1. Jason works in the sales and marketing department for a very large advertising agency located in Atlanta.

Jason is working on a very important marketing campaign for his company’s largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason’s client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor. Without any proof, Jason’s company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason’s company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on. Jason’s supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason’s supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used?

A. Snow Hiding Technique
B. Stealth Rootkit Technique
C. ADS Streams Technique
D. Image Steganography Technique *

2. Sam is using Firewalk to test the security of his network’s firewall. Sam is also utilizing a sniffer located in a subnet that resides deep inside the network. After analyzing the sniffer’s logs, he does not see any of the traffic produced by Firewalk. Why is that?

A. Firewalk cannot pass through firewalls.
B. Sam is not seeing any of the Firewalk traffic because it sets all packets with a TTL of one. *
C. He cannot see that traffic because Firewalk sets all packets with a TTL of zero.
D. Firewalk cannot be detected by network sniffers so that is why none of the traffic appears.

3. Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company’s firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. Why will this not be possible?

A. Firewalls cannot inspect traffic at all, they can only block or allow certain ports *

He can use the tool OpUtils. Running "ifconfig -a" produces the following: # ifconfig -a lo0: flags=849<UP. Firewalls can only inspect outbound traffic C. The company has a Windows Active directory network. C. He should navigate to %systemroot%\repair * C. He needs to go to %systemroot%\LSA D. He has been tasked with scanning the company’s network to try and find weaknesses.LOOPBACK. What tool can Korhan use to enumerate items from their Active Directory? A. Joseph the Hacker breaks into Hackcme Corporation's Linux system and plants a wiretap (keylogging) program in order to sniff passwords and user accounts off the wire. Where should Neil navigate to on the computer to find the file? A.Korhan was brought in as a consultant for Theason Brothers. 6. C. Neil will need to go to %systemroot%\system32\drivers\etc 7. Firewalls cannot inspect traffic coming through port 80 D. Joseph is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. B. He can use Enum4 to enumerate information from their Active Directory. B. Neil wants to setup a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. He should setup a MODS port which will copy all network traffic. Neil will need to setup SPAN port that will copy all network traffic to the protocol analyzer. a securities broker in the US. Firewalls cannot inspect traffic coming through port 443 4.Neil is a network administrator working in Istanbul. He will have to setup an Etherchannel port to get a copy of all network traffic to the analyzer.RUNNING. Korhan can use Jxplorer to enumerate LDAP. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer. Korhan can use LDAPxplorer to enumerate their Active directory. Neil is a network administrator who has just run the rdisk /s command to grab the backup SAM file on a computer running Windows XP.B. 
* D. He should navigate to %systemroot%\system32\LSA B.MULTICAST> mtu 8232 . * 5. What type of port will Neil need to setup in order to accomplish this? A. The wiretap program is embedded as a trojan in one of the network utilities. D.

asp | default.cgi | upload. Trevor is a security analyst and he wants to ensure his company’s external website is secure.NOTRAILERS.5.James runs a Nessus scan against an IP range in a remote office and can see some hosts are listening on ports 1521. Tlisrv uses ports 1521. * 9. "index of /" ( upload.0. Is there anyway you can retrieve information from a website that is outdated? A. Trevor needs to perform a Google search that will look for scripts that will let a hacker upload files.0.asp | upload. It is evident that MySQL is running on these hosts. Block output to the console whenever the user runs ifconfig command by running screen capture utility 8.2.pl ) * 10.MULTICAST> mtu 1500 inet 192.inet 127.php | default.cfm | upload. Visit the company’s partners and customers website for this information . What Google search would accomplish this? A. B.pl ) D.cgi | upload. and 5540. 3938. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information from being displayed on the console * C. 5540 as well as others. related:inurl ( default.jsp | upload.asp | default. D.jsp | upload. You cannot disable Promiscuous mode detection on Linux systems B.1 netmask ff000000hme0: flags=863<UP. Run the wiretap program in stealth mode from being detected by the ifconfig command D. Visit Archive.RUNNING.0.php | upload.cgi | default.jsp | default.cfm | default.BROADCAST.PROMISC. related:inurl ( upload. Crawl the entire website and store them into your computer D.php | upload.php | default.org web site to retrieve the Internet archive of the company’s website * C. "upload /" ( default.jsp | default. 3938. James can deduce that Oracle is running from these listening ports. which would then in turn allow them to execute programs on the file server. You know they had the entire staff directory listed on their website 12 months ago but now it is not there.cfm | upload.cfm | default. Visit google’s search engine and view the cached copy B. 
These ports are used exclusively by Microsoft SQL server.pl ) C. What can James deduce from these listening ports? A. You are footprinting an organization and gathering competitive intelligence.pl ) B. You visit the company’s website for contact information and telephone numbers but do not find them listed there.255 ether 8:0:20:9c:a2:35 What can Joseph do to hide the wiretap program from being detected by ifconfig command? A.asp | upload.cgi | default. C.2.99 netmask ffffff00 broadcast 134.

