
1. Jason works in the sales and marketing department for a very large advertising agency located in Atlanta.

Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor. Without any proof, Jason's company cannot do anything except move on. After working on another high-profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on. Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used?

A. Snow Hiding Technique
B. Stealth Rootkit Technique
C. ADS Streams Technique
D. Image Steganography Technique *

2. Sam is using Firewalk to test the security of his network's firewall. Sam is also utilizing a sniffer located in a subnet that resides deep inside the network. After analyzing the sniffer's logs, he does not see any of the traffic produced by Firewalk. Why is that?

A. Firewalk cannot pass through firewalls.
B. Sam is not seeing any of the Firewalk traffic because it sets all packets with a TTL of one. *
C. He cannot see that traffic because Firewalk sets all packets with a TTL of zero.
D. Firewalk cannot be detected by network sniffers so that is why none of the traffic appears.

3. Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of these servers because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network. Why will this not be possible?

A. Firewalls cannot inspect traffic at all, they can only block or allow certain ports *
B. Firewalls can only inspect outbound traffic
C. Firewalls cannot inspect traffic coming through port 80
D. Firewalls cannot inspect traffic coming through port 443

4. Neil is a network administrator working in Istanbul. Neil wants to set up a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. What type of port will Neil need to set up in order to accomplish this?

A. He should set up a MODS port which will copy all network traffic.
B. He will have to set up an Etherchannel port to get a copy of all network traffic to the analyzer.
C. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer.
D. Neil will need to set up a SPAN port that will copy all network traffic to the protocol analyzer. *

5. Korhan was brought in as a consultant for Theason Brothers, a securities broker in the US. He has been tasked with scanning the company's network to try and find weaknesses. The company has a Windows Active Directory network. What tool can Korhan use to enumerate items from their Active Directory?

A. Korhan can use Jxplorer to enumerate LDAP.
B. He can use Enum4 to enumerate information from their Active Directory.
C. Korhan can use LDAPxplorer to enumerate their Active Directory. *
D. He can use the tool OpUtils.

6. Neil is a network administrator who has just run the rdisk /s command to grab the backup SAM file on a computer running Windows XP. Where should Neil navigate to on the computer to find the file?

A. He should navigate to %systemroot%\system32\LSA
B. He should navigate to %systemroot%\repair *
C. He needs to go to %systemroot%\LSA
D. Neil will need to go to %systemroot%\system32\drivers\etc

7. Joseph the Hacker breaks into Hackcme Corporation's Linux system and plants a wiretap (keylogging) program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a trojan in one of the network utilities. Joseph is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. Running "ifconfig -a" produces the following:

# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255
        ether 8:0:20:9c:a2:35

What can Joseph do to hide the wiretap program from being detected by the ifconfig command?

A. You cannot disable Promiscuous mode detection on Linux systems
B. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information from being displayed on the console *
C. Run the wiretap program in stealth mode from being detected by the ifconfig command
D. Block output to the console whenever the user runs ifconfig command by running screen capture utility

8. James runs a Nessus scan against an IP range in a remote office and can see some hosts are listening on ports 1521, 3938, and 5540. What can James deduce from these listening ports?

A. Tlisrv uses ports 1521, 3938, 5540 as well as others.
B. These ports are used exclusively by Microsoft SQL server.
C. It is evident that MySQL is running on these hosts.
D. James can deduce that Oracle is running from these listening ports. *

9. Trevor is a security analyst and he wants to ensure his company's external website is secure. Trevor needs to perform a Google search that will look for scripts that will let a hacker upload files, which would then in turn allow them to execute programs on the file server. What Google search would accomplish this?

A. related:inurl ( default.cfm | default.asp | default.php | default.cgi | default.jsp | default.pl )
B. "index of /" ( upload.cfm | upload.asp | upload.php | upload.cgi | upload.jsp | upload.pl )
C. "upload /" ( default.cfm | default.asp | default.php | default.cgi | default.jsp | default.pl )
D. related:inurl ( upload.cfm | upload.asp | upload.php | upload.cgi | upload.jsp | upload.pl ) *

10. You are footprinting an organization and gathering competitive intelligence. You visit the company's website for contact information and telephone numbers but do not find them listed there. You know they had the entire staff directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve information from a website that is outdated?

