is a password cracking tool. DMitry (Deepmagic Information Gathering Tool) is a Linux-based tool used to gather possible subdomains, email addresses, uptime information, and perform TCP port scans. HTTPrint is a web server fingerprinting tool.

3. D. Sometimes, parameters are passed in a URL. If this is being done, these values may be vulnerable to unauthorized changes; therefore, answers A, B, and C are incorrect. Session hijacking would be used to take over an active connection. XSS enables attackers to inject client-side scripts into web pages viewed by other users, and attackers use cookie tampering to modify application data, such as user credentials and permissions and price and quantity of products that are sometimes stored in cookies.

4. B. The CEH exam will expect you to understand basic Nmap commands and scripts. Answer B searches to see if the web server is vulnerable to directory traversal. Answer A is incorrect because the command checks for OS version. Answers C and D are incorrect because each is an incorrect syntax.

5. A. Cross-site request forgery is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Answer B is incorrect because XSS enables attackers to inject client-side scripts into web pages viewed by other users. Answer C is incorrect because SQL injection targets SQL servers. Answer D is incorrect because code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution.

6. A. Service-oriented architecture (SOA) is a style of software design where services are provided to the other components by application components, through a communication protocol over a network. Therefore, answers B, C, and D are incorrect.

7. B. A DNS amplification attack is a type of DDoS that relies on the use of publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. Answer A is incorrect because DNS cache poisoning fills the cache with bogus content. Answer C is incorrect because DNS spoofing returns fake responses. Answer D is incorrect because DNS server hijacking takes control of the DNS server.

8. D. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Answer A is incorrect because cross-site request forgery (CSRF) is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Answer B is incorrect because cross-site scripting (XSS) enables attackers to inject client-side scripts into web pages viewed by other users. Answer C is incorrect because file injection allows an attacker to include a file that the web application uses as input.

9. B. Session management is a very important part of web application design. As such, cookies should be deleted upon session termination to prevent hackers from obtaining authenticated credentials. Answers A, C, and D are incorrect because deleting all browser cookies upon session termination doesn’t prevent hackers from tracking a user’s browsing activities, prevent unauthorized access to the SQL database, or prevent hackers from gaining access to system passwords.

10. A. The heap is a dynamically allocated buffer. Heap overflows seek to overwrite internal structures. Answers B, C, and D are incorrect because stack-based buffer overflows do not overflow a buffer placed on the lower part of the heap, a fixed-length buffer, or a buffer placed on the upper part of the heap.

11. D. The purpose of the entry was an attempt to install Netcat as a listener on port 8080 to shovel a command shell back to the attacker. Answers A, B, and C are incorrect because the attacker was not attempting to replace cmd.exe, exploit double decode, or execute the Linux xterm command.

12. D. Although HTTP uses TCP as a transport, it is considered a stateless connection because the TCP session does not stay open waiting for multiple requests and their responses. Answer A is incorrect because HTTP is not based on UDP; it is TCP based. Answer B is incorrect because HTTP is considered stateless. Answer C is incorrect because HTTP is not based on ICMP.

13. C. A brute-force attack attempts every single possibility until you exhaust all possible combinations of words and characters or discover the password. Answer A is incorrect because it describes a dictionary attack. Answer B is incorrect because using a rainbow table created from a dictionary is not an example of a brute-force attack. Answer D is incorrect because threatening someone with bodily harm is not a brute-force attack.

14. D. This command returns the banner of the website specified by the IP address. Answers A, B, and C are incorrect because this command does not open a backdoor Telnet session on the client, it does not start a Netcat listener, and it does not return a banner from a URL because an IP address is specified in the command.

15. A. 0xde.0xaa.0xce.0x1a hexadecimal converted to base 10 gives 222.170.206.26. Answers B, C, and D are therefore incorrect.
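The hex-to-decimal conversion in question 15 is one of several ways an IPv4 address can be written to slip past a naive URL filter. The following added example (not from the book) canonicalises dotted-hex, dotted-octal, dotted-decimal and single 32-bit literals the way inet_aton() and common browsers interpret them, going beyond the single hex case in the answer; the sample inputs in the comments are constructed.

```python
"""Canonicalising obfuscated IPv4 literals (added example, not from the book).

0xde.0xaa.0xce.0x1a is 222.170.206.26; the same host can also be written
0336.0252.0316.032 (octal) or 3735928559-style single DWORD values. A URL
filter that compares literals without canonicalising first can be bypassed,
so canonicalise before matching against an allow or deny list.
"""
import re

# One component: hex (0x..), octal (leading 0), or plain decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(text: str) -> int:
    """Decode one dotted component using inet_aton conventions."""
    if not _PART.match(text):
        raise ValueError(f"bad component: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(literal: str) -> str:
    """Return the dotted-decimal form of a 1- to 4-part IPv4 literal.

    With fewer than four parts the final component fills the remaining
    low-order bytes: a.b.c -> a.b.(c>>8).(c&255), a.b -> a + 24-bit b,
    and a lone value is the whole 32-bit address.
    """
    parts = literal.strip().split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        raise ValueError(f"malformed literal: {literal!r}")
    values = [_part_value(p) for p in parts]
    for v in values[:-1]:          # leading parts are single bytes
        if v > 255:
            raise ValueError(f"component too large: {v}")
    last_bytes = 5 - len(parts)    # bytes covered by the final component
    if values[-1] >= 1 << (8 * last_bytes):
        raise ValueError(f"final component too large: {values[-1]}")
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_bytes)) | values[-1]
    return ".".join(str((addr >> s) & 255) for s in (24, 16, 8, 0))


def same_host(a: str, b: str) -> bool:
    """Compare two literals after canonicalisation, as a filter should."""
    return canonical_ipv4(a) == canonical_ipv4(b)


if __name__ == "__main__":
    # Constructed inputs: the book's hex form and two equivalent spellings.
    for lit in ("0xde.0xaa.0xce.0x1a", "0336.0252.0316.032", "222.170.206.26"):
        print(f"{lit:>22} -> {canonical_ipv4(lit)}")
```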

16. A. Message digest authentication uses the username, the password, and a nonce value to create an encrypted value that is passed to the server. Answer B is incorrect because Password Authentication Protocol (PAP) sends information in clear text. Answer C is incorrect because certificate-based authentication uses the PKI infrastructure. Answer D is incorrect because forms-based authentication is based on the use of a cookie.

17. B. When attackers discover the hidden price field, they might attempt to alter it and reduce the price. To avoid this problem, hidden price fields should not be used. However, if they are used, the value should be confirmed before processing. Answer A is incorrect because the value in the name field will not affect the fact that someone might attempt to lower the price of the item. Answer C is incorrect because, again, the PID has no effect on this price-altering possibility. Answer D is incorrect because the hidden field should not be expanded. If attackers can change the hidden field to a larger value and submit a long string, there is a possibility that they can crash the server.

18. A. File traversal will not work from one logical drive to another; therefore, the attack would be unsuccessful. Answer B would not prevent an attacker from exploiting the Unicode vulnerability. Answer C is incorrect because no TFTP server is required on the IIS system for the attack to be successful. Answer D is a possibility, and renaming the file would slow down the attacker; however, there is still the chance that he might guess the new name. Security by obscurity should never be seen as a real defense.

19. D. SQL injection is a type of exploit whereby hackers can execute SQL statements via an Internet browser. You can test for it using logic such as 1=1 or inserting a single quote. Answer A is incorrect because this is not an Oracle database. Answer B is incorrect because it is not a MySQL database. Answer C is incorrect because 80004005 indicates a potential for SQL injection.

20. B. Changing the hidden tag value from a local copy of the web page would allow an attacker to alter the prices without tampering with the SQL database and without any alerts being raised on the IDS. Therefore, answers A, C, and D are incorrect.

Chapter 8

“Do I Know This Already?” Quiz

1. b

2. d

3. b

4. a

5. a and b

6. a

7. a

8. b

9. c

10. c

Review Questions

1. A. An attacker can cause some modification on the Initialization Vector (IV) of a wireless packet that is encrypted during transmission. The goal of the attacker is to obtain a lot of information about the plain text of a single packet and generate another encryption key that then can be used to decrypt other packets using the same IV. WEP is susceptible to many different attacks, including IV attacks.

2. C. The attack performed in the command shown is a deauthentication attack.

3. D. Frequency-hopping spread spectrum (FHSS) hops between subchannels and sends out short bursts of data on each subchannel for a short period of time. Answer A is incorrect because direct-sequence spread spectrum (DSSS) uses a stream of information that is divided into small pieces and transmitted, each of which is allocated to a frequency channel across the spectrum. Answer B is incorrect because plesiochronous digital hierarchy (PDH) is a technology used in telecommunications networks to transport large quantities of data over digital transport equipment such as fiber-optic cable. Answer C is incorrect because time-division multiplexing (TDM) is used in circuit-switched networks such as the public switched telephone network (PSTN).

4. C. Bluetooth operates at 2.45 GHz. It is available in three classes: 1, 2, and 3. It divides the bandwidth into narrow channels to avoid interference with other devices that use the same frequency. Answers A, B, and D are incorrect because they do not specify the correct frequency.

5. A. MAC addresses can be spoofed; therefore, used by itself, MAC filtering is not an adequate defense. Answer B is incorrect because MAC addresses can be spoofed. Answer C is incorrect because IP addresses, like MAC addresses, can be spoofed. Answer D is incorrect because MAC filtering will not prevent unauthorized devices from using the wireless network. All a hacker must do is spoof a MAC address.

6. D. The SSID is still sent in packets exchanged between the client and the wireless AP; therefore, it is vulnerable to sniffing. Tools such as Kismet can be used to discover the SSID. Answer A is incorrect because turning off the SSID will make it harder to find the wireless AP, but whether it’s in ad hoc mode or infrastructure mode will not make a difference. Answer B is incorrect because the SSID has been changed and, therefore, the default will no longer work. Answer C is incorrect because running DHCP or assigning IP addresses will not affect the SSID issue.

7. D. Kismet is used to sniff wireless traffic and can be used for troubleshooting. Void11 is a wireless DoS tool. RedFang is used for Bluetooth. THC-Wardrive is used to map wireless networks and perform war driving.

8. A. A strong password authentication protocol such as Kerberos, strong authentication, defense in depth, and EAP are good choices for increasing security on wired networks. Answer B is incorrect because PAP, passwords, and Cat 5 cabling are not the best choices for wired security. PAP sends passwords in clear text. Answer C is incorrect because 802.1x and WPA are used on wireless networks. Answer D is also incorrect because WEP, MAC filtering, and no broadcast SSID are all solutions for wireless networks.

9. D. EAP-MD5 does not provide server authentication. Answers A, B, and C are incorrect because they do provide this capability. EAP-TLS does so by public key certificate or smart card. PEAP can use a variety of types, including CHAP, MS-CHAP, and public key. EAP-TTLS uses PAP, CHAP, and MS-CHAP.

10. C. WPA2 uses AES, a symmetric block cipher. Answer A is incorrect because WPA2 does not use RC4, although WEP does use it. Answer B is incorrect because WPA2 does not use RC5. Answer D is incorrect because MD5 is a hashing algorithm and is not used for encryption.

11. B. BlackBerry is the only platform vulnerable to Java Application Descriptor (JAD) file exploits. Therefore, answers A, C, and D are incorrect.

12. D. Chambers provide a security boundary in which processes are created and executed. Capabilities represent security-sensitive resources or features that can be granted to code that runs in a chamber. OEM-defined drivers, applications, and services must be designed to work properly in the context of this security model. Answers A, B, and C are incorrect because Android, BlackBerry, and Apple iOS do not make use of chambers and capabilities.

13. D. Bluedriving is not a legitimate attack and is a distracter. Answers A, B, and C are incorrect because bluesnarfing, bluejacking, and BlueBugging are all legitimate attacks.

14. B. Rooting applies to Android devices and refers to when users attain privileged control within Android’s subsystem. Jailbreaking is associated with Apple devices and allows the user to obtain full access to the OS of Apple devices and permits download of third-party applications.

15. A. Mobile device management can be defined as security software designed to monitor, manage, and secure employees’ mobile devices that are deployed by end users and used in the organization. Answer B is incorrect because code signing is used to verify the source of the application. Answer C is incorrect because sandboxing is used to restrict access. Answer D is incorrect because cellular device management is a distracter.

Chapter 9

“Do I Know This Already?” Quiz

1. d

2. c

3. d

4. b

5. a

6. b

7. d

8. c

9. c

10. a

Review Questions

1. D. Wireshark requires you to set the filter correctly to capture traffic. In this situation you are capturing traffic going to .150 and port 514, so the correct filter is D. Answer A is incorrect because it shows port 514 as the source port, not the destination port. Answer B is incorrect because it shows 514 as the source port, not the destination port, and the destination IP address of .99 is not the syslog server. Answer C is incorrect because it shows the correct destination port (514) but the incorrect IP address, .99 instead of .150.

2. C. The $ in front of the nmap command indicates that you are not running as root. Nmap requires root access for many of its functions. Answer A is incorrect because a stateless firewall is not blocking the response. Answer B is incorrect because Firewalk is a different tool. Answer D is incorrect because a stateful firewall is not blocking the response.

3. C. Although signature detection is a valid IDS technique, attackers can use polymorphic shellcode to vary the attack so that signature matching is not effective, thereby avoiding detection. Although answers A, B, and D are all valid IDS evasion techniques, they are incorrect because they do not function as described in the question. ASCII is used to avoid signature detection but uses only ASCII characters. Fragmentation breaks up packets to make it harder for the IDS to detect and decode the reassembled packet’s contents. Insertion attacks vary what packets the IDS and victim see so that there are two different data streams.

4. B. A network-based IDS (NIDS) would allow you to capture all traffic. Answer A is incorrect because a honeypot is used to jail an attacker. Answer C is incorrect because a firewall is typically used to filter and block specific types of traffic. Answer D is incorrect because a host-based IDS (HIDS) would only see what is on a single host.

5. C. All the tools listed are valid tunneling tools, but only Cryptcat encrypts the traffic. Answers A, B, and D are incorrect because Netcat, Loki, and AckCmd all send data via clear text and thus will be detected by a NIDS.

6. A false positive is a “false” alarm. In the scenario described herein, the scanner provides a false report and erroneously fingerprinted the application hosted in the targeted system. A false negative is when a security device or application misses a true security attack, vulnerability, or misconfiguration. Positive and negative exploitation are invalid cybersecurity terms for this scenario.

7. D. It is important that you understand the way in which Snort allows you to define ranges. A range of :1024 means ports less than or equal to 1024, whereas 666: means ports equal to or greater than 666. Answer A is incorrect because it defines source ports that are greater than 1024. Answer B is incorrect because it defines source ports that are greater than 1024 and defines destination ports that are less than or equal to port 666. Answer C is incorrect because it defines destination ports that are less than or equal to port 666.
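The range notation in question 7 is easy to misread when writing or auditing rules. The following added example (not from the book, and not Snort's own code) implements the port-field semantics the answer describes, plus the single port, `N:M`, `any`, bracketed list and leading `!` forms, so a rule author can check which packets a header would actually be evaluated against.

```python
"""Snort rule-header port semantics (added illustration, not Snort's code).

:1024  -> ports <= 1024        666:   -> ports >= 666
1:1024 -> 1 through 1024        any    -> every port
!1024: -> everything except >= 1024   [80,443,8000:8080] -> a list of the above
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSpec:
    ranges: tuple[tuple[int, int], ...]   # inclusive (low, high) pairs
    negated: bool = False

    def matches(self, port: int) -> bool:
        hit = any(lo <= port <= hi for lo, hi in self.ranges)
        return not hit if self.negated else hit


def _check(p: int) -> None:
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {p}")


def _parse_atom(atom: str) -> tuple[int, int]:
    """One element: 'N', 'N:M', ':M' (everything up to M) or 'N:' (N and above)."""
    atom = atom.strip()
    if ":" not in atom:
        p = int(atom)
        _check(p)
        return (p, p)
    lo_s, hi_s = atom.split(":", 1)
    lo = int(lo_s) if lo_s else 0
    hi = int(hi_s) if hi_s else 65535
    _check(lo)
    _check(hi)
    if lo > hi:
        raise ValueError(f"inverted range: {atom!r}")
    return (lo, hi)


def parse_ports(spec: str) -> PortSpec:
    """Parse a Snort port field such as '!1024:' or '[80,443,8000:8080]'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return PortSpec(((0, 65535),), negated)
    if spec.startswith("[") and spec.endswith("]"):
        atoms = spec[1:-1].split(",")
    else:
        atoms = [spec]
    return PortSpec(tuple(_parse_atom(a) for a in atoms), negated)


def header_covers(src_spec: str, dst_spec: str, src_port: int, dst_port: int) -> bool:
    """True if a header with these source/destination port fields applies to the packet."""
    return parse_ports(src_spec).matches(src_port) and parse_ports(dst_spec).matches(dst_port)


if __name__ == "__main__":
    # Constructed check of the two forms the answer contrasts.
    for spec, port in ((":1024", 1024), (":1024", 1025), ("666:", 665), ("666:", 666)):
        print(f"{spec:>6} matches {port:>5}: {parse_ports(spec).matches(port)}")
```

Negation inside a bracketed list (e.g. `[!80]`) is not handled here; keep the `!` at the front of the field.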

8. A. Whisker is the only tool listed that allows you to perform session splicing. Answer B is incorrect because Netcat is used for tunneling. Answer C is incorrect because Snort is used as an IDS. Answer D is incorrect because Loki is also a tunneling tool.

9. B. A post-connection SYN attempts to desynchronize the IDS from the actual sequence number that the kernel is honoring. Answer A is incorrect because an invalid RST sends an RST with a low TTL to the IDS to trick it into believing communication has ended. Answer C is incorrect because it breaks up packets and tweaks the offset of each fragment. Answer D is incorrect because this attack calls bind to get the kernel to assign a local port to the socket.

10. D. Event messages are typically transported by the syslog service, which uses UDP as the transport. Answers A and C are incorrect because syslog does not use TCP. Answer B is incorrect because it lists SNMP, not syslog.

11. A. Pattern matching is the act of matching packets against known signatures. Answer B is incorrect because anomaly detection looks for patterns of behavior that are out of the ordinary. Answer C is incorrect because protocol analysis analyzes the packets to determine if they are following established rules. Answer D is incorrect because stateful inspection is used for firewalls, not IDSs.

12. C. Snort cannot analyze Internet Group Management Protocol (IGMP), a routing protocol. Answers A, B, and D are incorrect because Snort can analyze TCP, IP, and UDP (and ICMP).

13. C. Session splicing works by delivering the payload over multiple packets, which defeats simple pattern matching without session reconstruction. Answer A is incorrect because evasion is a technique that might attempt to flood the IDS to evade it. Answer B is incorrect because IP fragmentation is a general term that describes how IP handles traffic when faced with smaller MTUs. Answer D is incorrect because session hijacking describes the process of taking over an established session.

14. D. Snort -ix -dev -lsnortlog is the correct entry to run Snort as an IDS on a Windows computer. Answers A, B, and C are incorrect because the syntax of each is invalid for starting Snort on Windows, although all three will start Snort on a Linux computer.

15. C. Filtering data on the source port of a packet isn’t secure because a skilled hacker can easily change a source port on a packet, which could then pass through the filter. Therefore, answers A, B, and D are incorrect.

16. D. The scan that was detected in this Snort alert is on port 1745, which is associated with Microsoft Proxy Server. Answer A is incorrect because the ACK flag is not turned on in the scan. Answer B is incorrect because the XMAS scan would show FIN, PSH, and URG flags on. Answer C is incorrect because port 1745 is not associated with Check Point FireWall-1.

17. B. WinPcap is the Windows packet-capture driver and library that allows the capture and sending of raw frames from a network card. Answer A is incorrect because libpcap is the Unix/Linux capture library; WinPcap is its Windows port. Answer C is incorrect because IDScenter is a GUI for Snort, not a packet driver. Answer D is incorrect because ADMutate is a tool for bypassing IDS.

18. B. The purpose is to conduct an Nmap XMAS scan, because an XMAS scan sets the URG, PSH, and FIN flags. Answer A is not correct because an ACK scan would show only the ACK flag. Answer C is incorrect because port 27444 would be displayed. Answer D is incorrect because in a NetBus scan, port 12345 is scanned.
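Questions 16 and 18 both turn on reading the TCP flag column of a Snort alert. The following is an added example written for this appendix, not code from the book: it parses alert records in Snort's full-alert layout and labels the probe by its flag set. The three records are constructed sample data (the rule SIDs are in the local-rule range), not real captures; the flag column order "12UAPRSF" and the record layout are Snort's own.

```python
from __future__ import annotations
import re

# Constructed sample alerts in Snort's "full" alert layout: three probes from
# one scanner. Made up for this example; SIDs are in the local-rule range.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL scan probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-10:01:02.123456 10.0.0.5:41321 -> 10.0.0.9:1745
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:40
**U*P**F Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] [1:1000001:1] LOCAL scan probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-10:01:05.223456 10.0.0.5:41322 -> 10.0.0.9:1745
TCP TTL:48 TOS:0x0 ID:2 IpLen:20 DgmLen:40
***A**** Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] [1:1000001:1] LOCAL scan probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-10:01:08.323456 10.0.0.5:41323 -> 10.0.0.9:12345
TCP TTL:48 TOS:0x0 ID:3 IpLen:20 DgmLen:40
******** Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20
"""

# Snort prints the TCP flag byte as eight fixed columns, "12UAPRSF":
# two reserved bits, then URG ACK PSH RST SYN FIN. A '*' means the flag is clear.
FLAG_COLUMNS = "12UAPRSF"
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8})\s+Seq:", re.MULTILINE)
ENDPOINTS_RE = re.compile(
    r"^\S+\s+([^\s:]+):(\d+)\s+->\s+([^\s:]+):(\d+)\s*$", re.MULTILINE)


def parse_flags(column_str: str) -> set[str]:
    """Turn a Snort flag column string such as '**U*P**F' into {'U', 'P', 'F'}."""
    return {FLAG_COLUMNS[i] for i, ch in enumerate(column_str) if ch != "*"}


def classify_probe(flags: set[str]) -> str:
    """Map a TCP flag set to the Nmap scan type that produces it."""
    if not flags:
        return "NULL scan"
    if flags == {"F", "P", "U"}:
        return "XMAS scan"
    if flags == {"A"}:
        return "ACK scan"
    if flags == {"F"}:
        return "FIN scan"
    if flags == {"S"}:
        return "SYN probe"
    return "other"


def classify_alerts(alert_text: str) -> list[dict]:
    """Parse each full-format alert record and label the probe it shows."""
    results = []
    for record in alert_text.strip().split("\n\n"):
        flag_match = FLAGS_RE.search(record)
        endpoint_match = ENDPOINTS_RE.search(record)
        if not flag_match or not endpoint_match:
            continue  # not a TCP record, or an unexpected layout
        flags = parse_flags(flag_match.group(1))
        results.append({
            "src": endpoint_match.group(1),
            "dst_port": int(endpoint_match.group(4)),
            "flags": "".join(sorted(flags)),
            "scan": classify_probe(flags),
        })
    return results


if __name__ == "__main__":
    for hit in classify_alerts(SAMPLE_ALERTS):
        print(hit)
```

The first record (URG, PSH, FIN against port 1745) is the XMAS probe of question 18; the second (ACK only) is the ACK scan the distractor describes; the third, with no flags set, is a NULL scan. Nmap sets all three XMAS flags at once, so a flag set that is merely a superset of {U, P, F} is deliberately left as "other" rather than guessed.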

19. C. Cisco IOS uses a proprietary, reversible Vigenère-style cipher (password type 7, applied by service password-encryption) to obscure passwords on the router other than the enable secret, which is stored as a salted MD5 hash (type 5). The type 7 cipher is trivially reversible, so it hides the password only from a casual glance at the configuration. Answers A, B, and D are incorrect because the password is not protected with MD5, DES, or AES.
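The point of question 19 is that a type 7 password is reversible rather than hashed. The following is an added example for this appendix, not the book's code: it implements the documented type 7 XOR scheme, decodes the widely published sample string 0822455D0A16, and audits a constructed (made-up) IOS configuration fragment for type 7 versus type 5 entries. The type 5 hash in the sample is a placeholder, not a real hash; only its type digit matters to the audit.

```python
import re

# XOR key string IOS uses for type 7 ("service password-encryption") strings.
# It is fixed and publicly documented, which is why type 7 is reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string: two decimal seed digits, then hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plaintext: str, seed: int = 8) -> str:
    """Forward direction, so the round trip can be checked. IOS picks seeds 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches the password-bearing directives; group 2 is the type digit.
PASSWORD_LINE = re.compile(
    r"^\s*(enable secret|enable password|username \S+ (?:secret|password)|password)"
    r"\s+(\d)\s+(\S+)")

# Constructed configuration fragment for the audit (not from a real device).
SAMPLE_CONFIG = """\
!
service password-encryption
username admin password 7 0822455D0A16
enable secret 5 $1$abcd$PLACEHOLDER.not.a.real.hash
line vty 0 4
 password 7 0822455D0A16
!
"""


def audit_config(config: str) -> list:
    """Flag type 7 strings (and recover them) and distinguish them from type 5 hashes."""
    findings = []
    for line in config.splitlines():
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        directive, ptype, value = m.groups()
        if ptype == "7":
            findings.append({"directive": directive, "type": 7,
                             "recovered": type7_decrypt(value),
                             "verdict": "reversible; replace with a secret (type 5 or better)"})
        elif ptype == "5":
            findings.append({"directive": directive, "type": 5, "recovered": None,
                             "verdict": "salted MD5 (md5crypt); not reversible, crackable offline"})
        else:
            findings.append({"directive": directive, "type": int(ptype), "recovered": None,
                             "verdict": "other type (8 is PBKDF2-SHA256, 9 is scrypt)"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

The audit treats type 5 as the floor, not the goal: it is a salted MD5 hash that resists reversal but not offline cracking, and current IOS offers type 8 and type 9 secrets for that reason.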

20. B. Proxy servers have the capability to maintain state. Answer A is incorrect because packet filters do not maintain state. Answers C and D are incorrect because honeypots and bastion servers do not maintain a state table or answer the question.

Chapter 10

“Do I Know This Already?” Quiz

1. d

2. c

3. b

4. c

5. b

6. a

7. d

8. d

9. a

10. b

Review Questions

1. B. The easiest way to keep up with XOR is to remember that XOR is true only when an odd number of inputs are true. Therefore, answers A, C, and D are incorrect.

2. B. Asymmetric encryption can provide users both confidentiality and authentication. Authentication is usually provided through digital certificates and digital signatures. Answer A is incorrect because steganography is used for file hiding and provides a means to hide information in the whitespace of a document, a sound file, or a graphic. Answer C is incorrect because a hash can provide integrity but not confidentiality. Answer D is incorrect because symmetric encryption only provides confidentiality.

3. D. Jake should compare the tool’s hash value to the one found on the vendor’s website. Answer A is incorrect because having a copy of the vendor’s digital certificate only proves the identity of the vendor; it does not verify the validity of the tool. Answer B is incorrect because having the digital certificate of his friend says nothing about the tool. Digital certificates are used to verify identity, not the validity of the file. Answer C is incorrect and the worst possible answer because loading the tool could produce any number of results, especially if the tool has been Trojaned.

4. A. bcrypt is more robust: it salts each password and has an adjustable cost factor, so guessing is slow and precomputed tables are useless, and as such it is harder to find collisions. Answer B is incorrect because the algorithm is not secret. Hashing algorithms like MD5 are fast and unsalted and can be brute-forced given enough processing power and time. Answer C is incorrect because bcrypt's robustness comes from its salt and cost factor, not from a stronger level of symmetric encryption. Answer D is incorrect because the MD5 algorithm has always been public.
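The following is an added example for this appendix (not code from the book) showing the two properties question 4 is really about. bcrypt itself is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it: like bcrypt it has a per-password salt and a tunable work factor, which is the contrast with unsalted MD5 that matters here. The wordlist is a constructed four-entry sample.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real one. With unsalted MD5 an
# attacker builds the digest -> password table once and reuses it for every user.
WORDLIST = ["letmein", "password123", "qwerty", "Summer2024!"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: same password always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(digest: str, wordlist):
    """One table serves every user in the database because there is no salt."""
    table = {md5_unsalted(w): w for w in wordlist}
    return table.get(digest)


def hash_password(password: str, iterations: int = 200_000, salt: bytes = b"") -> str:
    """Salted, iterated hash (PBKDF2 as a stand-in for bcrypt). Output is self-describing."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("MD5 lookup:", crack_unsalted_md5(md5_unsalted("password123"), WORDLIST))
    stored = hash_password("password123")
    print("stored:", stored)
    print("verify:", verify_password("password123", stored))
```

Because the salt is random, hashing the same password twice yields two different stored values, so an attacker must redo the full iterated work per user; with unsalted MD5, one dictionary pass cracks every account at once.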

5. C. Because the question asks what the RA cannot do, the correct answer is that the RA cannot generate a certificate. All other answers are incorrect because they are functions that the RA can provide, including reducing the load on the CA, verifying an owner’s identity, and passing along the information to the CA for certificate generation.

6. B. The known plain-text attack requires the hacker to have both the plain text and cipher text of one or more messages. For example, if a WinZip file is encrypted and the hacker can find one of the files in its unencrypted state, the two form a plain-text/cipher-text pair. Together, these two items can be used to extract the cryptographic key and recover the remaining encrypted zipped files. Answer A is incorrect because cipher-text-only attacks don't require the hacker to have the plain text; they require a hacker to obtain encrypted messages that have been encrypted using the same encryption algorithm. Answer C is incorrect because a chosen cipher-text attack occurs when a hacker can choose the cipher text to be decrypted and can then analyze the plain-text output of the event. Answer D is incorrect because a replay attack occurs when the attacker tries to repeat or delay a cryptographic transmission.
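Questions 1 and 6 meet in the following added example (written for this appendix, not taken from the book): an n-input XOR that is true only for an odd number of true inputs, and a known-plaintext attack against a toy repeating-key XOR cipher. The toy cipher stands in for the archive cipher in the question; it is not WinZip's algorithm. The "archive members" are constructed sample strings, and the key is generated randomly so the recovery is genuine.

```python
import os


def xor_parity(*inputs: bool) -> bool:
    """n-input XOR: true exactly when an odd number of inputs are true."""
    result = False
    for value in inputs:
        result ^= bool(value)
    return result


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR cipher. Encrypting and decrypting are the same
    operation because x ^ k ^ k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: P ^ C == K at every position, so key_len bytes of
    plaintext aligned with the ciphertext give back the whole repeating key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of aligned plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def demo() -> dict:
    """Two archive members share one key; the attacker already has the first in the clear."""
    key = os.urandom(16)  # the "archive password", unknown to the attacker
    # Constructed archive members (sample data for this example).
    readme = b"README: build with make, see docs/ for details"
    secret = b"db_password = Tr0ub4dor&3; api_key = 1234"
    enc_readme = xor_stream(readme, key)
    enc_secret = xor_stream(secret, key)
    recovered = recover_key(readme, enc_readme, len(key))  # attacker's step
    return {"key_recovered": recovered == key,
            "secret": xor_stream(enc_secret, recovered)}


if __name__ == "__main__":
    print(demo())
```

The attack needs only as many known bytes as the key is long; everything else encrypted under that key falls with it, which is exactly why a reused keystream is the failure mode a practitioner looks for first.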

7. C. The secring.skr file contains the PGP secret key. PGP is regarded as secure because a strong passphrase is used, and the secret key is protected. The easiest way to break into an unbreakable box is with the key. Therefore, anyone who wants to attack the system will attempt to retrieve the secring.skr file before attempting to crack PGP itself. Answer A is incorrect because the Windows passwords are kept in the SAM file. Answer B is incorrect because Linux passwords are generally kept in the passwd or shadow file. Answer D is incorrect because secring.skr is a real file and holds the user’s PGP secret key.

8. D. Examples of symmetric algorithms include DES, 3DES, and Rijndael. All other answers are incorrect because ElGamal, Diffie-Hellman, and ECC are all asymmetric algorithms.

9. B. 3DES has a nominal key length of 168 bits (three 56-bit DES keys). Its effective strength is only about 112 bits because of the meet-in-the-middle attack, which is one reason 3DES is now deprecated, but the exam answer is the nominal length. Answer A is incorrect because 3DES does not have a key length of 192 bits. Answer C is incorrect because 3DES does not have a key length of 64 bits. Answer D is incorrect because 56 bits is the key length of DES, not 3DES.

10. D. A digital certificate binds a user’s identity to a public key. Answer A is incorrect because a digital signature is electronic and not a written signature. Answer B is incorrect because a hash value is used to verify integrity. Answer C is incorrect because a private key is not shared and does not bind a user’s identity to a public key.

11. A. An inference attack involves taking bits of nonsecret information, such as the flow of traffic, and making certain assumptions from noticeable changes. Answer B is incorrect because cipher-text attacks don’t require the hacker to have the plain text; they require a hacker to obtain messages that have been encrypted using the same encryption algorithm. Answer C is incorrect because a chosen cipher-text attack occurs when a hacker can choose the cipher text to be decrypted and then analyze the plain-text output of the event. Answer D is incorrect because a replay attack occurs when the attacker tries to repeat or delay a cryptographic transmission.

12. C. DES processes 64 bits of plain text at a time. Answer A is incorrect because 192 bits is not the DES block size. Answer B is incorrect because 168 bits is the key length of 3DES, not the DES block size. Answer D is incorrect because 56 bits is the key length of DES, not its block size.

13. B. Collisions occur when two different messages produce the same hash value. This is a highly undesirable event and was proven against MD5 in 2005 when two X.509 certificates were created with the same MD5 hash in just a few hours (SHA-1 followed in 2017). Answer A is incorrect because collisions address hashing algorithms, not asymmetric encryption. Answer C is incorrect because collisions address hashing algorithms, not symmetric encryption. Answer D is incorrect because the goal of steganography is to produce two images that look almost identical, yet text is hidden in one.

14. C. John the Ripper is a password-cracking tool available for Linux and Windows. Answer A is incorrect because John is not used to crack PGP public keys. Also, because the key is public, there would be no reason to attempt a crack. Answer B is incorrect because John the Ripper is not a PGP-cracking tool. Answer D is incorrect because John the Ripper is not used to crack EFS files.

15. B. DES uses a 56-bit key. The key is supplied as 64 bits, but the low bit of each of the 8 bytes is a parity bit, leaving 56 effective key bits. Answer A is incorrect because 32 bits is not the length of the DES key. Answer C is incorrect; 64 bits is not the length of the DES key, because 8 of those bits are used for parity. Answer D is incorrect because 128 bits is not the length of the DES key; it is 56 bits.
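The parity bits of question 15 are easy to mishandle when a key is generated or stored by hand. The following is an added example for this appendix (not from the book): it checks and sets DES key parity and packs the 56 effective bits out of an 8-byte key and back, which makes the 2^56 keyspace concrete. The sample key 133457799BBCDFF1 is the key used in the well-known DES worked example; every byte of it has odd parity.

```python
def byte_has_odd_parity(b: int) -> bool:
    """DES requires each key byte to contain an odd number of 1 bits."""
    return bin(b).count("1") % 2 == 1


def des_key_parity_ok(key: bytes) -> bool:
    """A DES key is 8 bytes with odd parity in every byte (low bit is the parity bit)."""
    return len(key) == 8 and all(byte_has_odd_parity(b) for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite each byte's low bit so the byte has odd parity; the 7 key bits are untouched."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (0 if byte_has_odd_parity(high7) else 1))
    return bytes(out)


def strip_parity(key: bytes) -> int:
    """Pack the 56 effective key bits (7 per byte, parity bit dropped) into one integer."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def add_parity(key56: int) -> bytes:
    """Inverse of strip_parity: spread 56 bits over 8 bytes and set the parity bits."""
    if not 0 <= key56 < (1 << 56):
        raise ValueError("effective DES key must fit in 56 bits")
    raw = bytes(((key56 >> (7 * (7 - i))) & 0x7F) << 1 for i in range(8))
    return set_odd_parity(raw)


if __name__ == "__main__":
    k = bytes.fromhex("133457799BBCDFF1")
    print("parity ok:", des_key_parity_ok(k))
    print("56-bit value:", hex(strip_parity(k)))
    print("round trip:", add_parity(strip_parity(k)) == k)
```

Two keys that differ only in parity bits are the same DES key, which is why brute-force cost is counted over 56 bits and why a 3DES key of 24 bytes carries 168 key bits, not 192.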

16. D. The correct steps are: 1) Create the message to be sent; 2) Create a hash of the message; 3) Encrypt the hash with your private key (this is the digital signature); and 4) Encrypt the message with the recipient's public key. The recipient reverses the process: decrypt the message with their private key, hash it, and compare that hash with the signature decrypted using the sender's public key.

17. A. Cross-certification can be described as allowing participants to trust other participants’ PKI. Answer B is incorrect because a web of trust is used with PGP. Answer C is incorrect because a hierarchy of trust begins with at least one certification authority that is trusted by all entities in the certificate chain. Answer D is incorrect because shared trust is a distracter.

18. B. RC4 is an older symmetric stream cipher that can be used for streaming voice communication. Answers A, C, and D are incorrect because DES is a symmetric block cipher and both MD5 and Tiger are hashing algorithms. Note that RC4 has known keystream biases and is prohibited in TLS (RFC 7465); it is the exam's answer for a stream cipher, not a recommendation.

19. D. If having no fees is a requirement, the only real option is PGP. Although the fees might not be huge, there are administrative costs of maintaining self-produced certs. Or if you buy the solutions from a service, there is the cost of buying certificates and renewal fees. All other answers are therefore incorrect.

20. C. When using digital signatures, the public key is used by the recipient when verifying the validity of the message. Answers A and D are incorrect because the secret key and private key are not shared. Answer B is incorrect because a session key is an encryption and decryption key that is randomly generated to ensure the security of a communication session between a user and another computer or between two computers.

Chapter 11

“Do I Know This Already?” Quiz

1. a and d

2. c

3. a

4. c

5. b

6. d

7. d

8. d

9. d

10. a

Review Questions

1. B. With a Software as a Service (SaaS) model, the cloud provider has complete control of the stack. Answers A, C, and D are incorrect because each of the other models leaves the client in control of some portion of the stack.

2. C. IP header size is not used for traceback. Answers A, B, and D are incorrect because they identify the three valid options for botnet traceback.

3. C. A cross-site scripting (XSS) attack allows an attacker to inject client-side scripts into web pages viewed by other users. Answer A is incorrect because SYN cookies are used as a defense against SYN floods. Answer B is incorrect because cross-site request forgery (CSRF) occurs when a victim who is logged in to a legitimate site visits a malicious site that causes the victim's browser to send requests to the legitimate site. Answer D is incorrect because a wrapping attack deals with SOAP transactions.
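As an added example for this appendix (not from the book), the following Python shows the reflected XSS of question 3 in its simplest form next to the escaped equivalent, plus the attribute-context case that escaping alone does not cover. The URL paths and parameter names are made up for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def _param(url: str, name: str) -> str:
    """Pull one query parameter from a request URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_greeting_unsafe(url: str) -> str:
    """Vulnerable: attacker-controlled input dropped straight into markup."""
    return f"<p>Hello, {_param(url, 'name')}!</p>"


def render_greeting_safe(url: str) -> str:
    """HTML-body context: escape & < > " ' so input is rendered as text, not parsed as tags."""
    return f"<p>Hello, {html.escape(_param(url, 'name'), quote=True)}!</p>"


def render_profile_link_safe(url: str) -> str:
    """Attribute context: escaping stops breaking out of the quotes, but a
    javascript: or data: URL is still valid attribute text, so the scheme is allowlisted."""
    site = _param(url, "site")
    if urlsplit(site).scheme.lower() not in ("http", "https"):
        site = "#"
    return f'<a href="{html.escape(site, quote=True)}">profile</a>'


if __name__ == "__main__":
    probe = "/hello?name=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_greeting_unsafe(probe))
    print(render_greeting_safe(probe))
    print(render_profile_link_safe("/p?site=javascript:alert(1)"))
```

Output encoding is context-specific: what is safe inside an element body is not automatically safe inside an attribute, a URL, or a script block, which is why a template engine with per-context auto-escaping is preferable to hand-placed escape calls.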

4. D. Wireshark is one of the most well-known packet-sniffing tools. Answer A is incorrect because NetworkMiner is a network forensics tool. Answer B is incorrect because Netstat is used to provide network statistics. Answer C is incorrect because Tripwire is used for integrity verification.

5. C. A side channel extracts information from a victim virtual machine running on the same physical computer. Answer A is an invalid option. Answer B is incorrect because a wrapping attack deals with SOAP transactions. Answer D is incorrect because passive sniffing uses a tool such as Wireshark.

6. B. Tripwire is an integrity verification tool that can be used on Linux and Windows systems. Answer A is incorrect because Wireshark is used for packet capture. Answer C is incorrect because iptables is used to set ingress and egress filtering rules on network interfaces. Answer D is incorrect because TCP Wrappers control access to network services by client host (via hosts.allow and hosts.deny).

7. A. Crimeware is a type of malicious software designed to carry out a range of illegal hacking activity. Answer B is incorrect because a distributed botnet is the infrastructure that may deliver such software, not the category of software itself. Answer C is incorrect because a logic bomb is a form of malware hidden in the code that triggers on a condition. Answer D is incorrect because crimeware (answer A) is the correct term.

8. A. Ngrep is a tool that will allow you to specify extended regular expressions to match against the data part of packets on the network. Answer B is incorrect because type is a Windows command that prints the contents of a file to the screen. Answer C is incorrect because nslookup is used to perform a DNS query. Answer D is incorrect because grep is a Unix command used to search files, not network traffic.

9. D. HTML injection adds elements to the web pages. Answer A is incorrect because a TAN grabber seeks to grab a valid transaction authentication number and replace it with an invalid number to be used by the client. Answer B is incorrect because TAN injection is a distractor. Answer C is incorrect because a form grabber captures information entered into a form.

10. A. A TAN grabber seeks to grab a valid transaction authentication number and replace it with an invalid number to be used by the client. The attacker uses the valid number to perform banking transactions. Answer B is incorrect because a fast-flux botnet is a DNS technique used by botnets to hide phishing and malware sites by hiding them behind a network of quickly changing hosts that act as proxies. Answer C is incorrect because a form grabber captures and modifies POST requests. Answer D is incorrect because HTML injection adds elements to the web pages.

11. C. Universal interface tools like JTAG, SWD, I2C, and SPI tools can be used to perform IoT hardware research. Hopper, IDA, and Binary Ninja are examples of software reverse-engineering tools.

12. A. Bluetooth Smart (Bluetooth Low Energy) devices stay in a low-power sleep mode and wake up only when needed. It operates in the 2.4 GHz ISM band, uses frequency-hopping spread spectrum across its channels, and supports AES-128 encryption at the link layer.
