CEH Practice Test 10
Question 1 of 65
Identify the attack by description: This attack is performed at layer 7 to take down web infrastructure. During its execution, partial HTTP requests are sent to the web infrastructure or applications and upon receiving a partial request, the target server opens multiple connections and keeps waiting for the requests to complete.
Explanation (https://en.wikipedia.org/wiki/Slowloris_(computer_security)): Slowloris is a denial-of-service attack tool that allows a single machine to take down another machine's web server with minimal bandwidth and with little side effect on unrelated services and ports. Slowloris tries to open as many connections to the target web server as it can and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it sends further HTTP headers, adding to, but never completing, the request. Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying additional connection attempts from legitimate clients.

Incorrect answers:

Desynchronization attack: a typical RFID-related threat in which the tag's key stored in the back-end database and the key in the tag's memory no longer match, because an attacker blocks the communication between the parties.

Session splicing: an IDS evasion technique in which an attacker delivers data in multiple small packets to the target computer, making it very difficult for an IDS to match the attack signatures.

Phlashing: a permanent denial-of-service (DoS) attack that exploits a vulnerability in network-based firmware updates. Such an attack is currently theoretical, but if carried out it could render the target device inoperable.
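The explanation above describes the symptom a defender can look for: one client holding many connections that never finish their request headers, while still trickling bytes so a per-byte idle timeout never fires. The following added example (not part of the practice test or the referenced article) scores a constructed snapshot of a server's connection table with two rules, an idle-timeout rule and a time-to-complete-headers rule, and shows that only the second one attributes the stalled connections to a source. Field names, thresholds and addresses are assumptions for this example.

```python
# Added example: detecting Slowloris-style half-open requests in a connection snapshot.
# The snapshot format is constructed for this example; a real source would be the
# server's status page or connection tracking table.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Conn:
    src: str          # client address
    state: str        # "headers" = request line/headers not yet complete; else "body", "write", "idle"
    open_for: float   # seconds since the connection was accepted
    since_byte: float # seconds since the last byte arrived from the client

IDLE_TIMEOUT = 10.0     # typical per-byte idle limit; Slowloris stays under it on purpose
HEADER_TIMEOUT = 20.0   # a complete request line plus headers should arrive well within this
PER_SOURCE_LIMIT = 8    # browsers open a handful of connections per host, not dozens

def idle_rule(conns: List[Conn]) -> Dict[str, int]:
    """Per-source count of connections whose client has gone silent for IDLE_TIMEOUT.
    A Slowloris client sends a header fragment every few seconds, so this stays empty."""
    counts: Counter = Counter()
    for c in conns:
        if c.since_byte > IDLE_TIMEOUT:
            counts[c.src] += 1
    return dict(counts)

def stalled_by_source(conns: List[Conn]) -> Dict[str, int]:
    """Per-source count of connections that have been open longer than HEADER_TIMEOUT
    and are still waiting for the request headers to finish (the Slowloris signature)."""
    counts: Counter = Counter()
    for c in conns:
        if c.state == "headers" and c.open_for > HEADER_TIMEOUT:
            counts[c.src] += 1
    return dict(counts)

def suspicious_sources(conns: List[Conn], pool_size: int) -> Dict[str, dict]:
    """Sources holding PER_SOURCE_LIMIT or more stalled connections, with the share of
    the server's connection pool they occupy (the resource the attack exhausts)."""
    out = {}
    for src, n in stalled_by_source(conns).items():
        if n >= PER_SOURCE_LIMIT:
            out[src] = {"stalled": n, "pool_share": round(n / pool_size, 2)}
    return out

def constructed_snapshot() -> List[Conn]:
    """Constructed data: one client keeps 12 partial requests open for over a minute and
    sends a byte every few seconds; three ordinary clients behave normally."""
    conns = [Conn("203.0.113.7", "headers", 90.0 + i, 3.0) for i in range(12)]
    conns += [
        Conn("198.51.100.2", "write", 0.4, 0.1),    # response being written
        Conn("198.51.100.3", "body", 1.2, 0.2),     # upload in progress
        Conn("198.51.100.4", "headers", 2.0, 0.5),  # just accepted, not stalled yet
    ]
    return conns

if __name__ == "__main__":
    snap = constructed_snapshot()
    print("idle rule:", idle_rule(snap))                    # nothing flagged
    print("stalled per source:", stalled_by_source(snap))   # {'203.0.113.7': 12}
    print("suspicious:", suspicious_sources(snap, pool_size=256))
```

The matching mitigation is a server-side limit on how long a request may take to complete its headers and a cap on concurrent connections per client, both of which are independent of per-byte idle timeouts.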
Question 2 of 65
Which of the following describes cross-site request forgery?
Explanation (https://owasp.org/www-community/attacks/csrf): Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.

CSRF tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site has no way to distinguish between a forged request sent by the victim and a legitimate request sent by the victim.

CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing something. Forcing the victim to retrieve data does not benefit an attacker, because the attacker does not receive the response; the victim does. As such, CSRF attacks target state-changing requests.

It is sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called "stored CSRF flaws". This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet, and because the victim is sure to be authenticated to the site already.
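The explanation above makes the defensive point precise: the browser attaches the session cookie to a forged request automatically, so the server needs something the attacking page cannot supply. The following added example (not part of the practice test or OWASP's page) implements that with a synchronizer token bound to the session plus an Origin/Referer check, and runs one legitimate and two forged state-changing requests through it. Requests are plain dicts so the code needs no web framework; the server secret, origin and request fields are assumptions for this example.

```python
# Added example: synchronizer-token CSRF check for state-changing requests.
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed server-side secret; in a real deployment this comes from configuration.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
TRUSTED_ORIGIN = "https://bank.example"   # assumed origin of the protected application

def issue_csrf_token(session_id: str) -> str:
    """Derive the per-session token the application embeds in its own forms.
    Because it is an HMAC over the session id, the server can recompute it on each
    request instead of storing it, and a token from one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def is_state_changing(method: str) -> bool:
    """Safe methods must not change state, so only the others need the token."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")

def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port] for an exact comparison
    (a prefix match would accept https://bank.example.attacker.example)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def csrf_check(request: Dict) -> Optional[str]:
    """Return None when the request may proceed, otherwise the reason it is refused.
    request keys (constructed): method, cookies (dict), headers (dict), form (dict)."""
    if not is_state_changing(request["method"]):
        return None
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "no session"  # unauthenticated; nothing for a forged request to inherit
    # Origin/Referer are set by the browser, not by the page that triggered the request.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is not None and origin_of(origin) != TRUSTED_ORIGIN:
        return "cross-origin request"
    # The token comes from the form body, which a cross-site page cannot read.
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(submitted, expected):  # constant-time comparison
        return "missing or invalid csrf token"
    return None

def demo() -> Dict[str, Optional[str]]:
    """Constructed requests from the same logged-in browser: one issued by the bank's own
    page (carries the token), two forged by another site (cookie only)."""
    session = "sess-123"
    legit = {"method": "POST", "cookies": {"session": session},
             "headers": {"Origin": TRUSTED_ORIGIN},
             "form": {"to": "alice", "amount": "10", "csrf_token": issue_csrf_token(session)}}
    forged = {"method": "POST", "cookies": {"session": session},
              "headers": {"Origin": "https://attacker.example"},
              "form": {"to": "mallory", "amount": "1000"}}
    # Even when no Origin/Referer arrives, the missing token still stops the request.
    forged_no_origin = {**forged, "headers": {}}
    return {"legit": csrf_check(legit),
            "forged": csrf_check(forged),
            "forged_no_origin": csrf_check(forged_no_origin)}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict is None else 'refused (' + verdict + ')'}")
```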
Question 3 of 65
Johnny decided to gather information for identity theft from the target organization. He wants to redirect the organization's web traffic to a malicious website. After some thought, he plans to perform DNS cache poisoning by exploiting the vulnerabilities in the DNS server software and wants to modify the original IP address of the target website to that of a malicious website. Which of the following techniques does Johnny plan to use?
Explanation (https://en.wikipedia.org/wiki/Pharming): Pharming is a scamming practice in which malicious code is installed on a personal computer (PC) or server, misdirecting users to fraudulent websites without their knowledge or consent. The aim is for users to input their personal information. Once information such as a credit card number, bank account number or password has been entered at a fraudulent website, criminals have it, and identity theft can be the end result. Pharming exploits the foundation of how internet browsing works, namely that the sequence of letters forming an internet address, such as http://www.google.com, has to be converted into an IP address by a DNS server for the connection to proceed. Pharming attacks this process in one of two ways:

1. A hacker may send malicious code in an email which installs a virus or Trojan on a user's computer. This malicious code changes the computer's hosts file to direct traffic away from its intended target and toward a fake website instead. In this form of pharming, known as malware-based pharming, the corrupted hosts file takes you to the fraudulent site regardless of whether you type the correct internet address.

2. The hacker may use a technique called DNS poisoning. DNS stands for "Domain Name System"; pharmers can modify the DNS table in a server, causing multiple users to inadvertently visit fake websites instead of legitimate ones. Pharmers can use the fake websites to install viruses or Trojans on the user's computer or attempt to collect personal and financial information for use in identity theft.

Incorrect answers:

Skimming (https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/case-study-series): Skimming in cybersecurity refers to cybercriminals' strategies for capturing and stealing a cardholder's personal payment information. Identity thieves use various approaches to obtain card data. One of the most advanced methods is a small skimming device designed to read a credit card's microchip or magnetic strip. Criminals can execute skimming attacks whenever a cardholder opts for electronic payment in a physical location. Digital skimming methods are also widespread. Often referred to as e-skimming, digital skimming is similar to card skimming; the main difference is that hackers can execute e-skimming remotely and collect card information in real time.

Pretexting (https://en.wikipedia.org/wiki/Pretexting): Pretexting is a form of social engineering in which an attacker tries to convince a victim to give up valuable information or access to a service or system. The distinguishing feature of this kind of attack is that the scam artist comes up with a story, or pretext, in order to fool the victim. The pretext generally casts the attacker in the role of someone in authority who has the right to access the information being sought, or who can use the information to help the victim.

Wardriving (https://en.wikipedia.org/wiki/Wardriving): Wardriving consists of physically searching for wireless networks with vulnerabilities from a moving vehicle and mapping the wireless access points. Wardrivers use hardware and software to find WiFi signals in a particular area. They may intend to find only a single network or every network within an area. Once networks are located, wardrivers record the locations of vulnerable networks and may submit the information to third-party websites and apps to create digital maps. There are three primary reasons wardrivers look for unsecured WiFi. The first is to steal personal and banking information. The second is to use your network for criminal activity that you, as the owner of the network, would be liable for. The final reason is to find the security flaws of a network; ethical hackers do this via wardriving in order to find vulnerabilities and improve overall security.
Question 4 of 65
Justin, the evil hacker, wants to steal Joanna's data. He sends Joanna an email with a malicious link that looks legitimate. Joanna unknowingly clicks on the link, it redirects her to a malicious web page, and Justin steals Joanna's data. Which of the following attacks is described in this scenario?
Explanation (https://en.wikipedia.org/wiki/Phishing): Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information. An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft. Moreover, phishing is often used to gain a foothold in corporate or governmental networks as part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data. An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Incorrect answers:

Vishing (https://en.wikipedia.org/wiki/Voice_phishing): Voice phishing, or vishing, is the use of telephony (often Voice over IP telephony) to conduct phishing attacks.

DDoS (https://en.wikipedia.org/wiki/Denial-of-service_attack): A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.

Spoofing (https://en.wikipedia.org/wiki/Spoofing_attack): In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.
Question 5 of 65
As usual, you want to open your online banking from your home computer. You enter the URL http://www.yourbanksite.com into your browser. The website is displayed and prompts you to re-enter your credentials as if you have never visited the site before. You decide to check the URL of the website and notice that the site is not secure and the web address appears different. Which of the following types of attacks have you been exposed to?
Correct
https://en.wikipedia.org/wiki/DNS_hijacking DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or by modifying the behaviour of a trusted DNS server so that it does not comply with Internet standards. These modifications may be made for malicious purposes such as phishing, or for self-serving purposes by Internet service providers (ISPs). A rogue DNS server translates the domain names of desirable websites (search engines, banks, brokers, etc.) into the IP addresses of sites with unintended content, including malicious websites. Most users depend on the DNS servers automatically assigned by their ISP; DNS-changing trojans on infected (zombie) machines silently replace that automatic assignment with a manual one pointing at the attacker's resolvers. In the scenario above, the two tells are the ones you would check in practice: the browser reports the site as not secure, because an attacker who controls only name resolution cannot normally present a valid certificate for the bank's real hostname, and the address bar no longer shows the name you typed. Confirming the diagnosis means comparing the resolvers in the host's TCP/IP configuration with the expected ones, and comparing the answer for the bank's name against the answer from a resolver you trust.
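The two checks just described, as an added example that is not part of the quiz or of any tool it references: list the resolvers a host is configured to use and flag any outside an allow-list, then compare the addresses the system resolver returned for a name with those a trusted resolver returned. The resolv.conf text, the allow-list and the answer sets are constructed for the demonstration; the only live helper is the one that asks the OS resolver.

```python
"""Two checks for DNS hijacking: unexpected resolvers in the host configuration,
and resolver answers that disagree with a trusted resolver.

Added example, not code from the quiz or from any referenced project.
Assumptions: the resolv.conf text and the answer sets are constructed; the
allow-list is a hypothetical one for a single home network.
"""
import ipaddress
import socket

# Resolvers this host is expected to use: the home router and two public resolvers.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network(n) for n in ("192.168.1.0/24", "1.1.1.1/32", "8.8.8.8/32")
]

# Constructed resolv.conf as a DNS-changing trojan might leave it: the router
# entry is still present, but an attacker-controlled resolver was put first.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 203.0.113.53
nameserver 192.168.1.1
search home.lan
"""


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # ignore malformed entries rather than crash
    return servers


def unexpected_nameservers(servers, allowed=TRUSTED_RESOLVER_NETS):
    """Nameservers that fall outside every allowed network."""
    return [str(s) for s in servers if not any(s in net for net in allowed)]


def compare_answers(name, system_answers, reference_answers):
    """Compare what the system resolver returned for `name` with what a trusted
    resolver returned. Disjoint sets are the hijacking signal; a partial overlap
    is normal for CDN-fronted names and is reported but not flagged."""
    sys_set = {ipaddress.ip_address(a) for a in system_answers}
    ref_set = {ipaddress.ip_address(a) for a in reference_answers}
    return {
        "name": name,
        "suspicious": sys_set.isdisjoint(ref_set),
        "only_system": sorted(str(a) for a in sys_set - ref_set),
        "only_reference": sorted(str(a) for a in ref_set - sys_set),
    }


def os_resolver_answers(name):
    """Live helper: the addresses the OS resolver returns for `name` (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", [str(s) for s in servers])
    print("outside allow-list:", unexpected_nameservers(servers))
    # Constructed answers: the system resolver sends the bank's name to an
    # address the trusted resolver has never returned.
    print(compare_answers("www.yourbanksite.com",
                          ["198.51.100.10"],
                          ["192.0.2.20", "192.0.2.21"]))
```

The reference answers would come from a query sent explicitly to a resolver you trust (for example `dig @1.1.1.1 www.yourbanksite.com`, or a dnspython Resolver with its nameservers set), not from the system resolver, otherwise both sides of the comparison are under the attacker's control. Treat a disjoint result as a reason to investigate rather than proof: names served through a CDN or GeoDNS can legitimately resolve to different addresses from different vantage points.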
Question 6 of 65
6. Question
Which of the following files is a rich target for discovering the structure of a website during web-server footprinting?
Correct
In the case of this question, it is worth paying attention to the word "file". Based on this, the correct answer is robots.txt, not the document root, since the latter is a folder and not a file. Robots.txt is used to control crawler access. It is an easy means to exclude certain resources, such as unimportant images, style sheets, or script files, from search engines. For a footprinter it is valuable for exactly that reason: every Disallow entry is a path the site operator does not want indexed, which is often an admin interface, a backup directory, or a staging area, and the file is advisory only, so nothing stops you from requesting those paths directly. The document root is the folder where the website files for a domain name are stored. This folder contains the index file (index.php, index.html, or default.html) and is often named public_html, htdocs, www, or wwwroot. How the root folder of a specific website is named depends on the web host and the settings chosen. It is the first folder in a hierarchy that can be pictured as an upside-down tree, hence the name root. In the root directory of a website, the robots.txt file, which is relevant for search engine optimization, is stored, as is sitemap.xml for large websites.
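A parser for the file under discussion, as an added example that is not part of the quiz: it reads robots.txt into its user-agent groups, collects the Disallow and Allow paths and the Sitemap entries, and turns the disallowed paths into absolute URLs to probe. The robots.txt body and the example.com base URL are constructed; the download helper is the only part that touches the network.

```python
"""Parse robots.txt and list the paths each user-agent group is told not to crawl,
which is the footprinting value of the file.

Added example, not code from the quiz or from any real site. SAMPLE_ROBOTS and
the example.com base URL are constructed.
"""
import urllib.request
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# constructed sample, not a real site's file
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /admin/help
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""


def parse_robots(text):
    """Return (groups, sitemaps). Each group is {"agents", "disallow", "allow"}.
    Consecutive User-agent lines share one group; a User-agent line after any
    rule starts a new one, as the robots.txt format specifies."""
    groups, sitemaps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line or ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if current is None or current["disallow"] or current["allow"]:
                current = {"agents": [], "disallow": [], "allow": []}
                groups.append(current)
            current["agents"].append(value)
        elif field in ("disallow", "allow"):
            if current is None:
                continue  # rule before any User-agent line: ignore
            if value:  # an empty Disallow means "allow everything"
                current[field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def footprint_targets(base_url, text):
    """Absolute URLs of every disallowed path across all groups, plus sitemaps.
    Wildcards ($, *) in Disallow values are kept verbatim for the caller."""
    groups, sitemaps = parse_robots(text)
    paths = {urljoin(base_url, p) for g in groups for p in g["disallow"]}
    return sorted(paths), sitemaps


def fetch_robots(base_url, timeout=10):
    """Live helper: download /robots.txt for a site (needs network)."""
    url = urljoin(base_url, "/robots.txt")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    targets, sitemaps = footprint_targets("https://www.example.com", SAMPLE_ROBOTS)
    for url in targets:
        print("disallowed:", url)
    for sm in sitemaps:
        print("sitemap:", sm)
```

Every URL the parser emits is a candidate to request directly during the engagement, since robots.txt is a request to crawlers and not an access control; the sitemap, when present, is the complementary list of paths the operator does want found and is a quick map of the site's structure.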
Question 7 of 65
7. Question
You come to a party with friends and ask the apartment owner for access to his wireless network. He tells you the name of the access point and its password, but when you try to connect, the connection is established without asking for a password. Which of the following attacks could have occurred?
Correct
https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks) An evil twin attack is one in which an attacker sets up a fake Wi-Fi network that looks like a legitimate access point in order to steal victims' sensitive details. Most often, the victims of such attacks are ordinary people like you and me. The attack can be performed as a man-in-the-middle (MITM) attack: the fake access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the attacker owns the equipment being used, the victim will have no idea that the attacker might be intercepting things like bank transactions. An evil twin access point can also be used in a phishing scam. In this type of attack, victims connect to the evil twin and are lured to a phishing site that prompts them to enter sensitive data such as their login details. These, of course, are sent straight to the attacker, who might then simply disconnect the victim and show that the server is temporarily unavailable. ADDITION: It may not seem obvious what happened, so read the question statement carefully. You were not the one bypassing the password; you were the victim. Your device joined an attacker's access point that broadcasts the same network name as the owner's real network but has no encryption configured, which is why no password was requested. A network that is supposed to require a passphrase and does not ask for one is the tell.
Question 8 of 65
8. Question
Which of the following methods can keep your wireless network undiscoverable and accessible only to those that know it?
Correct
The SSID (service set identifier) is the name of your wireless network. SSID broadcast is how your router transmits this name to surrounding devices. Its primary function is to make your network visible and easily accessible. Most routers broadcast their SSIDs automatically. To disable or enable SSID broadcast, you need to change your router's settings. Disabling SSID broadcast will make your Wi-Fi network name invisible to other users. However, this only hides the name, not the network itself. You cannot disguise the router's activity, so attackers can still attack it. With your network invisible to wireless devices, connecting becomes a bit more complicated. Just giving a Wi-Fi password to your guests is no longer enough; they have to configure their settings manually, including the network name, security mode, and other relevant details. Disabling SSID broadcast might be a small step towards security, but by no means should it be your final one. Before relying on it, consider the following: – Disabling SSID broadcast does not hide your network completely. It only blanks the network name; the access point still transmits beacon frames to announce its presence, with the SSID field empty, and the name itself is sent in the clear in the probe requests of clients configured for the network and in the probe responses and association frames that follow, so a passive sniffer recovers it as soon as any client connects. – Third-party software can easily trace a hidden network. Programs such as NetStumbler or Kismet can locate hidden networks; you can try them yourself to see how easy it is to find available networks, hidden or not. – You might attract unwanted attention. Disabling SSID broadcast can also raise suspicion, since most people assume that somebody who hides something has a reason to, and some attackers might be drawn to your network. What actually restricts access is the encryption and authentication setting (WPA2 or WPA3 with a strong passphrase), not the visibility of the name.
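One block serves the two wireless questions above, as an added example that is not code from the quiz or from Kismet, NetStumbler or any other tool it names: over a set of sniffed management-frame summaries it flags an evil twin (a beacon carrying a known SSID from an unexpected BSSID or with encryption turned off, the "connected without a password" case from question 7) and recovers a hidden SSID by pairing blank-SSID beacons with probe responses from the same BSSID (the leak described in question 8). The frame summaries and the known-network table are constructed; a real capture from a passive sniffer would supply the same fields.

```python
"""Evil-twin detection and hidden-SSID recovery over 802.11 management-frame
summaries.

Added example, not code from the quiz or from any sniffer it mentions. The frame
summaries and KNOWN_NETWORKS below are constructed; with a real capture the
fields used are the BSSID, the SSID element and the Privacy capability bit.
"""

# Constructed frame summaries. privacy=True means the frame advertised
# encryption (the Privacy capability bit set in a beacon or probe response).
SAMPLE_FRAMES = [
    {"type": "beacon",     "bssid": "aa:bb:cc:00:00:01", "ssid": "HomeNet",   "privacy": True,  "channel": 6},
    {"type": "beacon",     "bssid": "de:ad:be:ef:00:01", "ssid": "HomeNet",   "privacy": False, "channel": 6},
    {"type": "beacon",     "bssid": "aa:bb:cc:00:00:02", "ssid": "",          "privacy": True,  "channel": 11},
    {"type": "probe_resp", "bssid": "aa:bb:cc:00:00:02", "ssid": "OfficeNet", "privacy": True,  "channel": 11},
    {"type": "beacon",     "bssid": "11:22:33:44:55:66", "ssid": "CafeGuest", "privacy": False, "channel": 1},
]

# Networks the client is configured for: expected BSSID and whether a
# passphrase is required. Hypothetical values.
KNOWN_NETWORKS = {
    "HomeNet": {"bssid": "aa:bb:cc:00:00:01", "secured": True},
}


def find_evil_twins(frames, known=KNOWN_NETWORKS):
    """One finding per access point that beacons a known SSID but does not match
    the expected BSSID or security setting. An open AP using the name of a WPA2
    network is exactly the case where a client joins without being asked for a
    password."""
    findings, seen = [], set()
    for f in frames:
        if f["type"] != "beacon" or f["ssid"] not in known or f["bssid"] in seen:
            continue
        seen.add(f["bssid"])
        expected = known[f["ssid"]]
        reasons = []
        if f["bssid"].lower() != expected["bssid"].lower():
            reasons.append("unknown BSSID")
        if expected["secured"] and not f["privacy"]:
            reasons.append("open network where encryption is expected")
        if reasons:
            findings.append({"ssid": f["ssid"], "bssid": f["bssid"],
                             "channel": f["channel"], "reasons": reasons})
    return findings


def recover_hidden_ssids(frames):
    """Map each BSSID that beacons with an empty SSID to the name revealed in its
    own probe responses or in association requests addressed to it; both carry
    the SSID in the clear. None means no client has asked for it yet."""
    hidden = {f["bssid"] for f in frames if f["type"] == "beacon" and f["ssid"] == ""}
    revealed = {}
    for f in frames:
        if f["bssid"] in hidden and f["type"] in ("probe_resp", "assoc_req") and f["ssid"]:
            revealed[f["bssid"]] = f["ssid"]
    return {b: revealed.get(b) for b in sorted(hidden)}


if __name__ == "__main__":
    for finding in find_evil_twins(SAMPLE_FRAMES):
        print("possible evil twin:", finding)
    print("hidden SSIDs:", recover_hidden_ssids(SAMPLE_FRAMES))
```

The BSSID check is the weaker of the two signals, because an attacker can clone the legitimate access point's MAC address; the encryption check still catches an open twin, and a twin that keeps WPA2 but does not know the passphrase simply fails the handshake rather than connecting silently. For the hidden-network case, the lookup returns None until some client probes for or associates with the network, which is why hiding the SSID only delays disclosure rather than preventing it.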
Question 9 of 65
9. Question
You want to make your life easier and automate the process of updating applications. You decide to use user-defined HTTP callbacks, or push APIs, that are raised by trigger events. When this feature fires, data is supplied to other applications so that users instantly receive real-time information. What is the name of this technique?
Correct
https://en.wikipedia.org/wiki/Webhook A webhook in web development is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users and developers who may not necessarily be affiliated with the originating website or application. The format is usually JSON, and the request is made as an HTTP POST. Because the receiving endpoint has to accept unsolicited POSTs from the Internet, a receiver should authenticate each delivery before acting on it, typically by checking an HMAC over the request body computed with a secret shared with the sender, and should treat the same delivery arriving twice as a replay.
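The sender and receiver halves of that check, as an added example that is not code from the quiz or from any webhook provider: the sender signs the raw JSON body with HMAC-SHA256, and the receiver recomputes the signature over the bytes it actually received, compares in constant time, and refuses a delivery ID it has already processed. The header names follow the GitHub style ("X-Hub-Signature-256" carrying "sha256=<hex>") plus a hypothetical "X-Delivery-Id"; the secret and payload are constructed.

```python
"""Authenticating webhook deliveries: HMAC-SHA256 over the raw body plus
replay rejection by delivery ID.

Added example, not code from the quiz or from any webhook provider.
Assumptions: GitHub-style signature header ("X-Hub-Signature-256" with value
"sha256=<hex>"), a hypothetical "X-Delivery-Id" header, and a constructed
secret and payload.
"""
import hashlib
import hmac
import json
from typing import Optional

SIGNATURE_HEADER = "X-Hub-Signature-256"  # GitHub-style; assumed for this example
DELIVERY_ID_HEADER = "X-Delivery-Id"      # hypothetical header name


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Receiver side. Recompute over the raw body (never over re-serialised JSON,
    which may not byte-match) and compare in constant time so a byte-by-byte
    comparison cannot leak the expected value through timing."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def handle_delivery(secret: bytes, headers: dict, body: bytes, seen_ids: set):
    """Verify, then de-duplicate, then parse. Returns (status, response_dict).
    Nothing in the body is trusted until the signature has checked out."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 401, {"error": "invalid signature"}
    delivery_id = headers.get(DELIVERY_ID_HEADER)
    if delivery_id is None:
        return 400, {"error": "missing delivery id"}
    if delivery_id in seen_ids:
        return 409, {"error": "replayed delivery"}
    seen_ids.add(delivery_id)
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    return 200, {"accepted": event.get("action")}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = json.dumps({"action": "release", "app": "inventory", "version": "2.4.1"}).encode()
    headers = {SIGNATURE_HEADER: sign_payload(secret, body), DELIVERY_ID_HEADER: "d-1001"}
    seen = set()
    print(handle_delivery(secret, headers, body, seen))      # 200, accepted
    print(handle_delivery(secret, headers, body, seen))      # 409, replay
    tampered = body.replace(b"2.4.1", b"2.4.2")
    print(handle_delivery(secret, headers, tampered, seen))  # 401, body no longer matches
```

In a real receiver the seen-ID set needs persistence and a retention window, and a timestamp in the signed material keeps an attacker from replaying a captured delivery after that window has expired; the signature alone proves only that the sender held the secret, not that the message is fresh.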
Question 10 of 65
10. Question
The attacker created a fake account on a dating site and wrote to John with an offer to get acquainted. Fake profile photos enthralled John, and he initiated a conversation with the attacker‘s fake account. After a few hours of communication, the attacker began asking about his company and eventually gathered all the essential information about the target company. What is the social engineering technique the attacker used in this scenario?
Correct
Honey trap: an attacker pretends to be an attractive person and fakes an online relationship in order to get sensitive information from the victim. NOTE: I chose this option instead of Baiting, since the question focuses on the charm of the photos and the fact that the attacker spent hours building rapport before starting to gather information. Incorrect answers: Piggybacking Tailgating, or "piggybacking", is an attack in which someone without proper authentication follows an authenticated employee into a restricted area. The attacker might impersonate a delivery driver and wait outside a building to get things started; when an employee gains security's approval and opens the door, the attacker asks the employee to hold it, thereby gaining access to the building. Tailgating does not work in all corporate settings, such as large companies whose entrances require the use of a keycard; in mid-size enterprises, however, attackers can strike up conversations with employees and use this show of familiarity to get past the front desk. Diversion theft Involves intercepting deliveries by persuading couriers to go to the wrong location. Online, it involves stealing confidential information by persuading victims to send it to the wrong recipient. Baiting As the name suggests, baiting involves luring an unsuspecting victim with a highly attractive offer that plays on fear, greed, or temptation to make them part with sensitive personal data such as log-in details. Like phishing, it uses fraudulent means to capture confidential details such as a password or banking PIN so the attacker can access business networks and systems, for example to install malware that executes ransomware.
Question 11 of 65
11. Question
The attacker is trying to deceive one of the employees of the target organization by making fake calls while posing as a legitimate employee. He has also sent phishing emails to steal the employee's credentials and further compromise his account. Which of the following techniques did the attacker use?
Correct
https://en.wikipedia.org/wiki/Social_engineering_(security) Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these "human hacking" scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. Attacks can happen online, in person, and via other interactions. Scams based on social engineering are built around how people think and act. As such, social engineering attacks are especially useful for manipulating a user's behavior: once an attacker understands what motivates a user's actions, they can deceive and manipulate the user effectively. Almost every type of cybersecurity attack contains some kind of social engineering. For example, the classic email and virus scams are laden with social overtones. Social engineering can reach you digitally through mobile attacks in addition to desktop devices, but you can just as easily be faced with a threat in person. These attacks can overlap and layer onto each other to create a scam. In the scenario above two of them are combined: the fake calls are vishing under a pretext (posing as a colleague), and the emails are phishing; both are social engineering, which is why that is the answer rather than any single technique. Here are some common methods used by social engineering attackers: · Phishing: attackers pretend to be a trusted institution or individual in an attempt to persuade you to expose personal data and other valuables. · Baiting abuses your natural curiosity to coax you into exposing yourself to an attacker. Typically, the prospect of something free or exclusive is the manipulation used to exploit you; the attack usually involves infecting you with malware. · Physical breaches involve attackers appearing in person, posing as someone legitimate to gain access to otherwise unauthorized areas or information. · Pretexting uses a deceptive identity as the "pretext" for establishing trust, such as directly impersonating a vendor or a facility employee. This approach requires the attacker to interact with you more proactively; the exploit follows once they've convinced you they are legitimate. · Tailgating, or piggybacking, is the act of trailing an authorized staff member into a restricted-access area. Attackers may play on social courtesy to get you to hold the door for them or convince you that they are also authorized to be in the area. Pretexting can play a role here too. · Quid pro quo is a term roughly meaning "a favor for a favor," which in the context of phishing means an exchange of your personal information for some reward or other compensation. Giveaways or offers to take part in research studies might expose you to this type of attack. Incorrect answers: Insider threat https://en.wikipedia.org/wiki/Insider_threat Insider threats are people, whether employees, former employees, contractors, business partners, or vendors, with legitimate access to an organization's networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. Password reuse https://en.wikipedia.org/wiki/Password#Password_reuse Credential reuse is a problem for many organizations. Users inundated with requirements to supply complex passwords to different systems often resort to reusing the same password across multiple accounts so that they can easily manage their credentials. This causes major security issues when those credentials are compromised: in a credential reuse attack, the attacker obtains valid credentials for one system and then tries the same credentials against other accounts and systems. Reverse engineering https://en.wikipedia.org/wiki/Reverse_engineering Reverse engineering is the act of dismantling an object to see how it works. It is done primarily to analyze and gain knowledge about the way something works, but is often used to duplicate or enhance the object. Security researchers reverse-engineer code to find security risks in programs; they also use the technique to understand malicious applications and disrupt them. But researchers aren't the only ones doing this: bad actors also look for software flaws through reverse engineering.
Question 12 of 65
12. Question
Which of the following commands verifies a user ID on an SMTP server?
Correct
RFC 821 https://www.ietf.org/rfc/rfc2821.txt
– VRFY This SMTP command is used to verify a user ID on a mail domain. It can be used to test for valid user IDs.
Incorrect answers:
– RCPT Must include a “TO:” parameter specifying the recipient mailbox, and may also incorporate other optional parameters. Specifies one recipient of the e-mail message being conveyed in the current transaction.
– NOOP NOOP is useful mainly in testing to avoid timeouts. This command does nothing and can generate only a successful response, with no change in state.
– EXPN This SMTP command asks for confirmation about the identification of a mailing list.
Question 13 of 65
13. Question
You are the head of the Network Administrators department. One of your subordinates uses SNMP to manage networked devices from a remote location. To manage network nodes, your subordinate uses a MIB, which contains formal descriptions of all network objects managed by SNMP. He accesses the contents of the MIB by using a web browser, either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib. You know that your subordinate can retrieve information from a MIB that contains object types for workstation and server services. Which of the following types of MIB will your subordinate use to retrieve information about object types for workstation and server services?
Correct
https://docs.microsoft.com/en-us/windows/win32/snmp/the-snmp-management-information-base-mib- A Management Information Base (MIB) describes a set of managed objects. An SNMP management console application can manipulate the objects on a specific computer if the SNMP service has an extension agent DLL that supports the MIB. Each managed object in a MIB has a unique identifier. The identifier includes the object’s type (such as counter, string, gauge, or address), the object’s access level (such as read or read/write), size restrictions, and range information.
LMMIB2.MIB – Contains object types for workstation and server services.
DHCP.MIB – Microsoft-defined MIB that contains object types for monitoring the network traffic between remote hosts and DHCP servers.
HOSTMIB.MIB – Contains object types for monitoring and managing host resources.
MIB_II.MIB – Contains the Management Information Base (MIB-II), which provides a simple, workable architecture and system for managing TCP/IP-based internets.
WINS.MIB – Microsoft-defined MIB for the Windows Internet Name Service (WINS).
Question 14 of 65
14. Question
Your organization uses LDAP for accessing distributed directory services. An attacker knowing this can try to take advantage of an automated tool to anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names to launch further attacks on your organization. Which of the following tools can an attacker use to gather information from the LDAP service?
Correct
http://jxplorer.org/ Lightweight Directory Access Protocol (LDAP) is a protocol for querying and modifying directory services. A directory comprises an indexed set of information set out in hierarchical format. LDAP directories usually use DNS names for their structured formatting. Querying via LDAP can allow the tester to enumerate a great deal of information and can yield valid usernames with anonymous access and no credentials required. There are a number of command-line tools for this; JXplorer, however, gives the tester a graphical user interface for querying remote LDAP servers. JXplorer is a free general-purpose LDAP browser that can be used to read and search any LDAP directory, or any X.500 directory with an LDAP interface. JXplorer’s features include:
– Standard LDAP operations: add/delete/copy/modify
– Complex operations: tree copy and tree delete
– Optional GUI-based search filter construction
– SSL and SASL authentication
– Pluggable editors/viewers
– Pluggable security providers
– HTML templates/forms for data display
– Full i18n support
– LDIF file format support
– DSML support
It is available for Windows, Mac, Linux and Solaris from jxplorer.org.
Question 15 of 65
15. Question
Identify the attack technique by description: The attacker gains unauthorized access to the target network, remains there without being detected for a long time, and obtains sensitive information without sabotaging the organization.
Correct
https://en.wikipedia.org/wiki/Advanced_persistent_threat An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.
Incorrect answers:
Insider threat https://en.wikipedia.org/wiki/Insider_threat Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information. NOTE: Interestingly, this may well be the correct answer to the question. John can be a turncloak. It is an insider who is maliciously stealing data. In most cases, it’s an employee or contractor – someone who is supposed to be on the network and has legitimate credentials but is abusing their access for fun or profit.
Diversion theft This is a con game, whereby attackers persuade delivery and transport companies that their deliveries and services are requested elsewhere. There are some advantages of getting the consignments of a certain company—the attackers can physically dress as the legitimate delivery agent and proceed to deliver already-flawed products. They might have installed rootkits or some spying hardware that will go undetected in the delivered products. NOTE: And this option fits as the correct answer. Or rather, as part of it. Part of the attack that John performs to achieve the goal. You see, I don’t like new questions, they are too straightforward, you will never meet this in real work, I don’t agree to admit that the correct answer is the one that better fits the definition in Wikipedia, but this is just my humble opinion.
Spear-phishing sites NOTE: I have not met such a definition, but probably the EC-Council means the following: Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer. This is how it works: An email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get victims’ attention.
Question 16 of 65
16. Question
Your organization conducts a vulnerability assessment for mitigating threats. Your task is to scan the organization by building an inventory of the protocols found on the organization’s machines to detect which ports are attached to services such as a web server, an email server or a database server. After this, you will need to select the vulnerabilities on each machine and start executing only the relevant tests. Which of the following types of vulnerability assessment solution will you perform?
Correct
With inference-based assessment, the scanning process begins by gathering information based on discovery methods, including host identification, operating system detection and fingerprinting, port scanning, and protocol detection. Information obtained through discovery enables the scanning engine to determine which ports are attached to services, such as Web servers, databases, and e-mail servers. After the intelligence-gathering phase, the scanning engine intelligently selects and runs appropriate vulnerability checks for the scan. Only vulnerabilities that could be present on each machine’s configuration will be tested. Inference-based scanning is an expert systems approach that learns information about a system in the same fashion that a hacker would. Inference-based assessment systems integrate new knowledge as it is discovered. This knowledge is used to build intelligence on the machine in real-time and run precisely the tests that are likely to produce results. Therefore, this approach is more efficient, imposes less load on the machine, and maximizes vulnerability discovery while minimizing false positives and false negatives.
Incorrect answers:
Companies can choose from several approaches to vulnerability assessment: manual testing using software-based products, consultants’ penetration testing, and externally hosted self-service automated solutions. There are two categories of vulnerability assessment solutions: product-based and service-based:
– Product-based solutions Product-based solutions are installed on the enterprise’s internal network and are generally manually operated. The drawback of the product-based approach to network vulnerability assessment is that it fails to deliver an outside view of its weaknesses. The product must be installed on either the non-routable or private portion of an enterprise network or on its openly Internet-addressable portion.
– Service-based solutions Third parties offer service-based solutions. Some service-based solutions are network hosted, while others are externally hosted. The latter type of solution mimics the perspective of a hacker to audit a network at its perimeter. That is, the assessment is initiated from the hacker’s point of view: from the outside, looking in. Service-based solutions are offered both by outside consultants and by providers of automated security audits, such as Qualys. Third-party audits should also include the capability to assess the security of internal networks inside the firewall perimeter. To securely detect internal weaknesses, service-based solutions utilize hardened appliances to test within the corporate firewall accurately. Combining external and internal information gives organizations a 360-degree view of all potential threats.
Whether product-based or service-based, vulnerability assessment tools employ either tree-based or inference-based assessment technology:
– Tree-based assessment Early vulnerability assessment technologies relied on lists, or trees, of vulnerabilities to test against a server or device. Administrators provided the intelligence by selecting the trees appropriate for each machine—for example, the trees for a server running Windows, Web services, and a database. This approach to vulnerability assessment relies on administrators to provide an initial shot of intelligence, and then the scan continues blindly, without incorporating any information discovered during the scan.
Question 17 of 65
17. Question
Which of the following algorithms uses a 64-bit block size that is encrypted three times with 56-bit keys?
Correct
https://en.wikipedia.org/wiki/Triple_DES Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. However, an adapted version of DES, Triple DES (3DES), uses the same algorithm to produce a more secure encryption. While the government and industry standards abbreviate the algorithm's name as TDES (Triple DES) and TDEA (Triple Data Encryption Algorithm), RFC 1851 referred to it as 3DES from the time it first promulgated the idea, and this name has since come into wide use by most vendors, users, and cryptographers.
Incorrect answers:
– IDEA https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm The International Data Encryption Algorithm (IDEA) operates on 64-bit blocks using a 128-bit key and consists of a series of 8 identical transformations (a round) and an output transformation (the half-round).
– AES https://en.wikipedia.org/wiki/Advanced_Encryption_Standard The Advanced Encryption Standard (AES) is a variant of Rijndael, with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.
– DES https://en.wikipedia.org/wiki/Data_Encryption_Standard The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data, with a fixed block size of 64 bits, and a key size of 56 bits. NOTE: The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity and are thereafter discarded. Hence the effective key length is 56 bits.
Question 18 of 65
18. Question
Which of the following SQLi types leverages a database server's ability to make DNS requests to pass data to an attacker?
Correct
https://en.wikipedia.org/wiki/SQL_injection Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results. Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable). Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, as well as Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
Incorrect answers:
– In-band SQLi: In-band SQL injection is the most common and easy-to-exploit of SQL injection attacks. In-band SQL injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.
– Union-based SQLi: Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
– Time-based blind SQLi: Time-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time indicates to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer whether the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
Question 19 of 65
19. Question
An attacker gained access to a Linux host and stole the password file /etc/passwd. Which of the following scenarios best describes what an attacker can do with this file?
Correct
https://en.wikipedia.org/wiki/Passwd#Password_file The /etc/passwd file is a text-based database of information about users that may log into the system, or other operating system user identities that own running processes. In many operating systems this file is just one of many possible back-ends for the more general passwd name service. The file's name originates from one of its initial functions, as it contained the data used to verify passwords of user accounts. However, on modern Unix systems the security-sensitive password information is instead often stored in a different file using shadow passwords, or in other database implementations. The /etc/passwd file typically has file system permissions that allow it to be readable by all users of the system (world-readable), although it may only be modified by the superuser or by using a few special-purpose privileged commands. The /etc/passwd file is a text file with one record per line, each describing a user account. Each record consists of seven fields separated by colons. The ordering of the records within the file is generally unimportant.
Question 20 of 65
20. Question
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. Rootkits are classified according to where they are injected. What type of rootkit loads itself underneath the computer's operating system and can intercept hardware calls made by the original operating system?
Correct
https://en.wikipedia.org/wiki/Rootkit#Hypervisor_level A hypervisor rootkit takes advantage of hardware virtualization and is installed between the hardware and the kernel, acting as the real hardware. Hence, it can intercept the communication/requests between the hardware and the host operating system. Common detection applications that run in user or kernel mode are not effective in this case, as the kernel may not know whether it is executing on the legitimate hardware.
Incorrect answers:
– Kernel mode rootkits https://en.wikipedia.org/wiki/Rootkit#Kernel_mode The kernel is the core of the operating system, and kernel-level rootkits are created by adding additional code or replacing portions of the core operating system with modified code via device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel-level rootkits can have a serious effect on the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect because they have the same privileges as the operating system, and therefore they can intercept or subvert operating system operations.
– Application rootkit: Simple rootkits run in user mode and are called user-mode rootkits. Such rootkits modify processes, network connections, files, events and system services. It is the only type of rootkit that could be detected by a common antivirus application.
– Memory rootkit: This type of rootkit hides in the computer's RAM. These rootkits carry out harmful activities in the background and have a short lifespan. They only live in the computer's RAM and disappear after a system reboot.
Question 21 of 65
21. Question
Alex, a network administrator, received a warning from an IDS about a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. Now Alex needs to determine whether these packets are genuinely malicious or simply a false positive. Which of the following types of network tools will he use?
Correct
Explanation: A network protocol analyzer is a tool used to monitor data traffic and analyze captured signals as they travel across communication channels. Sometimes network protocol analyzers are standalone hardware devices through which all network traffic is routed, and in other cases they are software applications installed on specific workstations or networks to provide an added layer of security. In addition, network protocol analyzers can be paired with firewalls and antivirus programs for a strong line of defense against network intrusions. The most widely used network protocol analyzer is Wireshark; for example, it can analyze information from PCAP files. https://www.wireshark.org/
Incorrect answers:
– Intrusion Prevention System (IPS) https://en.wikipedia.org/wiki/Intrusion_detection_system Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it.
– Host-based intrusion prevention system (HIPS) https://en.wikipedia.org/wiki/Intrusion_detection_system Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
– Vulnerability scanner https://en.wikipedia.org/wiki/Vulnerability_scanner A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. In plain words, these scanners are used to discover the weaknesses of a given system. They are utilized in the identification and detection of vulnerabilities arising from misconfigurations or flawed programming within a network-based asset such as a firewall, router, web server, application server, etc. Modern vulnerability scanners allow for both authenticated and unauthenticated scans. Modern scanners are typically available as SaaS (Software as a Service), provided over the internet and delivered as a web application. The modern vulnerability scanner often has the ability to customize vulnerability reports, and the installed software, open ports, certificates and other host information can be queried as part of its workflow.
Question 22 of 65
22. Question
Which of the following is a component of IPsec that performs protocol-level functions required to encrypt and decrypt the packets?
Correct
This question is based on the information provided in the EC-Council's courseware: IPsec driver: Software that performs protocol-level functions required to encrypt and decrypt packets.
Question 23 of 65
23. Question
Which mode of a NIC (interface) allows you to intercept and read each network packet that arrives in its entirety?
Correct
https://en.wikipedia.org/wiki/Promiscuous_mode Promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing on a router or on a computer connected to a wired network or participating in a wireless LAN. Interfaces are placed into promiscuous mode by software bridges often used with hardware virtualization.
Incorrect answers:
– Port forwarding https://en.wikipedia.org/wiki/Port_forwarding Port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network) by remapping the destination IP address and port number of the communication to an internal host.
– Multicast https://en.wikipedia.org/wiki/Multicast Multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. Multicast can be one-to-many or many-to-many distribution. Multicast should not be confused with physical layer point-to-multipoint communication.
– Simplex Mode https://en.wikipedia.org/wiki/Simplex_communication The concept refers to the communication channel type in which data can flow only in one direction, i.e., the communication is unidirectional. Data transmission mode defines the direction of the flow of information between two communication devices. This is not directly related to the topic of the exam and is added to confuse you.
Question 24 of 65
24. Question
Due to a network slowdown, the IT department decided to monitor the Internet traffic of all employees to track down a possible cause, but they can't do it immediately. Which of the following makes this kind of measure troublesome from a legal point of view?
Correct
Workplace monitoring is subject to various federal and state constitutional provisions and laws regarding when employees have a right to privacy and if and when they must be notified that they are being monitored. From a legal perspective, disclosing surveillance is the smartest tactic. Letting employees know that they will be monitored removes employees' reasonable expectation of privacy—the element that often forms the basis for invasion-of-privacy lawsuits arising under common law. The two main restrictions on workplace monitoring are the Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. Section 2511 et seq.) and common-law protection against invasion of privacy. The ECPA is the only federal law that directly governs the monitoring of electronic communications in the workplace. Congress passed it in 1986 as an amendment to the federal Wiretap Act. Whereas the Wiretap Act restricted only the interception and monitoring of oral and wire communications, the ECPA extended those restrictions to electronic communications such as e-mail. At first glance, the ECPA appears to prohibit an employer from intentionally intercepting its employees' oral, wire, and electronic communications. However, the ECPA contains several exceptions to this prohibition, and two of these exceptions are of particular importance to employers. The first is commonly known as the business purpose exception, which permits employers to monitor oral and electronic communications as long as the company can show a legitimate business purpose for doing so. The second is the consent exception, which allows employers to monitor employee communications provided that they have their employees' consent to do so. An important and often overlooked distinction between the two exceptions is that the consent exception is not limited to business communications, and, therefore, a company arguably can monitor personal electronic communications if it can show employee consent.
In addition to these two exceptions, the ECPA contains a loophole that may limit employer liability for certain methods of monitoring. The act's definition of "electronic communications" expressly applies to the transmission of such communications and does not include such communications' electronic storage. Therefore, courts have distinguished between monitoring electronic communications such as e-mail messages while they are being transmitted versus viewing e-mails while they are in storage. Viewing stored e-mail is similar to searching through an employee's papers and files. Several courts confronting this issue have found that monitoring electronic communications after transmission does not run afoul of the ECPA. The Stored Communications Act (SCA) is part of the ECPA and prohibits an entity providing an electronic communication service to the public from knowingly divulging electronic communication contents. It applies only to communications in which the employee had a reasonable expectation of privacy. When an employer makes it clear that certain communications are not protected, the SCA likely will not apply. The ECPA merely sets the minimum restrictions on employee monitoring; individual states are free to impose greater limitations, and many have done so. For instance, in Connecticut, employers that monitor must provide employees advance written notice that specifies the types of monitoring methods used. In addition, several state constitutions, including those of California, Florida, Louisiana, and South Carolina, expressly guarantee citizens a right to privacy.
An explicit declaration of privacy in a state constitution may give employees heightened expectations of privacy, and employers in such states are wise to take additional steps to diminish employees' privacy expectations with respect to electronic information and communication in the workplace.
Question 25 of 65
25. Question
Alex, an employee of a law firm, receives an email with an attachment "Court_Notice_09082020.zip". Inside the archive is a file "Court_Notice_09082020.zip.exe". Alex does not notice that this is an executable file and runs it. After that, a window appears with the notification "This word document is corrupt" while, in the background, the malware copies data to the APPDATA\local directory and begins to beacon to a C2 server to download additional malicious binaries. What type of malware has Alex encountered?
Correct
https://en.wikipedia.org/wiki/Trojan_horse_(computing) A Trojan horse (or simply trojan) is any malware which misleads users as to its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear unsuspicious (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. Trojans may allow an attacker to access users' personal information such as banking information, passwords, or personal identity. They can also delete a user's files or infect other devices connected to the network. Ransomware attacks are often carried out using a trojan. Unlike computer viruses, worms, and rogue security software, trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.
Incorrect answers:
Worm https://en.wikipedia.org/wiki/Computer_worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use a recursive method to copy themselves without a host program and distribute themselves based on the law of exponential growth, controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Macro Virus https://en.wikipedia.org/wiki/Macro_virus A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office (Excel, PowerPoint), allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus' behavior can still be difficult to detect.
Key-Logger https://en.wikipedia.org/wiki/Keystroke_logging Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware. While the programs themselves are legal, with many of them being designed to allow employers to oversee the use of their computers, keyloggers are most often used for stealing passwords and other confidential information. Keylogging can also be used to study keystroke dynamics or human-computer interaction. Numerous keylogging methods exist; they range from hardware- and software-based approaches to acoustic cryptanalysis.
Question 26 of 65
26. Question
Implementing the security testing process early in the SDLC is the key to finding and fixing security bugs early in the lifecycle. The security testing process can be performed in two ways: automated or manual web application security testing. Which of the proposed statements is true?
Correct
In using both automated and manual testing approaches, it is important to identify all possible attack surfaces, as a malicious attacker may only need one vulnerability to obtain unauthorized access to your sensitive information. Penetration testing companies often rely on a variety of automated and manual testing approaches, but it is best to understand each to achieve the greatest coverage.
Automated Tools
Speed: Automated tools work at a much faster rate, by an order of magnitude. It is much more difficult to test each component, service, and protocol manually with the same speed that a machine or script can.
Coverage: Capable of covering larger attack surfaces with more ease by crawling web applications to identify potential attack inputs, especially "low hanging fruit" and technical vulnerabilities. Manual testing would require a large amount of time and skill to guarantee the same coverage and comparison against known vulnerabilities. It is difficult for automated tools to accurately test in-house web applications and services, which can result in missed logical vulnerabilities.
Efficiency: The processing capabilities of a machine are excellent. Automated tools can initialize and execute a large number of payloads for each test, but may not execute the payloads correctly for each scenario. Usually they fuzz the application with multiple payloads and then wait for a reaction.
Qualifications: Automated tools have gone through intensive product testing for reliability and validity, especially professional versions. Manual testing skill is based solely on the individual pen tester's expertise and experience.
Reporting: Reports can be created easily and quickly. They usually have graphical features such as charts for effective visual data comprehension, but can be generic output that is not capable of describing how the finding was validated.
Investment: Open source tools and vulnerability scanners are usually free, but lack support or warranty. Professional licensing for vulnerability scanners and other automated tools can range dramatically in cost.
Manual Approach
Effectiveness: Automation alone cannot ensure that an application is thoroughly tested from a security perspective. Automated tools are poor at testing for logical vulnerabilities. Logical vulnerabilities require an understanding of the scope and flow of the application to identify any security issues. Certain findings, for example CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, need an experienced certified security professional to exploit and validate all potential security scenarios.
Validity: Automated tool results usually contain a large number of false positives and negatives (30% to 90% depending on methodology and product) that can create a false sense of security or of a lack of security. These inaccuracies exist due to the limits of tool capabilities. It is the responsibility of the manual tester running the automated tool to validate the results and identify the true security findings.
Accuracy: Automated tools are only as reliable as their updates. If a new vulnerability or exploit has been introduced into the environment without a known category (i.e. zero-day), it is impossible for the automated tools to discover and identify the security threat. In manual testing, it is possible for the tester to create their own exploit depending on the situation and vulnerability. This allows the execution of a comprehensive testing methodology covering what automated tools will overlook and fail to detect.
Custom Reporting: Once the penetration test is complete, the tester is capable of creating a comprehensive report that is as individual as the test results. At its most basic level, it will describe the vulnerabilities found, exploits used, data collected, risk rating, supportive evidence, affected assets, and mitigation recommendations. These reports are fine-tuned to the needs of the client so they gain the greatest security understanding of their infrastructure, application, or device.
Investment: The cost of manual testing depends on the scope and size of the engagement. In most penetration testing engagements, the cost and licensing of additional automated tools are covered under the negotiated penetration test contract unless special requirements call for installation of additional devices. In comparison, the cost of a data breach is growing exponentially as shown in current studies.
Question 27 of 65
27. Question
Maria, the leader of the Blue Team, wants to use network traffic analysis to implement the ability to detect an intrusion in her network of several hosts quickly. Which tool is best suited to perform this task?
Correct
https://en.wikipedia.org/wiki/Intrusion_detection_system#Network_intrusion_detection_systems
Correct answer: NIDS, because a network-wide detection system is required for large network environments. HIDS can meet such requirements only in conjunction with NIDS.
Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS analyzes the traffic passing on the entire subnet and matches it against a library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator.
Incorrect answers:
HIDS https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces.
Firewall https://en.wikipedia.org/wiki/Firewall_(computing) A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.
Honeypot https://en.wikipedia.org/wiki/Honeypot_(computing) A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site and seems to contain information or a resource of value to attackers, but is actually isolated and monitored, which enables blocking or analyzing the attackers.
Question 28 of 65
28. Question
You need to identify the OS of the target host. You want to use the Unicornscan tool to do this.
As a result of using the tool, you got the TTL value and determined that the target system is running a Windows OS.
Which of the following TTL values did you get when using the program?
Question 29 of 65
29. Question
Imagine the following scenario:
The hacker monitored and intercepted already established traffic between the victim and a host machine to predict the victim‘s ISN. The hacker sent spoofed packets with the victim‘s IP address to the host machine using the ISN. After this manipulation, the host machine responded with a packet having an incremented ISN. The victim‘s connection was interrupted, and the hacker was able to connect with the host machine on behalf of the victim.
Which of the following attacks did the hacker perform?
Correct
https://en.wikipedia.org/wiki/Session_hijacking
TCP/IP hijacking is when an unauthorized user gains access to a genuine network connection of another user. It is done in order to bypass the password authentication which is normally the start of a session.
In theory, a TCP/IP connection is established as shown below.
To hijack this connection, there are two possibilities:
– Find the seq, a number that increases by 1, but there is no chance to predict it.
– The second possibility is to use the Man-in-the-Middle attack which, in simple words, is a type of network sniffing. For sniffing, we use tools like Wireshark or Ettercap.
ADDITION: There is no difference between the SEQ in the picture and the ISN in the question; the question was just trying to confuse a little.
The initial sequence number (ISN) refers to the unique 32-bit sequence number assigned to each new connection in Transmission Control Protocol (TCP)-based data communication. It helps with the allocation of a sequence number that does not conflict with other data bytes transmitted over a TCP connection. An ISN is unique to each connection and separate for each device.
Question 30 of 65
30. Question
According to the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, which of the following ranges is Medium?
Correct
https://www.first.org/cvss/v3.1/specification-document
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Question 31 of 65
31. Question
Your company has decided to purchase a subscription to a cloud-hosted solution. After purchasing this solution, the only administrative task of your employees will be the management of user accounts. The provider will cover all hardware, operating system, and software administration (including patching and monitoring).
Which of the following is this type of solution?
Correct
Infrastructure as a Service (IaaS) – IaaS allows you to purchase computer hardware, storage devices, and networking services from a third party rather than buying this infrastructure outright. You can then install the operating systems and applications you desire and scale the infrastructure up or down depending on your processing and storage needs. This allows users to retain control of their computer infrastructure in a cost-effective manner.
Platform as a Service (PaaS) – PaaS provides a platform for software developers to build their applications. PaaS providers manage the infrastructure, the operating systems, software updates, and storage requirements, saving the developers time.
Software as a Service (SaaS) – SaaS applications move the infrastructure, platform, and all support for the application and its data to a third-party hosting provider. This eliminates the need for IT staff to manage the network, infrastructure, hardware and software, OS, backups, and security. Instead, all these tasks are handled by the hosting provider. The SaaS user simply accesses the application via the web, typically requiring only the use of a standard browser.
Containers as a Service (CaaS) – CaaS is a cloud service that allows software developers and IT departments to upload, organize, run, scale, manage and stop containers by using container-based virtualization. A CaaS provider will commonly provide a framework which allows users to make use of the service. Providers typically make use of application programming interface (API) calls or a web portal interface.
Question 32 of 65
32. Question
Which of the following AAA protocols can be used to authenticate users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network?
Correct
https://en.wikipedia.org/wiki/RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.
RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.
Authentication and authorization
The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol—for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.
In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user‘s physical point of attachment to the NAS.
The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user‘s proof of identification is verified, along with, optionally, other information related to the request, such as the user‘s network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user‘s information against a locally stored flat-file database. Modern RADIUS servers can do this or can refer to external sources (commonly SQL, Kerberos, LDAP, or Active Directory servers) to verify the user‘s credentials.
The RADIUS server then returns one of three responses to the NAS:
1) Access-Reject,
2) Access-Challenge,
3) Access-Accept.
Access-Reject
The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
Access-Challenge
Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the NAS.
Access-Accept
The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company‘s wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.
Question 33 of 65
33. Question
After scanning the ports on the target machine, you see a list of open ports, which seems unusual to you:
Starting NMAP 5.21 at 2019-06-18 12:32
NMAP scan report for 172.19.40.112
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:00:5D:3F:EE:92
Based on the NMAP output, what is this host most likely?
Question 34 of 65
34. Question
You need to assess the system used by your employee. During the assessment, you found that compromise was possible through user directories, registries, and other system parameters. You also discovered vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. Which of the following types of vulnerability assessment did you conduct?
Correct
According to the EC-Council’s study guide: Host-based assessments are a type of security check that involves conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. Host-based assessments use many commercial and open-source scanning tools.
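A minimal version of the configuration-level check the study guide describes, as an added example that is not from the EC-Council text or any scanner: it audits file permissions under a root directory against a constructed baseline, flagging world-writable files, unexpected setuid/setgid bits and files more permissive than the baseline allows (the baseline paths and modes are constructed, modelled on common Linux hardening guides).

```python
"""Added example, not from the EC-Council text: a minimal host-based
configuration check that audits file permissions under a root directory
against a constructed baseline."""
import os
import stat
import tempfile

# Constructed baseline: maximum permission bits allowed for sensitive files,
# keyed by path relative to the audited root (mirrors common Linux baselines).
BASELINE = {
    "etc/shadow": 0o640,
    "etc/sudoers": 0o440,
    "etc/ssh/sshd_config": 0o644,
}


def audit_permissions(root, baseline=BASELINE):
    """Walk `root` and return (relative_path, finding, mode) tuples for
    world-writable files, setuid/setgid files and baseline violations."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; a real scanner would log this
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(mode)))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set", oct(mode)))
            allowed = baseline.get(rel)
            if allowed is not None and mode & ~allowed:
                findings.append((rel, "exceeds baseline %s" % oct(allowed), oct(mode)))
    return findings


def build_fixture():
    """Create a constructed mini filesystem with one clean and three
    misconfigured files; returns its root directory."""
    root = tempfile.mkdtemp(prefix="hostcheck-")
    layout = {
        "etc/shadow": 0o644,             # readable by everyone: baseline violation
        "etc/sudoers": 0o440,            # correct
        "etc/ssh/sshd_config": 0o666,    # world-writable and over baseline
        "usr/local/bin/helper": 0o4755,  # unexpected setuid binary
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, finding, mode in audit_permissions(build_fixture()):
        print(f"{rel}: {finding} (mode {mode})")
```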
Question 35 of 65
35. Question
Identify the footprinting technique by description: Using this technique, an attacker can gather domain information such as the target domain name, contact details of its owner, expiry date, and creation date. Using this information, an attacker can also create a map of the organization’s network and mislead domain owners with social engineering to obtain internal details of its network.
Correct
https://en.wikipedia.org/wiki/Footprinting
Footprinting (also known as reconnaissance) is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies. This information is very useful to a hacker who is trying to crack a whole system. There are two types of Footprinting that can be used: active Footprinting and passive Footprinting:
– Active Footprinting is the process of using tools and techniques, such as performing a ping sweep or using the traceroute command, to gather information on a target. Active Footprinting can trigger a target’s Intrusion Detection System (IDS) and may be logged, and thus requires a level of stealth to do successfully.
– Passive Footprinting is the process of gathering information on a target by innocuous or passive means. Browsing the target’s website, visiting social media profiles of employees, searching for the website on WHOIS, and performing a Google search of the target are all ways of passive Footprinting. Passive Footprinting is the stealthier method since it will not trigger a target’s IDS or otherwise alert the target of information being gathered.
https://en.wikipedia.org/wiki/WHOIS
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The current iteration of the WHOIS protocol was drafted by the Internet Society, and is documented in RFC 3912.
Question 36 of 65
36. Question
Which of the following is a piece of hardware on a motherboard that generates encryption keys and only releases a part of the key so that decrypting a disk on a new piece of hardware is impossible?
Correct
https://securityboulevard.com/2020/10/what-is-a-tpm/ A TPM, also known as a Trusted Platform Module, is an international standard for a secure cryptoprocessor and is a chip found on the computer’s motherboard. The function of a TPM is to generate encryption keys and keep a part of the key inside the TPM rather than all on the disk. This is helpful for when an attacker steals the disk and tries to access the contents elsewhere. The TPM provides hardware-based authentication so if the would-be attacker were to try and remove the chip and place it onto another motherboard, or try to tamper with the motherboard to bypass the encryption, it would deny access.
Question 37 of 65
37. Question
During testing execution, you established a connection with your computer using the SMB service and entered your login and password in plaintext. After the testing is completed, you need to delete the data about the login and password you entered so that no one can use it. Which of the following files do you need to clear?
Correct
.bash_history – a file created by Bash, a Unix-based shell program commonly used on Mac OS X and Linux operating systems; it stores a history of user commands entered at the command prompt and is used for viewing old commands that have been executed. History expansions introduce words from the history list into the input stream, making it easy to repeat commands, insert the arguments of a previous command into the current input line, or fix errors in previous commands quickly. You may pass sensitive information such as passwords on the command line, and it is stored in the shell history file.
history -c clears your history in the current shell. That’s enough (but overkill) if you’ve just typed your password and haven’t exited that shell or saved its history explicitly. When you exit bash, the history is saved to the history file, which by default is .bash_history in your home directory. More precisely, the history created during the current session is appended to the file; entries that are already present are unaffected.
Instead of removing all your history entries, you can open .bash_history in an editor and remove the lines you don’t want to keep. You can also do that inside bash, less conveniently, by using history to display all the entries, then history -d to delete the entries you don’t want, and finally history -w to save. Note that if you have multiple running bash instances that have read the password, each of them might save it again. Before definitively purging the password from the history file, make sure that it is purged from all running shell instances.
Even after you’ve edited the history file, it’s possible that your password is still present somewhere on the disk from an earlier version of the file. It can’t be retrieved through the filesystem anymore, but it might still be possible (but probably not easy) to find it by accessing the disk directly. If you use this password elsewhere and your disk gets stolen (or someone gets access to the disk), this could be a problem.
Question 38 of 65
38. Question
Identify the exploit framework whose capabilities include automated attacks on services, ports, applications and unpatched security flaws?
Correct
https://en.wikipedia.org/wiki/Metasploit_Project
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.
The basic steps for exploiting a system using the Framework include:
1. Optionally checking whether the intended target system is vulnerable to an exploit.
2. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and macOS systems are included).
3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server). Metasploit often recommends a payload that should work.
4. Choosing the encoding technique so that hexadecimal opcodes known as “bad characters” are removed from the payload; these characters would cause the exploit to fail.
5. Executing the exploit.
This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.
Incorrect answers:
Maltego
https://en.wikipedia.org/wiki/Maltego
Maltego is software used for open-source intelligence and forensics, developed by Paterva from Pretoria, South Africa. Maltego focuses on providing a library of transforms for discovery of data from open sources, and visualizing that information in a graph format, suitable for link analysis and data mining. Maltego permits creating custom entities, allowing it to represent any type of information in addition to the basic entity types which are part of the software. The basic focus of the application is analyzing real-world relationships (Social Networks, OSINT APIs, Self-hosted Private Data and Computer Networks Nodes) between people, groups, Webpages, domains, networks, internet infrastructure, and social media affiliations. Maltego extends its data reach with integrations from various data partners. Among its data sources are DNS records, whois records, search engines, social networking services, various APIs and various metadata.
Wireshark
https://ru.wikipedia.org/wiki/Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License version 2 or any later version.
Nessus
https://en.wikipedia.org/wiki/Nessus_(software)
Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. Examples of vulnerabilities and exposures Nessus can scan for include:
– Vulnerabilities that could allow unauthorized control or access to sensitive data on a system.
– Misconfiguration (e.g. open mail relay, missing patches, etc.).
– Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
– Denial of service vulnerabilities.
Question 39 of 65
39. Question
Which of the following online tools allows attackers to gather information related to the model of the IoT device and the certifications granted to it?
Correct
https://en.wikipedia.org/wiki/FCC_mark
An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission. For legal sale of wireless devices in the US, manufacturers must:
· Have the device evaluated by an independent lab to ensure it conforms to FCC standards
· Provide documentation to the FCC of the lab results
· Provide User Manuals, Documentation, and Photos relating to the device
· Digitally or physically label the device with the unique identifier provided by the FCC (upon approved application)
The FCC gets its authority from Title 47 of the Code of Federal Regulations (47 CFR). FCC IDs are required for all wireless emitting devices sold in the USA. By searching an FCC ID, you can find details on the wireless operating frequency (including strength), photos of the device, user manuals for the device, and SAR reports on the wireless emissions.
Question 40 of 65
40. Question
You need to send an email containing confidential information. Your colleague advises you to use PGP to be sure that the data will be safe. What should you use to communicate correctly using this type of encryption?
Correct
https://en.wikipedia.org/wiki/Pretty_Good_Privacy Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions, and to increase the security of e-mail communications. PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. https://en.wikipedia.org/wiki/Public-key_cryptography Public-key encryption uses two different keys. One key is used to encrypt the information and the other is used to decrypt it. This is also called asymmetric encryption because two keys are required to make the system work securely. One key is known as the public key and should be shared by the owner with anyone who will be communicating securely with the key owner. The owner's other key is kept secret and is called the private key. If the private key is shared with unauthorized recipients, the encryption mechanisms protecting the information must be considered compromised. In practice this means: to send confidential mail you encrypt with the recipient's public key (only the recipient's private key can decrypt it), and you sign with your own private key so that the recipient can verify the signature with your public key. Your own public key encrypts nothing that the recipient could read, and sending your private key defeats the scheme entirely.
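The key roles described above, as an added example (not code from the quiz, from the references it links, or from any PGP implementation): a PGP-style hybrid envelope built from Go's standard library, in the same order the text gives (hash and sign, compress, symmetric-encrypt with a one-time session key, wrap the session key with public-key encryption). The message format, the AES-256-GCM choice and the RSA-OAEP/PSS parameters are assumptions for the demonstration; real PGP uses the OpenPGP packet format, not this struct.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is a constructed stand-in for a PGP message: the session key wrapped with the
// recipient's public key, the compressed plaintext under AES-256-GCM, and a signature
// made with the sender's private key over the plaintext hash.
type Envelope struct {
	WrappedKey, Nonce, Body, Signature []byte
}

// Seal is the sender's side. It needs exactly two keys: the RECIPIENT's public key
// (to wrap the session key) and the SENDER's own private key (to sign).
func Seal(plain []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	digest := sha256.Sum256(plain) // hash first, then sign the hash
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	var zbuf bytes.Buffer // compress before encrypting, in PGP's order
	zw := zlib.NewWriter(&zbuf)
	zw.Write(plain)
	zw.Close()
	keyNonce := make([]byte, 32+12) // fresh random session key and nonce for this message only
	if _, err := io.ReadFull(rand.Reader, keyNonce); err != nil {
		return nil, err
	}
	key, nonce := keyNonce[:32], keyNonce[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	body := gcm.Seal(nil, nonce, zbuf.Bytes(), nil)
	// Only the holder of the matching private key can unwrap the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, body, sig}, nil
}

// Open is the recipient's side: unwrap with the RECIPIENT's private key, decrypt,
// decompress, then verify the signature with the SENDER's public key.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	z, err := gcm.Open(nil, e.Nonce, e.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt body: %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	plain, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plain)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], e.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return plain, nil
}

// Roundtrip generates a key pair per party, sends msg, and first checks that a
// third party's private key cannot open what was wrapped for the recipient.
func Roundtrip(msg string) (string, error) {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal([]byte(msg), &recipient.PublicKey, sender)
	if err != nil {
		return "", err
	}
	if _, err := Open(env, stranger, &sender.PublicKey); err == nil {
		return "", fmt.Errorf("a key other than the recipient's opened the message")
	}
	plain, err := Open(env, recipient, &sender.PublicKey)
	return string(plain), err
}

func main() {
	fmt.Println(Roundtrip("quarterly numbers, confidential"))
}
```

Seal never touches the recipient's private key and Open never touches the sender's private key; that is the whole answer to the question. Note also that the signature is made before compression and encryption, so a recipient who cannot verify it should not trust the content even though it decrypted cleanly.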
Question 41 of 65
41. Question
You must discover all the active devices hidden by a restrictive firewall in the IPv4 range in a target network. Which of the following host discovery techniques will you use?
Correct
Discovering hosts with ARP ping scans. Address Resolution Protocol (ARP) is used by hosts on a network to resolve IP addresses into Media Access Control (MAC) addresses, which can be thought of as a network interface's unique serial number. Hosts on an Ethernet network use MAC addresses rather than IP addresses to communicate. When a host tries to create a connection to another host on the same subnet, it first needs to obtain the second host's MAC address. To do so, Host A sends an ARP request to the broadcast address of the subnet it is connected to. Every host on the subnet receives this broadcast, and the host with the IP address in question (Host B) sends an ARP reply back to Host A with its MAC address. After receiving the ARP reply from Host B, Host A can connect to Host B. ARP is required for an Ethernet network to function properly, so it typically is not blocked by a host firewall. If ARP requests were blocked, no host would be able to "find" a computer on the network and connect to it; for all intents and purposes the system would be unplugged from the network. Thus by sending an ARP request you are virtually guaranteed to get a reply from a live host, even one that silently drops ICMP echo and TCP/UDP probes. One drawback of using ARP to ping a host is that ARP is not a routed protocol. If you are not on the same subnet as the host you are trying to reach, this method will not work without first joining that subnet, which may or may not be physically possible. Nmap performs an ARP ping (-PR) automatically when a privileged user scans targets on the local Ethernet segment, so the technique is usually applied without being asked for.
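What the ARP ping actually puts on the wire, as an added example (not from the quiz or its references): a Go program that lays out the broadcast ARP request frame, parses the unicast reply a live host sends back, and applies the one precondition the text warns about, that the scanner must sit in the target's subnet. The MAC and IP addresses are constructed, and the "reply" is built locally so the parser can be exercised offline; on a real network the frame would be written to and read from a raw socket, which is omitted here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	etherTypeARP = 0x0806
	arpRequest   = 1
	arpReply     = 2
	frameLen     = 42 // 14-byte Ethernet header + 28-byte ARP payload
)

var broadcast = net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}

// buildARP lays out an Ethernet II frame carrying an ARP packet for IPv4.
func buildARP(op uint16, dst, srcMAC net.HardwareAddr, srcIP net.IP, tgtMAC net.HardwareAddr, tgtIP net.IP) []byte {
	f := make([]byte, frameLen)
	copy(f[0:6], dst)
	copy(f[6:12], srcMAC)
	binary.BigEndian.PutUint16(f[12:14], etherTypeARP)
	a := f[14:]
	binary.BigEndian.PutUint16(a[0:2], 1)      // HTYPE: Ethernet
	binary.BigEndian.PutUint16(a[2:4], 0x0800) // PTYPE: IPv4
	a[4], a[5] = 6, 4                          // HLEN, PLEN
	binary.BigEndian.PutUint16(a[6:8], op)
	copy(a[8:14], srcMAC)
	copy(a[14:18], srcIP.To4())
	copy(a[18:24], tgtMAC) // all zeros in a request: this is the answer being asked for
	copy(a[24:28], tgtIP.To4())
	return f
}

// ARPPing is the probe an ARP ping scan sends: broadcast "who has target? tell me".
func ARPPing(myMAC net.HardwareAddr, myIP, target net.IP) []byte {
	return buildARP(arpRequest, broadcast, myMAC, myIP, net.HardwareAddr{0, 0, 0, 0, 0, 0}, target)
}

// ARPAnswer is what a live host sends back, unicast to the scanner. It is used here only
// to construct test input; on a real network the reply comes off the wire.
func ARPAnswer(hostMAC net.HardwareAddr, hostIP net.IP, toMAC net.HardwareAddr, toIP net.IP) []byte {
	return buildARP(arpReply, toMAC, hostMAC, hostIP, toMAC, toIP)
}

// ParseReply returns the answering host's MAC and IP from a reply frame.
func ParseReply(f []byte) (net.HardwareAddr, net.IP, error) {
	if len(f) < frameLen || binary.BigEndian.Uint16(f[12:14]) != etherTypeARP {
		return nil, nil, errors.New("not an ARP frame")
	}
	a := f[14:]
	if binary.BigEndian.Uint16(a[6:8]) != arpReply {
		return nil, nil, errors.New("not an ARP reply")
	}
	mac := net.HardwareAddr(append([]byte(nil), a[8:14]...))
	ip := net.IP(append([]byte(nil), a[14:18]...))
	return mac, ip, nil
}

// OnLink is the precondition the text warns about: ARP is not routed, so the scanner
// only hears replies from hosts inside its own subnet.
func OnLink(scannerIP, target net.IP, mask net.IPMask) bool {
	return scannerIP.Mask(mask).Equal(target.Mask(mask))
}

// Sweep feeds captured frames through the parser and returns the live hosts keyed by IP,
// ignoring anything that is not an ARP reply (including our own requests).
func Sweep(frames [][]byte) map[string]string {
	alive := map[string]string{}
	for _, f := range frames {
		if mac, ip, err := ParseReply(f); err == nil {
			alive[ip.String()] = mac.String()
		}
	}
	return alive
}

func main() {
	me, _ := net.ParseMAC("02:00:00:00:00:01")
	host, _ := net.ParseMAC("02:00:00:00:00:42")
	req := ARPPing(me, net.ParseIP("192.168.1.10"), net.ParseIP("192.168.1.42"))
	fmt.Printf("request: % x\n", req)
	rep := ARPAnswer(host, net.ParseIP("192.168.1.42"), me, net.ParseIP("192.168.1.10")) // constructed
	fmt.Println("alive:", Sweep([][]byte{rep, req}))
	fmt.Println("10.0.0.5 reachable by ARP from 192.168.1.10/24?",
		OnLink(net.ParseIP("192.168.1.10"), net.ParseIP("10.0.0.5"), net.CIDRMask(24, 32)))
}
```

The target-MAC field of the request is zero because it is the unknown the request exists to fill in; a host that answers has by definition processed the frame, which is why no host-level packet filter that still allows normal traffic can hide it. OnLink returning false for a target is the signal to switch to a routed technique (TCP SYN/ACK or ICMP probes) or to get a foothold inside that subnet first.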
Question 42 of 65
42. Question
Your company follows the five-tier container technology architecture. Your colleagues use container technology to deploy applications/software. In this process, they include all dependencies, such as libraries and configuration files, binaries, and other resources that run independently from other processes in the cloud environment. Now they verify and validate image contents, sign images, and send them to the registries. At which of the following tiers are your colleagues currently working according to the five-tier container technology architecture?
Correct
According to EC-Council's training materials:
Tier-1: Developer machines – image creation, testing and accreditation
Tier-2: Testing and accreditation systems – verification and validation of image contents, signing images and sending them to the registries
Tier-3: Registries – storing images and disseminating images to the orchestrators based on requests
Tier-4: Orchestrators – transforming images into containers and deploying containers to hosts
Tier-5: Hosts – operating and managing containers as instructed by the orchestrator
Question 43 of 65
43. Question
You were instructed to check the configuration of the webserver and you found that the server permits SSLv2 connections, and the same private key certificate is used on a different server that allows SSLv2 connections. You understand that this vulnerability makes the web server vulnerable to attacks as the SSLv2 server can leak key information. Which of the following attacks can an attacker perform using this vulnerability?
Correct
https://en.wikipedia.org/wiki/DROWN_attack The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack is a cross-protocol vulnerability: it targets servers that offer modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure SSLv2 protocol to break connections made with up-to-date protocols that would otherwise be secure. DROWN can affect any server that offers services encrypted with SSLv3/TLS yet still supports SSLv2, provided the same RSA key pair (public key credentials) is used for both protocols. Additionally, if the same certificate, and therefore the same private key, is used on a different server that supports SSLv2, the TLS server is also vulnerable, because the SSLv2 server leaks key information that can be used against the TLS server. Full details of DROWN were announced in March 2016, along with a patch that disables SSLv2 in OpenSSL; the vulnerability was assigned the ID CVE-2016-0800. The patch alone will not be sufficient to mitigate the attack if the certificate can be found on another SSLv2 host. The only viable countermeasure is to disable SSLv2 on every server that uses the key, which means the check has to be run across the whole estate, not only on the web server under review.
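The check a reviewer would run for the situation in the question, as an added example (not from the quiz or its references, and not the official DROWN scanner): a Go program that sends an SSLv2 CLIENT-HELLO, recognises an SSLv2 SERVER-HELLO in the reply, and then applies the rule from the text to an inventory, flagging every host whose key is shared with any host that still answers SSLv2. The cipher-spec list is the standard SSLv2 set; the SERVER-HELLO bytes used to exercise the parser and the host inventory are constructed, and the key fingerprint (KeyID) is an assumed label for "same public key". `nmap --script sslv2` performs the same probe, but it cannot make the cross-host correlation for you.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// SSLv2 cipher specs, 3 bytes each: RC4-128, RC4-40-export, RC2-128, RC2-40-export,
// IDEA, DES, 3DES. The two 40-bit export specs are the ones the DROWN oracle relies on.
var sslv2Ciphers = []byte{
	0x01, 0x00, 0x80, 0x02, 0x00, 0x80, 0x03, 0x00, 0x80, 0x04, 0x00, 0x80,
	0x05, 0x00, 0x80, 0x06, 0x00, 0x40, 0x07, 0x00, 0xc0,
}

func u16(v int) []byte { return []byte{byte(v >> 8), byte(v)} }

// ClientHello builds an SSLv2 CLIENT-HELLO (msg type 1, version 0x0002) inside a
// 2-byte SSLv2 record header (high bit set means no padding byte follows).
func ClientHello(challenge []byte) []byte {
	body := []byte{0x01, 0x00, 0x02}
	body = append(body, u16(len(sslv2Ciphers))...) // cipher-specs length
	body = append(body, u16(0)...)                 // session-id length
	body = append(body, u16(len(challenge))...)    // challenge length
	body = append(body, sslv2Ciphers...)
	body = append(body, challenge...)
	return append(u16(0x8000|len(body)), body...)
}

// ParseServerHello reports whether resp is an SSLv2 SERVER-HELLO (msg type 4) and,
// if so, returns the DER certificate and the cipher specs the server will accept.
func ParseServerHello(resp []byte) (cert []byte, specs [][3]byte, err error) {
	hdr := 2
	if len(resp) > 0 && resp[0]&0x80 == 0 { // 3-byte header form carries a padding-length byte
		hdr = 3
	}
	if len(resp) < hdr+11 || resp[hdr] != 0x04 {
		return nil, nil, errors.New("not an SSLv2 SERVER-HELLO (server declined SSLv2)")
	}
	msg := resp[hdr:]
	// msg[1] session-id-hit, msg[2] certificate-type, msg[3:5] version, msg[9:11] conn-id length
	certLen := int(binary.BigEndian.Uint16(msg[5:7]))
	specLen := int(binary.BigEndian.Uint16(msg[7:9]))
	if len(msg) < 11+certLen+specLen {
		return nil, nil, errors.New("truncated SERVER-HELLO")
	}
	cert = msg[11 : 11+certLen]
	for i := 11 + certLen; i+3 <= 11+certLen+specLen; i += 3 {
		specs = append(specs, [3]byte{msg[i], msg[i+1], msg[i+2]})
	}
	return cert, specs, nil
}

// Probe sends the CLIENT-HELLO to addr ("host:443") and returns whether the server answered in SSLv2, plus its certificate.
func Probe(addr string) (bool, []byte, error) {
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return false, nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	challenge := make([]byte, 16)
	rand.Read(challenge)
	if _, err := conn.Write(ClientHello(challenge)); err != nil {
		return false, nil, err
	}
	buf := make([]byte, 16384)
	n, _ := conn.Read(buf)
	cert, _, err := ParseServerHello(buf[:n])
	return err == nil, cert, nil
}

// Host is one entry of a constructed inventory. KeyID stands for a fingerprint of the
// server's public key (for instance SHA-256 over the certificate's SubjectPublicKeyInfo).
type Host struct{ Name string; SSLv2 bool; KeyID string }

// Exposed applies the DROWN rule: affected if the host speaks SSLv2 itself or shares its key with one that does.
func Exposed(inv []Host) []string {
	leaky := map[string]bool{}
	for _, h := range inv {
		if h.SSLv2 {
			leaky[h.KeyID] = true
		}
	}
	var out []string
	for _, h := range inv {
		if leaky[h.KeyID] {
			out = append(out, h.Name)
		}
	}
	return out
}

func main() {
	fmt.Println(Exposed([]Host{{"www", false, "k1"}, {"mail", true, "k1"}, {"api", false, "k2"}})) // [www mail]
}
```

In the sample inventory "www" has SSLv2 disabled and would pass a single-host scan, yet it is listed because "mail" serves the same key over SSLv2; that is exactly the case the question describes. A server that has SSLv2 off answers the probe with a TLS alert or closes the connection, which ParseServerHello reports as "not an SSLv2 SERVER-HELLO".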
Question 44 of 65
44. Question
An ethical hacker has already received all the necessary information and is now considering further actions. For example, infect a system with malware and use phishing to gain credentials to a system or web application. What phase of ethical hacking methodology is the hacker currently in?
Correct
https://www.geeksforgeeks.org/5-phases-hacking/
Reconnaissance: This phase is also called the footprinting and information-gathering phase; in it the hacker gathers information about a target before launching an attack. It is during this phase that the hacker finds valuable information such as old passwords and the names of important employees. The data includes important areas such as:
– Finding out specific IP addresses
– TCP and UDP services
– Identifying vulnerabilities
There are two types of footprinting:
– Active: directly interacting with the target to gather information about it.
– Passive: collecting information about the target without directly accessing it. For this purpose the hacker can use social media, public websites, etc.
Scanning: In this phase hackers seek any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts. The hacker identifies a quick way to gain access to the network and looks for information. This phase includes the use of tools like dialers, port scanners, network mappers, sweepers, and vulnerability scanners. Basically, four types of scans are used at this stage:
– Pre-attack: the hacker scans the network for specific information based on what was gathered during reconnaissance.
– Port scanning/sniffing: this method includes the use of dialers, port scanners, and other data-gathering equipment.
– Vulnerability scanning: scanning the target for weaknesses/vulnerabilities.
– Information extraction: in this step the hacker collects information about ports, live machines and OS details, network topology, routers, firewalls, and servers.
Gaining Access: At this point the hacker has the information he needs. First he draws the network map, then he has to decide how to carry out the attack. There are many options, for example:
– Phishing attack
– Man-in-the-middle attack
– Brute-force attack
– Spoofing attack
– DoS attack
– Buffer overflow attack
– Session hijacking
– BEC attack
After entering a system the hacker has to escalate his privileges to the administrator level so he can install the applications he needs, or modify or hide data. This is the phase the question describes: the information has been gathered, and malware infection and phishing for credentials are ways of getting in.
Maintaining Access: Once a hacker has gained access, he wants to keep that access for future exploitation and attacks. The hacker secures his access to the organization's systems with rootkits and Trojans and uses it to launch additional attacks on the network. An ethical hacker maintains access to the target until he finishes the tasks he planned to accomplish there.
Clearing Tracks: An intelligent hacker always clears all evidence so that later no one will find any traces leading back to him/her. He/she does this by:
– Clearing the cache and cookies
– Modifying registry values
– Modifying/corrupting/deleting log entries
– Clearing out sent emails
– Closing all the open ports
– Uninstalling all applications that he/she used
Question 45 of 65
45. Question
Which of the following is the hacker‘s first step in conducting a DNS cache poisoning attack on a target organization?
Correct
https://ru.wikipedia.org/wiki/DNS_spoofing DNS spoofing is a threat that substitutes fake destinations for the legitimate ones to divert a domain's traffic. Unaware of the attack, users are redirected to malicious websites, which results in sensitive and personal data being leaked. It is a method of attack in which a DNS server is tricked into saving a fake DNS entry. The server then hands out the fake answer to everyone who asks it, which threatens vital information stored on the clients that rely on it. Cache-poisoning payloads are also spread through URLs sent in spam e-mails: the e-mails prompt users to click a link that compromises their computer, after which the computer is steered to a fake IP address that looks like the real thing. The stages of a DNS cache poisoning attack are:
– The attacker sends DNS queries for the target name to the DNS resolver, which forwards the request to the root/TLD/authoritative DNS servers and waits for an answer. This is the first step: it opens the window during which a forged answer can be accepted.
– The attacker floods the resolver with forged responses that contain the IP addresses of the malicious website. To be accepted, a forged response must match the transaction ID and the destination UDP port of the outstanding query and arrive before the legitimate response; since the attacker has to guess these values, many forged responses are sent to raise the chance of success.
– If you are a legitimate user who queries this resolver, you get the poisoned answer from its cache and are automatically redirected to the malicious website.
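The race described in the stages above, as an added example (not from the quiz or its references): a Go simulation in which the attacker's first step is a query that leaves the resolver waiting, and the second step is a flood of forged answers in real DNS wire format. The resolver's acceptance check is the one the text states (pending query, matching transaction ID, matching port). Running it once with the resolver sending every query from port 53 and once with a random source port shows why guessing only the 16-bit ID is enough in the first case and not in the second. The resolver, the name bank.example and the attacker address 203.0.113.66 are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
	"net"
	"strings"
)

// BuildResponse encodes a minimal DNS answer in wire format: a 12-byte header (ID,
// flags 0x8180 = standard response, recursion available), one question, one A record.
func BuildResponse(id uint16, name string, ip net.IP) []byte {
	pkt := make([]byte, 12)
	binary.BigEndian.PutUint16(pkt[0:2], id)
	binary.BigEndian.PutUint16(pkt[2:4], 0x8180)
	binary.BigEndian.PutUint16(pkt[4:6], 1) // QDCOUNT
	binary.BigEndian.PutUint16(pkt[6:8], 1) // ANCOUNT
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		pkt = append(pkt, byte(len(label)))
		pkt = append(pkt, label...)
	}
	pkt = append(pkt, 0, 0, 1, 0, 1)                                 // QNAME end, QTYPE A, QCLASS IN
	pkt = append(pkt, 0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4) // NAME ptr to 12, A, IN, TTL 3600, RDLENGTH 4
	return append(pkt, ip.To4()...)
}

// ParseResponse pulls the transaction ID and the answered IPv4 address back out.
func ParseResponse(pkt []byte) (uint16, net.IP, error) {
	i := 12
	for i < len(pkt) && pkt[i] != 0 { // skip the QNAME labels
		i += int(pkt[i]) + 1
	}
	i += 1 + 4 + 10 // QNAME terminator, QTYPE/QCLASS, then answer NAME ptr, TYPE, CLASS, TTL
	if len(pkt) < i+6 || binary.BigEndian.Uint16(pkt[i:i+2]) != 4 {
		return 0, nil, errors.New("not a well-formed A answer")
	}
	return binary.BigEndian.Uint16(pkt[0:2]), net.IP(pkt[i+2 : i+6]), nil
}

type pending struct{ id, port uint16 }

// Resolver keeps a cache plus the queries it has forwarded upstream and still awaits.
type Resolver struct {
	Cache   map[string]string
	waiting map[string]pending
	rng     *rand.Rand
}

func NewResolver(seed int64) *Resolver {
	return &Resolver{map[string]string{}, map[string]pending{}, rand.New(rand.NewSource(seed))}
}

// Query is the attacker's first step: asking for a name the resolver has not cached
// makes it send an upstream query and wait for the answer. With randomPort=false the
// resolver sends every query from UDP 53; with randomPort=true it picks an ephemeral port.
func (r *Resolver) Query(name string, randomPort bool) pending {
	p := pending{id: uint16(r.rng.Intn(1 << 16)), port: 53}
	if randomPort {
		p.port = uint16(1024 + r.rng.Intn(65536-1024))
	}
	r.waiting[name] = p
	return p
}

// Deliver is the resolver's acceptance check for a packet arriving at dstPort: it is
// cached only if a query for that name is pending and both the transaction ID and the
// port match. The first matching answer wins; the genuine one then arrives too late.
func (r *Resolver) Deliver(name string, dstPort uint16, pkt []byte) bool {
	p, ok := r.waiting[name]
	id, ip, err := ParseResponse(pkt)
	if !ok || err != nil || id != p.id || dstPort != p.port {
		return false
	}
	delete(r.waiting, name)
	r.Cache[name] = ip.String()
	return true
}

// Flood is the attacker's second step: issue the query, then spray forged answers
// that guess transaction IDs 0..n-1 at port 53. Returns true once the cache is poisoned.
func Flood(r *Resolver, name string, randomPort bool, n int, evil net.IP) bool {
	r.Query(name, randomPort)
	for id := 0; id < n; id++ {
		if r.Deliver(name, 53, BuildResponse(uint16(id), name, evil)) {
			return true
		}
	}
	return false
}

func main() {
	evil := net.ParseIP("203.0.113.66") // constructed attacker address (TEST-NET-3)
	fmt.Println("fixed port 53, 2^16 guesses :", Flood(NewResolver(1), "bank.example", false, 1<<16, evil))
	fmt.Println("random port, 2^16 guesses   :", Flood(NewResolver(1), "bank.example", true, 1<<16, evil))
}
```

With the source port fixed, 65536 forged packets are guaranteed to hit, which is why source-port randomization (and, beyond it, DNSSEC validation) is the resolver-side defence; the simulation deliberately ignores the second half of the real attack, in which the genuine answer can arrive first and close the window, since that only makes the fixed-port case probabilistic rather than safe.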
Question 46 of 65
46. Question
Identify the protocol used to secure an LDAP service against anonymous queries?
Correct
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol According to EC-Council's courseware: "LDAP Enumeration Countermeasures
– By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic.
– Select a username different from your email address and enable account lockout.
– Restrict access to Active Directory by using software such as Citrix.
– Use NTLM or any basic authentication mechanism to limit access to legitimate users."
Lightweight Directory Access Protocol (LDAP) is vulnerable to various security threats, including spoofing of directory services and attacks against the databases that provide the directory services. This isn't to say that LDAP is completely defenceless. LDAP supports a number of different security mechanisms, beginning from when clients initially connect to an LDAP server. LDAP clients must authenticate to the server before being allowed access to the directory. Clients (users, computers, or applications) connect to the LDAP server using a distinguished name and authentication credentials (usually a password). Authentication information is sent from the client to the server as part of a "bind" operation, and the connection is later closed using an "unbind" operation. Unfortunately, it is possible for users to make the connection with limited or no authentication, by using either anonymous or simple authentication. LDAP allows anonymous clients to send LDAP requests to the server without first performing a bind operation with credentials. While anonymous connections don't require a password, simple authentication sends a person's password over the network unencrypted unless the connection is protected by LDAPS (TLS on port 636) or STARTTLS (an upgrade of the plain port-389 connection). Active Directory is comprised of multiple services, but the primary component is the LDAP server. This contains information about everything inside the domain (e.g., users, user groups, machines, devices, etc.).
When logging in to a Windows domain, part of the authentication process involves sending an LDAP bind request to the domain controller to validate the credentials. It is common for third-party applications to delegate authentication to Active Directory using LDAP.
Question 47 of 65
47. Question
What is the common name of vulnerability disclosure programs opened by companies on HackerOne, Bugcrowd, etc.?
Correct
https://en.wikipedia.org/wiki/Bug_bounty_program A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy. Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.
HackerOne https://www.hackerone.com/ HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. It was one of the first companies, along with Synack and Bugcrowd, to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of May 2020, HackerOne's network had paid $100 million in bounties.
Question 48 of 65
48. Question
All the industrial control systems of your organization are connected to the Internet. Your management wants to empower the manufacturing process, ensure the reliability of industrial networks, and reduce downtime and service disruption. You have been assigned to find and install an OT security tool that further protects against security incidents such as cyber espionage, zero-day attacks, and malware. Which of the following tools will you use to accomplish this task?
Correct
NOTE: This question is advertising from EC-Council; there is no value in this "knowledge".
– Flowmon https://www.flowmon.com/en/company According to EC-Council's study guide: "Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks to avoid downtime and disruption of service continuity."
Incorrect answers:
– Robotium https://en.wikipedia.org/wiki/Robotium Robotium is an open-source test framework for writing automatic gray-box test cases for Android applications.
– BalenaCloud https://www.balena.io/what-is-balena "Balena is a complete set of tools for building, deploying, and managing fleets of connected Linux devices. We provide infrastructure for fleet owners so they can focus on developing their applications and growing their fleets with as little friction as possible. The core balena platform, or what we call balenaCloud, encompasses device, server, and client-side software, all designed to get your code securely deployed to a fleet of devices. The broad strokes are easy to grasp: once your device is set up with our host OS (balenaOS), you can push code to the balena build servers, where it will be packaged into containers and delivered to your fleet."
– IntentFuzzer: a tool for detecting capability leaks of Android applications.
Question 49 of 65
49. Question
You need to securely transfer sensitive organizational data between industrial systems. For this purpose, you have decided to use a short-range wireless communication technology that meets the following requirements:
– Protocol based on the IEEE 203.15.4 standard;
– Range of 10-100 m;
– Designed for small-scale projects that need a wireless connection.
Which of the following protocols will meet your requirements?
Correct
https://en.wikipedia.org/wiki/Zigbee According to EC-Council's study guide: "Zig-Bee: This is a short-range communication protocol based on the IEEE 203.15.4 standard. Zig-Bee is used in devices that transfer data infrequently at a low rate in a restricted area and within a range of 10-100 m."
Question 50 of 65
50. Question
Your friend installed an application from a third-party app store. After a while, some of the applications on his smartphone were replaced by malicious applications that appeared legitimate, and he began to receive a lot of advertising spam. Which of the following attacks has your friend been subjected to?
Correct
https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/ Agent Smith is a modular malware that exploits a series of Android vulnerabilities to replace legitimate existing apps with a malicious imitation. The malicious app doesn't steal data. Instead, the replaced apps display a huge number of adverts to the user or steal credit from the device to pay for adverts already served. The malware carries the "Agent Smith" moniker, the same name as the infamous Matrix character who is characterized as a virus. The Check Point research team reasons that the methods the malware uses to propagate are similar to Agent Smith's techniques in the film series. The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own. Combining advanced threat prevention and threat intelligence while adopting a 'hygiene first' approach to safeguard digital assets is the best protection against invasive mobile malware attacks like "Agent Smith." Moreover, Agent Smith has infected a huge number of devices. India has by far the most infections; the Check Point research indicates some 15 million devices carrying Agent Smith. The next closest country is Bangladesh, with around 2.5 million devices infected. There were over 300,000 Agent Smith infections in the US and around 137,000 in the UK.
Question 51 of 65
51. Question
While checking your organization‘s wireless network, you found that the wireless network component is not sufficiently secure. It uses an old encryption protocol designed to mimic wired encryption. Which of the following protocols is used in your organization‘s wireless network?
Correct
https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard, WEP was intended to mimic the privacy characteristics of a wired LAN. WEP uses the insecure RC4 cipher to encrypt data, but because it was incorrectly implemented, it is vulnerable to recovery of the encryption key. It has been easily crackable for well over a decade.
Incorrect answers:
RADIUS https://en.wikipedia.org/wiki/RADIUS Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol. It was later brought into the IETF standards.
WPA and WPA3 https://ru.wikipedia.org/wiki/WPA Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security-certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).
Question 52 of 65
52. Question
Identify the correct syntax for an ICMP scan of a remote computer using hping2.
Correct
http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf Most ping programs use ICMP echo requests and wait for echo replies to come back to test connectivity. Hping2 allows us to do the same testing using any IP packet, including ICMP, UDP, and TCP. This can be helpful since nowadays most firewalls or routers block ICMP. Hping2 uses TCP by default, but if you still want to send an ICMP scan, you can. ICMP scans are sent using the -1 (one) mode. Basically, the syntax is:
hping2 -1 IPADDRESS
[root@localhost hping2-rc3]# hping2 -1 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=27118 icmp_seq=0 rtt=14.9 ms
len=46 ip=192.168.0.100 ttl=128 id=27119 icmp_seq=1 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27120 icmp_seq=2 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27121 icmp_seq=3 rtt=1.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27122 icmp_seq=4 rtt=0.9 ms
--- 192.168.0.100 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.5/3.7/14.9 ms
[root@localhost hping2-rc3]#
Question 53 of 65
53. Question
Which of the following vulnerabilities will you use if you know that the target network uses WPA3 encryption?
Correct
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Dragonblood_attack In April 2019, the same researchers behind the KRACK disclosure in 2017 released five new WPA3 vulnerabilities, collectively named Dragonblood. They allow an attacker in range of a password-protected Wi-Fi network to obtain the password and gain access to sensitive information such as user credentials, emails and credit card numbers. According to the published report (https://wpa3.mathyvanhoef.com/): "The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks."
Incorrect answers:
Cross-site request forgery https://en.wikipedia.org/wiki/Cross-site_request_forgery Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Key reinstallation attack https://en.wikipedia.org/wiki/KRACK KRACK is an acronym for Key Reinstallation Attack. KRACK is a severe replay attack on the Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to exploit a vulnerability in WPA2. When in close range of a potential victim, attackers can access and read encrypted data using KRACK.
AP misconfiguration: APs connected to your network with a configuration that does not conform to your authorized WLAN policy. The most common areas of misconfiguration that lead to wireless cracking are:
– Some AP configurations are left at factory defaults, such as usernames and passwords or the default broadcast WLANs (SSIDs); these default settings can be found in the vendor's manuals on the Internet.
– Human error: advanced security policies are configured on one set of APs across the organization, while others are forgotten and left with default weak security settings.
As a countermeasure against misconfigured APs, organizations should carry out ongoing site surveys as a tool to monitor a secure wireless environment.
Incorrect
https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Dragonblood_attack In April 2019 the same researchers behind the KRACK disclosure in 2017 released five new WPA3 vulnerabilities collectively named Dragonblood. It allows an attacker in range of a password-protected Wi-Fi network to obtain the password and gain access to sensitive information such as user credentials, emails and credit card numbers. According to the published report: – https://wpa3.mathyvanhoef.com/ “The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, such as protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is affected by several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3Â’s Simultaneous Authentication of Equals (SAE) handshake, commonly known as Dragonfly, is affected by password partitioning attacks.” Incorrect answers: Cross-site request forgery https://en.wikipedia.org/wiki/Cross-site_request_forgery Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which theyÂ’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attackerÂ’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. Key reinstallation attack https://en.wikipedia.org/wiki/KRACK KRACK is an acronym for Key Reinstallation Attack. KRACK is a severe replay attack on Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to exploit a vulnerability in WPA2. 
When in close range of a potential victim, attackers can access and read encrypted data using KRACK. AP misconfiguration APs connected to your network with a configuration that does not conform to your Authorized WLAN Policy. Most common areas of misconfiguration, that leads to wireless crackingÂ’s are: – Some AP configurations are left to factory defaults, like usernames and passwords or default WLAN‘s broadcasted (SSID‘s) and default settings may be found in manuals of the specific vendor on the internet. – Human Error – advanced security policies are configured on a set of AP‘s across the organization, and other ones are forgotten and left with default weak security settings. As a counter-measure against misconfigured AP, organizations should follow the ongoing site surveys as a tool to monitor a secure wireless environment.
Question 54 of 65
Matthew successfully hacked the server and got root privileges. Now he wants to pivot and stealthily transit traffic across the network, avoiding the IDS. Which of the following will be the best solution for Matthew?
Correct
https://linuxsecurityblog.com/2018/12/23/create-a-backdoor-with-cryptcat/ Cryptcat enables us to communicate between two systems and encrypts the communication between them with Twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish's encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can't detect the malicious behavior taking place even when it's traveling across normal HTTP ports like 80 and 443.
Question 55 of 65
Which of the following attacks can you perform if you know that the web server handles the “(../)” character string incorrectly and returns the file listing of a folder structure of the server?
Correct
https://en.wikipedia.org/wiki/Directory_traversal_attack A directory traversal (or path traversal) attack exploits insufficient security validation or sanitization of user-supplied file names, such that characters representing “traverse to parent directory” are passed through to the operating system's file system API. An affected application can be exploited to gain unauthorized access to the file system. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.
Incorrect answers:
Cross-site scripting https://en.wikipedia.org/wiki/Cross-site_scripting Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
SQL injection https://en.wikipedia.org/wiki/SQL_injection A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
Denial of service https://en.wikipedia.org/wiki/Denial-of-service_attack A denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a computer or other device unavailable to its intended users by interrupting the device's normal functioning. DoS attacks typically function by overwhelming or flooding a targeted machine with requests until normal traffic is unable to be processed, resulting in denial of service to additional users. A DoS attack is characterized by using a single computer to launch the attack.
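The defence the directory traversal explanation implies is canonicalisation before the containment check: resolve the user-supplied name against the web root and refuse anything that lands outside it. The following is an added example, not code from the page or from any project it cites; the web-root layout, the `resolve_under`/`is_safe_request` helpers and the sample requests are all constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Map a user-supplied relative path onto base_dir, refusing anything that escapes it.

    The comparison is made on canonical paths (os.path.realpath), so '../' sequences,
    redundant separators and symlinks pointing outside the root are all normalised
    before the containment check. Any URL decoding must already have happened
    (web servers decode %2e%2e%2f before code like this sees the name).
    """
    base = os.path.realpath(base_dir)
    # A leading separator would make os.path.join discard base_dir entirely,
    # so treat absolute-looking input as root-relative instead.
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise TraversalError(f"path escapes web root: {user_path!r}")
    return candidate


def is_safe_request(base_dir: str, user_path: str) -> bool:
    """True when the request stays inside base_dir, False when it would traverse out."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except TraversalError:
        return False


def demo() -> dict:
    """Build a throwaway web root and classify a handful of constructed requests."""
    root = tempfile.mkdtemp(prefix="webroot_")          # constructed layout, not from the page
    webroot = Path(root, "public")
    webroot.mkdir()
    (webroot / "index.html").write_text("<h1>hello</h1>")
    Path(root, "secret.txt").write_text("outside the web root")
    requests = [
        "index.html",             # ordinary file inside the root
        "sub/../index.html",      # '..' that stays inside the root is fine
        "../secret.txt",          # classic dot-dot-slash escape
        "sub/../../secret.txt",   # escape hidden behind a non-existent directory
        "/etc/passwd",            # absolute path, treated as root-relative and so contained
    ]
    return {req: is_safe_request(str(webroot), req) for req in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{'allow' if ok else 'DENY '}  {req}")
```

The check compares the resolved path with `base + os.sep` rather than `base` alone so that a sibling directory such as `public-old` is not accepted as being inside `public`.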
Question 56 of 65
To bypass firewalls using the DNS tunnelling method to exfiltrate data, you can use the NSTX tool. On which of the following ports should the NSTX tool be run?
Correct
https://en.wikipedia.org/wiki/Domain_Name_System DNS is a foundational protocol that enables applications such as web browsers to function based on domain names. DNS is not intended for a command channel or general-purpose tunneling. However, several utilities have been developed to enable tunneling over DNS. Because it is not intended for general data transfer, DNS often receives less attention in security monitoring than other protocols such as web traffic. If DNS tunneling goes undetected, it represents a significant risk to an organization. DNS uses both UDP server port 53 and TCP server port 53 for communications. Typically UDP is used, but TCP will be used for zone transfers or with payloads over 512 bytes. NOTE: NSTX is the name of a 2003 open source project that was abandoned while still in beta. Why the EC-Council suddenly remembered this tool in the 2021 course and exam – I don't know.
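Since the explanation's point is that DNS tunneling is a risk precisely because port 53 is rarely watched, the defender's follow-up is a detection heuristic over resolver logs. This is an added example, not code from the page or from any DNS project; the log line format, the sample lines, the thresholds and the `analyze` helper are constructed for the illustration. It groups queries by (client, registered domain) and flags a group whose leftmost labels are unusually long or high-entropy, the typical shape of data encoded into query names.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log sample (not from the page): "<epoch> <client> <qtype> <qname>".
# 10.0.0.5 browses normally; 10.0.0.9 sends hex-encoded payload in the leftmost label.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 AAAA mail.example.com
1700000002 10.0.0.9 TXT 4d5a90000300000004000000ffff0000b8000000.tunnel.example.net
1700000003 10.0.0.9 TXT 0000000040000000000000000000000000000000.tunnel.example.net
1700000004 10.0.0.9 TXT 0e1fba0e00b409cd21b8014ccd21546869732070.tunnel.example.net
1700000005 10.0.0.5 A cdn.example.com
1700000006 10.0.0.9 TXT 726f6772616d2063616e6e6f742062652072756e.tunnel.example.net
1700000007 10.0.0.9 TXT 20696e20444f53206d6f64652e0d0d0a24000000.tunnel.example.net
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores higher than natural host names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' grouping; production code would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed log format, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def analyze(text: str, min_queries: int = 5, max_label_len: int = 30,
            min_entropy: float = 3.0) -> list:
    """Return one finding per (client, domain) group that looks like a tunnel.

    Thresholds are constructed for this sample and should be tuned per environment.
    """
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[(rec["client"], registered_domain(rec["qname"]))].append(rec)

    findings = []
    for (client, domain), recs in groups.items():
        if len(recs) < min_queries:          # a few odd lookups are not a channel
            continue
        payload_labels = [r["qname"].split(".")[0] for r in recs]
        avg_len = sum(map(len, payload_labels)) / len(payload_labels)
        avg_entropy = sum(map(shannon_entropy, payload_labels)) / len(payload_labels)
        txt_share = sum(r["qtype"] == "TXT" for r in recs) / len(recs)
        if avg_len >= max_label_len or avg_entropy >= min_entropy:
            findings.append({
                "client": client, "domain": domain, "queries": len(recs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_share": round(txt_share, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The TXT share is reported rather than used as a criterion: tunnels over A or NULL records exist too, so record type is corroborating evidence, not the trigger. Volume per domain and label shape are what separate a tunnel from a CDN's long but low-cardinality host names.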
Question 57 of 65
Ron, the hacker, is trying to crack the password of an employee of the target organization using a rainbow table. During the break-in, he discovers that extra characters are appended to the password after it is submitted. Which of the following countermeasures is the target company using to protect against rainbow tables?
Correct
https://en.wikipedia.org/wiki/Salt_(cryptography) A salt is random data that is used as an additional input to a one-way function that hashes data, a password, or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system. A salt is one of those methods. A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking exposure of the plaintext password in the event that the authentication data store is compromised. Salts defend against a pre-computed hash attack, e.g. rainbow tables. Since salts do not have to be memorized by humans they can make the size of the hash table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.
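The “typical setting” the salt explanation describes (random per-password salt, key stretching, store salt plus hash but never the password) looks like this in working code. This is an added example, not code from the page or from any library it cites; the record format, the iteration count and the sample password are constructed for the illustration, and PBKDF2-HMAC-SHA256 from the standard library stands in for the key-stretching step.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example (not from the page).
SALT_BYTES = 16              # 128-bit random salt, unique per stored password
PBKDF2_ITERATIONS = 200_000  # key stretching, as the explanation mentions


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record of the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users who choose the same password end up with different stored records.
    Only the salt and the hash are stored, never the password itself.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt stored in the record and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """The scheme a rainbow table defeats: the same password always yields the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Show why a precomputed table works against unsalted hashes but not salted ones."""
    pw = "correct horse battery staple"   # constructed sample password
    record_user_a = hash_password(pw)
    record_user_b = hash_password(pw)     # same password, different salt
    return {
        "unsalted_hashes_identical": unsalted_hash(pw) == unsalted_hash(pw),
        "salted_records_differ": record_user_a != record_user_b,
        "both_records_verify": verify_password(pw, record_user_a)
                               and verify_password(pw, record_user_b),
        "wrong_password_rejected": not verify_password("wrong password", record_user_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Storing the iteration count inside the record is what lets the stretching cost be raised later without invalidating existing users: old records still verify at their recorded cost and can be rehashed on the next successful login.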
Question 58 of 65
Which of the following encryption algorithms is a symmetric key block cipher that has a 128-bit block size, and its key size can be up to 256 bits?
Correct
https://en.wikipedia.org/wiki/Twofish Twofish is an encryption algorithm designed by Bruce Schneier. It's a symmetric key block cipher with a block size of 128 bits, with keys up to 256 bits.
Incorrect answers:
HMAC https://en.wikipedia.org/wiki/HMAC An HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. HMAC can provide message authentication using a shared secret instead of using digital signatures with asymmetric cryptography. It trades off the need for a complex public key infrastructure by delegating the key exchange to the communicating parties, who are responsible for establishing and using a trusted channel to agree on the key prior to communication.
IDEA https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm The International Data Encryption Algorithm (IDEA), originally called Improved Proposed Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption Standard (DES). IDEA is a minor revision of an earlier cipher, Proposed Encryption Standard (PES). The cipher was designed under a research contract with the Hasler Foundation, which became part of Ascom-Tech AG. The cipher was patented in a number of countries but was freely available for non-commercial use. The name “IDEA” is also a trademark. The last patents expired in 2012, and IDEA is now patent-free and thus completely free for all uses. IDEA was used in Pretty Good Privacy (PGP) v2.0 and was incorporated after the original cipher used in v1.0, BassOmatic, was found to be insecure. IDEA is an optional algorithm in the OpenPGP standard.
Blowfish https://en.wikipedia.org/wiki/Blowfish_(cipher) Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications. Schneier designed Blowfish as a general-purpose algorithm, intended as an alternative to the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents or were commercial or government secrets. Schneier has stated that, “Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone.” Notable features of the design include key-dependent S-boxes and a highly complex key schedule.
Question 59 of 65
Identify the phase of the APT lifecycle that the hacker is in at the moment according to the scenario given below: The hacker prepared for an attack and attempted to enter the target network using techniques such as sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Thanks to the successful attack, he deployed malware on the target system to establish an outbound connection and began to move on.
Correct
https://en.wikipedia.org/wiki/Advanced_persistent_threat#Life_cycle An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. The targets of these assaults, which are very carefully chosen and researched, typically include large enterprises or governmental networks. The consequences of such intrusions are vast, and include:
– Intellectual property theft (e.g., trade secrets or patents)
– Compromised sensitive information (e.g., employee and user private data)
– The sabotaging of critical organizational infrastructure (e.g., database deletion)
– Total site takeovers
Executing an APT assault requires more resources than a standard web application attack. The perpetrators are usually teams of experienced cybercriminals having substantial financial backing. Some APT attacks are government-funded and used as cyber warfare weapons. The lifecycle of an APT is much longer and more complex than other kinds of attacks:
1. Define target: Determine who you're targeting, what you hope to accomplish – and why.
2. Find and organize accomplices: Select team members, identify required skills, and pursue insider access.
3. Build or acquire tools: Find currently available tools, or create new applications to get the right tools for the job.
4. Research target: Discover who has the access you need, what hardware and software the target uses, and how best to engineer the attack.
5. Test for detection: Deploy a small reconnaissance version of your software, test communications and alarms, identify any weak spots.
6. Deployment: The dance begins. Deploy the full suite and begin infiltration.
7. Initial intrusion: Once you're inside the network, figure out where to go and find your target.
8. Outbound connection initiated: Target acquired, requesting evac. Create a tunnel to begin sending data from the target.
9. Expand access and obtain credentials: Create a “ghost network” under your control inside the target network, leveraging your access to gain more movement.
10. Strengthen foothold: Exploit other vulnerabilities to establish more zombies or extend your access to other valuable locations.
11. Exfiltrate data: Once you find what you were looking for, get it back to base.
12. Cover tracks and remain undetected: The entire operation hinges upon your ability to stay hidden on the network. Keep rolling high on your stealth checks and make sure to clean up after yourself.
A little more detail about the stage of interest to us: Initial intrusion. The common technique used for initial intrusion is spear-phishing emails or exploiting vulnerabilities on publicly available servers. The spear-phishing emails usually look legitimate, with attachments containing malware or a malicious link. These malicious links lead to a website where the target's applications and software are compromised by the attacker using various exploit techniques. Sometimes an attacker may also use social engineering techniques to gather information from the victim. Once information has been obtained from the target, attackers use it to launch further attacks on the target network. During this phase, malicious code or malware is deployed into the target system to initiate an outbound connection.
Question 60 of 65
60. Question
A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 147 million people in September of 2017. A fix had been available from the software vendor for several months before the intrusion. Which of the following security processes has failed?
Correct
https://en.wikipedia.org/wiki/Patch_(computing) Patch management is the process of distributing and applying updates to the software. These patches are often necessary to correct errors (also referred to as “vulnerabilities” or “bugs”) in the software. Common areas that will need patches include operating systems, applications, and embedded systems (like network equipment). When a vulnerability is found after the release of a piece of software, a patch can be used to fix it. Doing so helps ensure that assets in your environment are not susceptible to exploitation.
Question 61 of 65
61. Question
Marketing department employees complain that their computers are working slowly and that every time they attempt to go to a website, they receive a series of pop-ups with advertisements. Which of the following types of malware infected their systems?
Correct
https://en.wikipedia.org/wiki/Adware Adware is also known as advertisement-supported software. Creators of adware include advertisements or help distribute other software to earn money. In many cases, ads may be within the software itself. Alternatively, the adware may encourage you to install additional software provided by third-party sponsors. Adware programs exist across all computers and mobile devices. Most of these are perfectly safe and legitimate, but some might have dark motives that you are unaware of. You might opt to download adware if you want:
– Free computer programs or mobile apps.
– Personalized ads tailored to your wants and needs.
– To try the software that comes bundled.
Adware creators and distributing vendors make money from third parties via either:
– Pay-per-click (PPC) — they get paid each time you open an ad.
– Pay-per-view (PPV) — they get paid each time an ad is shown to you.
– Pay-per-install (PPI) — they get paid each time bundled software is installed on a device.
The sponsoring third parties benefit from adware by:
– Gaining more users for their software.
– Showing their products or services to more potential customers.
– Collecting data about you to create more effective custom marketing adverts.
Together, this is what makes adware profitable and beneficial for you and all people involved. By definition, adware is not inherently malicious. However, the intentions of the paying advertiser, a secondary paying distributor, or the creator may be less safe. Plus, it can be a gateway for malicious acts, like malware infection or spying on your digital habits.
Question 62 of 65
62. Question
Which of the following is the firewall evasion scanning technique that uses a zombie system with low network activity?
Correct
https://nmap.org/book/idlescan.html The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer whose network traffic is very slow or nonexistent (that is, not transmitting or receiving information). This could be an idle computer, called a “zombie”. Idle scanning can be put together from these basic facts:
· One way to determine whether a TCP port is open is to send a SYN (session establishment) packet to the port. The target machine will respond with a SYN/ACK (session request acknowledgment) packet if the port is open, and RST (reset) if the port is closed. This is the basis of the previously discussed SYN scan.
· A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored.
· Every IP packet on the Internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IP ID can tell an attacker how many packets have been sent since the last probe.
The overall intention behind the idle scan is to “check the port status while remaining completely invisible to the targeted host.” By combining these traits, it is possible to scan a target network while forging your identity so that it looks like an innocent zombie machine did the scanning. Idle scan is the ultimate stealth scan. Nmap offers decoy scanning (-D) to help users shield their identity, but that (unlike idle scan) still requires an attacker to send some packets to the target from his real IP address in order to get scan results back. One upshot of idle scan is that intrusion detection systems will generally send alerts claiming that the zombie machine has launched a scan against them. So it can be used to frame some other party for a scan. Keep this possibility in mind when reading alerts from your IDS.
A unique advantage of idle scan is that it can be used to defeat certain packet filtering firewalls and routers. IP source address filtering is a common (though weak) security mechanism for limiting machines that may connect to a sensitive host or network.
Question 63 of 65
63. Question
Your boss informed you that a problem was detected in the service running on port 389 and said that you must fix this problem as soon as possible. What service is running on this port, and how can you fix this problem?
Correct
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well-supported standards-based mechanism for interacting with directory servers. It's often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications. The LDAP protocol can deal in quite a bit of sensitive data: Active Directory usernames, login attempts, failed-login notifications, and more. If attackers get hold of that data in flight, they might be able to compromise data like legitimate AD credentials and use it to poke around your network in search of valuable assets. Encrypting LDAP traffic in flight across the network can help prevent credential theft and other malicious activity, but it's not a failsafe—and if traffic is encrypted, your own team might miss the signs of an attempted attack in progress. While LDAP encryption isn't standard, there is a nonstandard version of LDAP called Secure LDAP, also known as “LDAPS” or “LDAP over SSL” (SSL, or Secure Socket Layer, being the now-deprecated ancestor of Transport Layer Security). LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.
Question 64 of 65
64. Question
Identify the technique by description: The attacker wants to create a botnet. First, they collect information about a large number of vulnerable machines to create a list. Second, they infect the machines. The list is divided by assigning half of it to the newly compromised machines. The scanning process runs simultaneously. This technique ensures very fast spreading and installation of malicious code.
Correct
https://stackingdwarves.net/public_stuff/cs_papers/Worms/worms-2.xml A worm is a malicious program similar to a virus, with the notable difference that it does not require any user interaction to spread. Instead, it exploits a programming error in server software or the underlying operating system to infect a machine. This means it requires an appropriate weakness to be present on the target. Once a target is infected, the worm activates itself and begins to use the network resources of the victim to scan for other potential targets. Since the infection happens automatically, worms spread many orders of magnitude faster than viruses.
Hit-list scanning
To avoid the disadvantages of scanning entirely, a list of vulnerable hosts can be composed in advance and sent along with the worm. The list data can be gathered surreptitiously over a long period of time, so that the scans will not stand out from the normal everyday portscan activity of script kiddies and curious netizens. When the actual attack starts, there will be no more scan traffic that might betray the worm, and each infection attempt will hit home. The interesting part here is the handling of the hit list. It will be huge (a few hundred k at the least), and it must be divided among worm instances so that duplicate infection attempts are avoided. At the same time, a certain amount of redundancy is necessary in case a worm instance is lost and with it part of the hit list. Hit-list worms will spread orders of magnitude faster than normal scanning worms, and allow for precise targeting in advance. So far, no widespread hit-list worm has been observed in the wild.
Question 65 of 65
65. Question
Which of the following keys can you share using asymmetric cryptography?
Correct
The key you can share is the public key. https://en.wikipedia.org/wiki/Public-key_cryptography Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys (which may be known to others) and private keys (which must never be known by anyone except the owner). The generation of such key pairs depends on cryptographic algorithms based on mathematical problems termed one-way functions. Effective security requires keeping the private key private; the public key can be openly distributed without compromising security. In such a system, any person can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. This allows, for instance, a server program to generate a key for a suitable symmetric-key cipher, then use a client's openly shared public key to encrypt that newly generated symmetric key. The server can then send this encrypted symmetric key over an insecure channel to the client; only the client can decrypt it, using the client's private key (which pairs with the public key the server used to encrypt the message). With the client and server both holding the same symmetric key, they can safely use symmetric encryption (which is much faster) to communicate over otherwise insecure channels. This scheme has the advantage of not having to manually pre-share symmetric keys (a fundamentally difficult problem) while gaining the higher throughput of symmetric-key cryptography. With public-key cryptography, robust authentication is also possible. A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can check that message against the claimed signature; if the signature matches the message, the origin of the message is verified (i.e., it must have been made by the owner of the corresponding private key).
Public key algorithms are fundamental security primitives in modern cryptosystems, including applications and protocols which offer assurance of the confidentiality, authenticity and non-repudiability of electronic communications and data storage. They underpin numerous Internet standards, such as Transport Layer Security (TLS), S/MIME, PGP, and GPG. Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA). Asymmetric encryption is considerably slower than good symmetric encryption, too slow for bulk data, so today's cryptosystems (such as TLS and Secure Shell) use asymmetric cryptography to establish and authenticate a symmetric key and then symmetric encryption for the traffic itself.
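The explanation above describes two uses of asymmetric cryptography in one flow: wrapping a freshly generated symmetric key to the recipient's public key, and signing with the sender's private key so the recipient can verify origin. The following Go program is an added example written for this page (it is not part of the original quiz explanation and not taken from any of the standards it names); it uses only the Go standard library. The party names Alice, Bob and Mallory, the `Envelope` type and the `Seal`/`Open`/`NewParty` function names are this example's own choices. The point it demonstrates is that only the `PublicKey` half of each key pair ever crosses the channel: Bob's public key is what Alice needs to wrap the AES key, Alice's public key is what Bob needs to check her signature, and a third party holding a different private key can neither unwrap the key nor forge a signature that verifies under Alice's public key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the only thing that crosses the insecure channel. None of its
// fields is a secret on its own: the AES key travels wrapped to the recipient's
// public key, and the signature was produced with the sender's private key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP(SHA-256) under the recipient's public key
	Nonce      []byte // AES-GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-GCM output (ciphertext || tag)
	Signature  []byte // RSA-PSS over SHA-256(WrappedKey || Nonce || Ciphertext)
}

// NewParty generates a fresh 2048-bit RSA key pair (example helper). Only the
// PublicKey field is ever handed to the other side.
func NewParty() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signedDigest hashes everything the sender commits to. WrappedKey and Nonce
// have fixed lengths (256 and 12 bytes here), so the concatenation is unambiguous.
func signedDigest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// Seal is the sender side: encrypt under a fresh symmetric key, wrap that key
// to the recipient's public key, then sign so the recipient can check origin.
func Seal(msg []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := io.ReadFull(rand.Reader, e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, msg, nil)
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil); err != nil {
		return nil, err
	}
	if e.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(e), nil); err != nil {
		return nil, err
	}
	return e, nil
}

// Open is the recipient side: verify the sender's signature first, then unwrap
// the symmetric key with the recipient's private key and decrypt.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, signedDigest(e), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap symmetric key (not the intended recipient): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // GCM tag check rejects any tampering
}

func main() {
	alice, bob := NewParty(), NewParty() // each party keeps its private half
	env, err := Seal([]byte("constructed sample message"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
	mallory := NewParty()
	_, err = Open(env, mallory, &alice.PublicKey)
	fmt.Println("mallory with her own private key:", err)
}
```

Two details matter in practice. The signature is computed over the wrapped key and nonce as well as the ciphertext, so an attacker cannot swap in a key wrapped to a different recipient without invalidating it; and verification happens before decryption, so unauthenticated input is never fed to the key-unwrap step. The example omits what real deployments add on top: some binding of a public key to an identity (certificates in TLS, a web of trust in PGP), since the public key itself can be distributed freely but its ownership still has to be established.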