A. Visit Google's search engine and view the cached copy
B. Visit Archive.org web site to retrieve the Internet archive of the company's website *
C. Crawl the entire website and store them into your computer
D. Visit the company's partners' and customers' websites for this information

11. In the context of password security: a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration. If you would use both brute force and dictionary combined together to have variations of words, what would you call such an attack?

A. Full Blown Attack
B. Thorough Attack
C. BruteDict Attack
D. Hybrid Attack *

12. Simon is the network security administrator for his company, a marketing firm based in London. Soon after arriving at work one day, Simon is sent an alert from one of the company's web servers running Tripwire. The alert says that a user account, SalesMgr, attempted to run a Perl script called Eventlog.pl. Simon quickly checks out his logs that track user creation and he notices that this SalesMgr user account was only created an hour ago. Simon calls his boss to ask about the identified user account. According to his boss, neither he nor any of the other IT personnel created the account. Simon then quickly disables the SalesMgr user account on the network and checks all the Tripwire logs that monitor their web server. What was Simon alerted to when he came to work this morning?

A. Simon received a false-positive from Tripwire since Eventlog.pl is an automatically run program on servers. *
B. Simon was alerted of an attempted Vishing attack.
C. He was alerted by Tripwire of a silent-line attack.
D. Simon saw an attacker attempting to daisy chain his way out of the attack.

13. Nathan is the chief security analyst for his company. Nathan is currently performing a security audit of all the software that his company uses. While checking a custom Payroll application, Nathan finds instances of printf/fprint/sprintf, syslog() and setproctitle functions. With these functions, what types of attacks will the program be susceptible to?

A. This program will be susceptible to format string attacks.
B. The Payroll application will be vulnerable to buffer overflow attacks. *
C. SQL injection attacks will be possible to carry out against this application.
D. Those functions, especially the setproctitle function, are open to query string attacks.

14. TCP/IP Session Hijacking is carried out in which OSI layer?

A. Datalink layer
B. Network Layer
C. Physical Layer
D. Transport layer *

15. Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and set up the application. You should change the default settings to secure the system. Which of the following is NOT an example of default installation?

A. Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services
B. Many systems come with default user accounts with well-known passwords that administrators forget to change
C. Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system
D. Enabling port 80 on Web Servers for public access and asking your customers to visit your website

16. What is the following nmap command trying to accomplish?

A. Test ability of a router to handle over-sized packets *
B. Test the ability of a router to handle fragmented packets
C. Test the ability of a WLAN to handle fragmented packets
D. Test the ability of a router to handle under-sized packets

17. Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study engineering but later changed to marine biology after spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies practicing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy critical data knowing fully well that, if caught, she probably would be sent to jail for a very long time. What would Ursula be considered?

A. She would be considered a suicide hacker.
B. Ursula would be considered a gray hat since she is performing an act against illegal activities.
C. Ursula would be considered a black hat.
D. She would be called a cracker.

18. Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called?

A. Information Security Policy (ISP) *
B. Company Compliance Policy (CCP)
C. Penetration Testing Policy (PTP)
D. Information Audit Policy (IAP)

19. Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

A. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch. *
B. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
C. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer.
D. He can send an IP packet with the SYN bit and the source address of his computer.

20. David is a security administrator working in Boston. David has been asked by the office's manager to block all POP3 traffic at the firewall because he believes employees are spending too much time reading personal email. How can David block POP3 at the firewall?

A. David can block port 110 to block all POP3 traffic. *
B. David can block all EHLO requests that originate from inside the office.
C. David can block port 125 at the firewall.
D. David can stop POP3 traffic by blocking all HELO requests that originate from inside the office.

22. David is scanning his internal subnets to see how many hosts are online and what ports they are listening on. David finds a host at 192.168.100.44 which responds to a ping. He performs a UDP scan on port 25, but the host does not respond. What can David infer from this response?

A. Port 25 is open on the 192.168.100.44 host. *
B. The host at 192.168.100.44 is a Microsoft Exchange Server.
C. Port 25 is closed on the 192.168.100.44 host.
D. Port 25 is in shadow mode on the 192.168.100.44 host.

24. Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

A. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
B. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
C. He can send an IP packet with the SYN bit and the source address of his computer.
D. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer.

25. What is the following command trying to accomplish?

A. Verify that TCP port 445 is open for the 172.16.0.0 network *
B. Verify that Netbios is running for the 172.16.0.0 network
C. Verify that UDP port 445 is open for the 172.16.0.0 network
D. Verify that UDP port 445 is closed for the 172.16.0.0 network
