ADDITIONAL QUESTIONS AND ANSWERS

1. Why wouldn’t it be surprising to find Netcat on a Trojaned computer?

a) Netcat can be used to block any port from proper operation.

b) Netcat is used by system administrators to detect remote access Trojans.

c) Netcat can be used to perform port scanning.

d) Netcat encrypts all communications.

2. Why is tunneling-based Trojan software so useful for hackers if it is installed inside a corporate network?

a) Tunneling software uses ports that are not well known, e.g. 12345.

b) Stateful inspection firewalls can only filter server ports of 1-1023.

c) It makes network penetration trivial – the tunneling occurs using whichever port(s) the firewall is configured to allow.

d) Anti-Trojan software does not have signatures for tunneling Trojans and, therefore, it is easy for end-users to install tunneling Trojans.

3. What technology has made Trojans easy to distribute?

a) Digitally signed software

b) Legacy assembly language code

c) Personal firewall software

d) EXE wrappers.

4. What built-in Windows® command can be used to help find remote-access Trojans?

a) Netstat -a

b) Ipconfig /displaydns

c) Nbtstat -c

d) Netdiag.

5. Which of the following ports is most frequently associated with a Trojan on a Windows® computer?

a) 53

b) 135

c) 3389

d) 31337.

6. What type of software is used by an administrator to detect modified files or executables (system or otherwise) by comparing the new hash to the hash on the original, trusted file?

a) AES

b) WPA2

c) Traceroute

d) Integrity checkers.

7. What sniffer program is capable of reconstructing associated TCP packets into a session showing application layer data from the client to the server and vice-versa?

a) Packetyzer

b) EtherApe®

c) Wireshark

d) Arpwatch.

8. The process of flooding a local segment with thousands of random MAC addresses can result in some switches behaving like a hub. What is the goal of the hacker?

a) Denial of service

b) ARP cache poisoning

c) Sniffing in a switched network

d) SYN flood.

9. What process does a Cisco switch use to prevent or detect ARP cache poisoning?

a) ARP watch

b) Dynamic ARP inspection

c) VLANs

d) IPSec-ready.

10. Which of the following protocols sends data in cleartext, and is thus insecure?

a) SSH

b) SNMPv3

c) POP3

d) WEP.

11. What technology can be deployed at the network layer to protect against sniffing?

a) SSL

b) Certificates

c) IPsec

d) SSH.

12. Which protocol contains encrypted versions of telnet, file transfer protocol (FTP), and file copy for both Linux and Windows® computers?

a) SSL

b) OpenSSH

c) IEEE 802.1X

d) SPF.

13. What technologies could a company deploy to protect all data passing from an employee’s home computer to the corporate intranet?

a) IPsec

b) DNSSEC

c) WEP

d) IKE.

14. By spoofing an IP address and inserting the attacker’s MAC address into an unsolicited ARP reply packet, an attacker is performing what kind of attack?

a) Denial of service

b) Sniffing in a switched network via ARP poisoning

c) ARP flood

d) Birthday.

15. Why is passive sniffing much harder to detect than active sniffing (if not impossible)?

a) Passive sniffing injects fewer packets into the switch.

b) Passive sniffing can be done only via software – not via hardware.

c) A device that only receives packets is undetectable.

d) Active sniffing requires a unique signature to log network data.

16. What hashed authentication credentials can be sniffed and possibly cracked offline (assuming time is not an issue)?

a) SHA-1

b) Diffie-Hellman

c) Kerberos®

d) EAP-TLS.

17. A direct attack on a database system is one that attacks what?

a) The application code of the database system

b) The data residing on the database tables

c) The web front-end to the database

d) The first user account created on the database server.

18. Which of the following options most closely represents a typical format for a Microsoft SQL injection script?

a) ' OR 'a'='a

b) AND 1=1

c) ' OR 1=1; --

d) '; SELECT * FROM *.

19. What is one way an attacker can determine if a database front-end application is vulnerable to SQL injection?

a) Entering a single star (*) in the username field

b) Checking all outgoing TCP connections after browsing the web application

c) Just attempting an attack (there is no way to check)

d) Entering a single quotation mark (') in the password field.

20. SQL injection is defined as:

a) The gaining of access to a database management system by injecting code into a system process.

b) The insertion of unvalidated SQL code into an input field, which is used to directly build an SQL statement.

c) The process of placing new data into a database by inserting malicious code.

d) Altering data on a victim’s database server to that of a hacker’s choice.

21. Which of the following SQL scripts will cause the SQL server to cease operations?

a) '; NET STOP SQLSERVER --

b) ' OR 1=1; CLOSE WITHNOWAIT;

c) '; NET STOP SQLSERVERAGENT --

d) '; SHUTDOWN WITH NOWAIT; --.

22. When conducting a TCP scan for SQL servers on a given network address range, which port is being interrogated?

a) 443

b) 1334

c) 1433

d) 433.

23. Which ports should be blocked on the perimeter and internal firewall to best protect the Microsoft SQL database server from unauthorized inbound connections?

a) 1433, 1434

b) 443, 434

c) 1443, 1444

d) 80, 139.

24. Types of potential vulnerabilities that are commonly scanned for using a rainbow table include:

a) Password vulnerabilities

b) Weak operating system and application default settings

c) Common configuration and coding mistakes

d) Protocol vulnerabilities (such as the TCP/IP stack vulnerabilities).

25. Which vulnerability assessment tools have the option to perform dangerous/destructive scans?

a) Microsoft Baseline Security Analyzer

b) Nessus

c) Snort®

d) L0phtCrack.

26. Henry and Paul are debating the purchase of a $15,000 automated vulnerability assessment software package. What is the main disadvantage of the automated tool compared with manual assessments?

a) A result indicating a false negative may cause the organization to overreact to a security problem that does not exist.

b) False positives may require further investigation that the administrator is not qualified to perform.

c) The administrators may not be addressing the output of the automated tests.

d) Use of the tool may cost more than the cost of conducting manual assessments.

27. Which of these methods would be considered an example of passive reconnaissance?

a) Port scanning

b) Social engineering through the use of public internet sites

c) Tailgating through an identification checkpoint

d) Running HTTPRINT to determine the version of the remote web server.

28. Which of these methods would be considered an example of active reconnaissance?

a) War dialing

b) Whois lookup

c) Google hacking

d) Capturing wireless transmissions.

29. Which of these methods would help protect DNS records from access by unauthorized users?

a) Obscuring DNS registry information by using generic registration data.

b) Using Active Directory integrated zones on publicly-available DNS servers.

c) Blocking incoming UDP port 53 requests to a DMZ hosting a DNS server.

d) Using two DNS servers: an internal DNS server with internal resource records and an external DNS server with DMZ-based resource records.

30. Which of the following pieces of information can be obtained from a Whois query?

a) Technical point of contact

b) Private IP address block

c) Webserver platform

d) Uptime of server.

31. Why would an administrator block outbound “ICMP TTL Exceeded” error messages at the external gateways of the network?

a) To reduce the workload on the routers

b) To prevent Smurf (ICMP) attacks

c) To prevent traceroute software from revealing information about the internal topology

d) To prevent fragment-based denial-of-service attacks.

32. Which of the following is the most effective way to reduce the threat of social engineering?

a) Require employees to sign an acceptable computer/internet usage policy.

b) Prevent employees from accessing social networks from the office.

c) Require employees to communicate using encrypted e-mails.

d) Repeated user education on the nature of social engineering.

33. What technology is often used by employees to get access to web sites that are blocked by their corporate proxy server?

a) DNS spoofing

b) ARP poisoning

c) SSL proxy

d) Anonymous IP address allocation.

34. Why is it more difficult to sanitize information about a company that has publicly-traded stock?

a) The company wants to promote itself as much as possible.

b) The company must regularly submit financial information to regulatory bodies (such as the Securities and Exchange Commission (SEC)), which is then made public.

c) It is impossible to remove cached information from search engines’ databases.

d) The company must hire a security consultant with the expertise to sanitize the information.

35. Which of the following actions can often be used as countermeasures to port scans?

a) Blocking unassigned port traffic

b) Disabling protocols that support cleartext authentication

c) Blocking access to TCP port 53

d) Only using encrypted services, such as SSH and SSL/TLS.

36. Assuming SNMP agent devices are IPsec-capable, why would implementing IPsec help protect SNMP agents?

a) An insecure version of SNMPv3 is installed by default on most networking equipment.

b) SNMPv2 sends the community name in cleartext.

c) The method of authenticating with SNMPv1 and SNMPv2 is insecure because of its reliance on DES.

d) SNMPv2 doesn’t provide adequate integrity checks.

37. Which of the following are reasons why fragment-based port scans are often used by attackers?

a) Firewalls may be configured for high throughput, and thus don’t reassemble and inspect fragmented packets.

b) Firewalls are always set to reject non-fragmented port scans.

c) RFC 1121 requires that all routers pass fragmented packets.

d) Stateful inspection firewalls will not be able to detect a fragmented attack.

38. Which of the following are recommended practices to help counteract password-guessing attacks?

a) Ensure that UNIX passwords are stored in the /passwd file, not the shadow file.

b) Use two-factor authentication.

c) Set a password policy with a minimum password age of 30 days.

d) Allow the use of passwords of any length in order to make them more obscure.

39. What is a common countermeasure to prevent buffer overflow exploits?

a) Ensure all input to an application is validated before being processed.

b) Enable network-based IDS software.

c) Log all attempts by users, processes or applications to elevate privilege levels.

d) Always scan new media in an antivirus system before introducing it to internal PCs.

40. Keystroke loggers are usually used in which type of attack?

a) Aggressive

b) Semantic/syntactical

c) Passive

d) Active.

41. Which of the following statements explain why hardware-based keystroke loggers are so dangerous?

a) They can inject malicious code into running applications and processes.

b) They are transparent to both the operating system and the user applications.

c) They are frequently disguised as a legitimate program patch.

d) The data they contain can be easily retrieved, even if the attacker doesn’t have physical access to the machine.

42. Which of the following methods would allow an attacker to get access to the local SAM file if the attacker had physical access?

a) Rebooting with a Linux-based floppy or CD that can read NTFS filesystems.

b) Rebooting into Windows® using “safe mode”.

c) Compromising a system user through a browser exploit and pushing pwdump.

d) Installing a USB-based keystroke logger on a local machine.

43. Noah, a certified penetration tester, has been asked by Company XYZ to perform a security test against the company network from an internal location. The owner of Company XYZ has provided Noah with a network diagram, documentation and assistance. Which of the following would best describe the type of test that Noah is about to perform?

a) Black box

b) Single blind

c) White box

d) Gray box.

44. A malicious hacker has been trying to penetrate Company XYZ from an external network location. He has tried every trick in his bag, but still is not succeeding. From the choices presented below, which type of logical attempt is he most likely to make next?

a) Elevation of privileges

b) Pilfering of data

c) Denial of service

d) Installation of a backdoor.

45. The footprinting phase of a penetration test relies on a tester’s ability to collect information from different sources. Only about 35% to 40% of the information collected will be from technical sources. Which of the following is a common way for a security tester to collect information during this phase?

a) Physical access

b) Exploitation of vulnerabilities

c) Social engineering

d) Cracking administrator passwords.

46. What is traceroute used for?

a) To find network gateways that are vulnerable to ICMP-based attacks.

b) To find the best path to a specified destination address.

c) To find the path a packet traveled to get to the destination address.

d) To find the initial TTL value used within a packet.

47. A normal TCP connection is always established by using what is called a TCP three-way handshake. Which of the packet sequences below would represent a normal TCP connection establishment?

a) SYN, SYN/ACK, ACK

b) SYN, PSH, ACK

c) SYN, ACK

d) SYN, RST, SYN/ACK.

48. Which of the following scan types would be the least accurate, considering that many other network conditions could indicate that a port is open when it might not actually be?

a) Vanilla TCP port scan

b) UDP port scan

c) Half-open scan

d) Inverse TCP scan.

49. In an ACK flag scan, the target host is sent TCP packets with the ACK flag set, and the reply is then analyzed. Which of the following items within the response packets would be used to determine if the port was open on the remote host?

a) The Time To Live (TTL) field

b) The source port

c) The destination port

d) The packet fragment indicator.

50. Which of the following statements would be true when referring to stream ciphers?

a) Stream ciphers encrypt one bit or character at a time.

b) Stream ciphers commonly use a frequently repeated key stream to encrypt the message.

c) Stream ciphers impose a high computational overhead on systems.

d) Stream ciphers can only be implemented in software.

51. Bob has just produced a very detailed penetration testing report for his client. Bob wishes to ensure that the report will not be changed in storage or in transit. What would be the best tool Bob could use to assure the integrity of the information and detect any changes that might have happened to the report while being transmitted or stored?

a) A symmetric encryption algorithm

b) An asymmetric encryption algorithm

c) A hashing algorithm

d) A stream-based algorithm.

52. Nathalie is exclusively making use of a public key cryptographic system to communicate with her peers. She would like to send information to Bob, while protecting the confidentiality of the content being sent over the public network. Which key will she use to encrypt the message content, before sending it?

a) Bob’s private key

b) A shared secret key

c) Bob’s public key

d) Nathalie’s private key.

53. Vulnerability scanners have large databases of known vulnerabilities and exposures that exist within a very large number of operating systems and applications. What is one of the biggest disadvantages of automated security scanners when remaining stealthy is an issue?

a) They can only test IP-based vulnerabilities and will be detected by an IDS.

b) They will only work if the correct ports are open on the firewall, and traffic on those ports will increase.

c) The scanner might require a large amount of memory, disk space and processing power, and cause the system to slow down or malfunction.

d) A very large amount of traffic will be sent against the target.

54. Julius has been hired to perform a test on company XYZ networks. Julius knows that company XYZ has a large team of security administrators, who are very proactive in their security approach. Most likely, there are some Intrusion Detection Systems (IDSs) in place that would quickly identify Julius’s IP address, and he would then be blocked from accessing the network he is supposed to test. Which of the following would be the most practical and easiest solution Julius could take to avoid having his IP address identified and then blocked?

a) Using public key encryption (the IDS cannot decipher encrypted traffic and determine the source of the probes).

b) Using Secure Socket Layer (SSL) to shield the intruder from the IDS and hide the signatures of the attack software.

c) Using only computers that have their IP address spoofed to IP addresses within the local network (the IDS will identify all the traffic as legitimate internal traffic and not log the traffic or alert the administrator).

d) Using an internet anonymizer instead of connecting directly to the target (the anonymizer will shield the real source of the probes and, if it is blocked, can simply be changed to another proxy).

55. One of the last steps taken by an attacker will be to configure a method of permanent access to a compromised system. However, the installation of a backdoor, new processes, and changes to key files could be very quickly detected by an administrator. Which tool would assist the attacker in preventing the administrator from detecting changes to files, new processes that are running, or other signs that the system might have been compromised?

a) A Trojan horse

b) A rootkit

c) A logic bomb

d) A privilege escalation tool.

56. Mae is a keen system administrator. She constantly monitors the mailing list for best practices that are being used out in the field. On the servers that she maintains, Mae has renamed the administrator account to avoid abuse from crackers. However, she found out that it was possible, using the “sid2user” tool, to find the new name she chose for the administrator account. Mae does not understand; she has not shared this name with anyone. How did the name get out? What is the most likely reason?

a) Her system admin account may have been compromised.

b) Renaming the administrator account does not change the SID.

c) She is running an unpatched system.

d) Someone used social engineering to manipulate her.

Answers

1. C

2. C

3. D

4. A

5. D

6. D

7. C

8. C

9. B

10. C

11. C

12. B

13. A

14. B

15. C

16. C

17. A

18. C

19. D

20. B

21. D

22. C

23. A

24. A

25. B

26. B

27. B

28. A

29. D

30. A

31. C

32. D

33. C

34. B

35. A

36. B

37. A

38. B

39. A

40. C

41. B

42. A

43. D

44. C

45. C

46. C

47. A

48. B

49. A

50. A

51. C

52. C

53. D

54. D

55. B

56. B.