SQL injection attacks will be possible to carry out against this application. Nathan finds instances of printf/fprint/sprintf. Simon received a false-positive from Tripwire since Eventlog. Nathan is currently performing a security audit of all the software that his company uses. If you would use both brute force and dictionary combined together to have variations of words. B.though slow.11. With these functions. According to his boss. Thorough Attack C.pl. This program will be susceptible to format string attacks. Simon saw an attacker attempting to daisy chain his way out of the attack. The alert says that a user account. 14. Simon is sent an alert from one of the company’s web servers running Tripwire.syslog() and setproctitle functions. it tries every possible letter and number combination in its automated exploration. C. He was alerted by Tripwire of a silent-line attack. BruteDict Attack D. the more effective the dictionary attack is. Full Blown Attack B.TCP/IP Session Hijacking is carried out in which OSI layer? . D. a marketing firm based in London. 13. are open to query string attacks. “SalesMgr”. * B. Usually. what would you call such an attack? A. * C. especially the setproctitle function. Simon quickly checks out his logs that track user creation and he notices that this SalesMgr user account was only created an hour ago. In the context of password security: a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper. Simon then quickly disables the SalesMgr user account on the network and checks all the Tripwire logs that monitor their web server. neither he nor any of the other IT personnel created the account. What was Simon alerted to when he came to work this morning? A. Those functions. Simon was alerted of an attempted Vishing attack. The brute force method is the most inclusive . what types of attacks will the program be susceptible to? A. 
attempted to run a Perl script called Eventlog. The larger the word and word fragment selection. Simon calls his boss to ask regarding the identified user account. Simon is the network security administrator for his company. The Payroll application will be vulnerable to buffer overflow attacks. D.pl is an automatically run program on servers. and running it against user accounts located by the application. Hybrid Attack * 12. Soon after arriving at work one day. Nathan is the chief security analyst for his company. While checking a custom Payroll application.

She would be considered a suicide hacker. Which of the following is NOT an example of default installation? A. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. if caught. such as the sample programs on IIS web services B. Test the ability of a router to handle fragmented packets C. What would Ursula be considered? A. Ursula originally went to college to study engineering but later changed to marine biology after spending a month at sea with her friends. Transport layer * 15. Ursula decides to hack into the parent company’s computers and destroy critical data knowing fully well that. Ursula is a college student at a University in Amsterdam. Network Layer C. Ursula eventually wants to put companies practicing illegal fishing out of business. . Often. You should change the default settings to secure the system. Enabling port 80 on Web Servers for public access and asking your customers to visit your website 16. Test the ability of a WLAN to handle fragmented packets D. Most software is shipped with a default configuration that makes it easy to install and setup the application. Attacking well-known system defaults is one of the most common hacker attacks.A. Many software packages come with "samples" that can be exploited. Many systems come with default user accounts with well-known passwords that administrators forget to change C. Physical Layer D. Datalink layer B. Test ability of a router to handle over-sized packets * B. the default location of installation files can be exploited which allows a hacker to retrieve a file from the system D.What is the following nmap command trying to accomplish? A. Test the ability of a router to handle under-sized packets 17. she probably would be sent to jail for a very long time.

David is a security administrator working in Boston. which should be safely filed by the company. D. D. 18. From an external IP address. Information Security Policy (ISP) * B. He can send an IP packet with the SYN bit and the source address of his computer. David has been asked by the office's manager to block all POP3 traffic at the firewall because he believes employees are spending too much time reading personal email.Fred is the network administrator for his company. David can stop POP3 traffic by blocking all HELO requests that originate from inside the office. C. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine. What is this document called? A. David can block port 110 to block all POP3 traffic. How can David block POP3 at the firewall? A. * B. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer. Information Audit Policy (IAP) 19. No one should be allowed to use the company’s computer systems until they have signed the policy in acceptance of its terms. C. Fred wants to try and trick this switch into thinking it already has established a session with his computer. D. . 20. David can block all EHLO requests that originate from inside the office. * B. what is prohibited. and what will happen to them if they break the rules. Penetration Testing Policy (PTP) D. The employee should be asked to sign one copy. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch. How can Fred accomplish this? A. Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company’s systems for. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization.B. Company Compliance Policy (CCP) C. C. Ursula would be considered a gray hat since she is performing an act against illegal activities. She would be called a cracker. 
Fred is testing an internal switch. David can block port 125 at the firewall. Ursula would be considered a black hat.

0.100. Verify that UDP port 445 is open for the 172. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.100.44 host.0 network C. C. Port 25 is open on the 192. 25. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine. B. David is scanning his internal subnets to see how many hosts are online and what ports they are listening on.0.168.168. Fred is the network administrator for his company. Port 25 is in shadow mode on the 192.16. He can send an IP packet with the SYN bit and the source address of his computer. D. David finds a host at 192. The host at 192.16.0. 24.44 which responds to a ping. Verify that TCP port 445 is open for the 172.16.0 network * B. What is the following command trying to accomplish? A. Fred is testing an internal switch.168. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer. From an external IP address.100. Fred wants to try and trick this switch into thinking it already has established a session with his computer.100.22. What can David infer from this response? A.100.168.44 host.44 is a Microsoft Exchange Server. Verify that Netbios is running for the 172. Port 25 is closed on the 192. * B.44 host. How can Fred accomplish this? A.168.0 network . C. He performs a UDP scan on port 25. but the host does not respond.

16.0 network . Verify that UDP port 445 is closed for the 172.0.D.
