Docsity
Docsity

Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity


Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan


Guidelines and tips
Guidelines and tips

Certified Ethical Hacker. Test 1 2024/2025 verified 100% correct answers, Exams of Computer Networks

Certified Ethical Hacker. Test 1 2024/2025 verified 100% correct answers

Typology: Exams

2023/2024

Available from 06/12/2024

dawit-mwangi
dawit-mwangi 🇺🇸

5

(1)

444 documents

1 / 884

Toggle sidebar

Related documents


Partial preview of the text

Download Certified Ethical Hacker. Test 1 2024/2025 verified 100% correct answers and more Exams Computer Networks in PDF only on Docsity! Certified Ethical Hacker. Test 1 2024/2025 verified 100% correct answers Question 1: Session splicing is an IDS evasion technique that exploits how some IDSs do not reconstruct sessions before performing pattern matching on the data. The idea behind session splicing is to split data between several packets, ensuring that no single packet matches any patterns within an IDS signature. Which tool can be used to perform session splicing attacks? ● tcpsplice ● Burp ● Hydra ● Whisker ● (Correct ) Explanation «Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session splicing attacks.» Did you know that the EC-Council exam shows how well you know their official book? So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I will assume the author of the question found it while copying Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. 
The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'. SOAP has three major characteristics: extensibility (security and WS-Addressing are among the extensions under development) neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP) independence (SOAP allows for any programming model) As an example of what SOAP procedures can do, an application can send a SOAP request to a server that has web services enabled—such as a real-estate price database—with the parameters for a search. The server then returns a SOAP response (an XML-formatted document with the resulting data), e.g., prices, location, features. Since the generated data comes in a standardized machine-parsable format, the requesting application can then integrate it directly. Question 3 : According to the Payment Card Industry Data Security Standard, when is it necessary to conduct external and internal penetration testing? ● At least once a year and after any significant upgrade or modification. ● (Correct) ● At least once every two years and after any significant upgrade or modification. ● At least once every three years or after any significant upgrade or modification. ● At least twice a year or after any significant upgrade or modification. Explanation https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2- 1.pdf?agreement=true&time=1608548545820 According to clause 11.3 of Payment Card Industry Data Security Standard: "Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub- network added to the environment, or a web server added to the environment)." 
Question 4 : ● Inverse TCP flag scanning ● IP Fragmentation Scan ● (Correct) ● TCP Scanning ● ACK flag scanning Explanation https://en.wikipedia.org/wiki/IP_fragmentation_attack IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to partition messages (the service data unit (SDU); typically a packet) from one layer of a network into multiple smaller payloads that can fit within the lower layer's protocol data unit (PDU). Every network link has a maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU plus metadata added at the link-layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an attack vector. Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector. Incorrect answers: ACK scanning https://en.wikipedia.org/wiki/Port_scanner#ACK_scanning Alex, the penetration tester, performs a server scan. To do this, he uses the method where the TCP Header is split into many packets so that it becomes difficult to determine what packages are used for. Determine the scanning technique that Alex uses? 
An exploit kit is simply a collection of exploits, which is a simple one-in-all tool for managing a variety of exploits altogether. Exploit kits act as a kind of repository and make it easy for users without much technical knowledge to use exploits. Users can add their own exploits to it and use them simultaneously apart from the pre-installed ones. Side-Channel Attack https://en.wikipedia.org/wiki/Side-channel_attack A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited. Some side-channel attacks require technical knowledge of the internal operation of the system, although others such as differential power analysis are effective as black-box attacks. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g. through HTTPS or WiFi encryption), according to researchers from Microsoft Research and Indiana University. Which of the following wireless standard has bandwidth up to 54 Mbit/s and signals in a regulated frequency spectrum around 5 GHz? Question 6: ● 802.11i ● 802.11n ● 802.11a ● (Correct) ● 802.11g Explanation https://en.wikipedia.org/wiki/IEEE_802.11#802.11a_(OFDM_waveform) 802.11a, published in 1999, uses the same data link layer protocol and frame format as the original standard, but an OFDM based air interface (physical layer). It operates in the 5 GHz band with a maximum net data rate of 54 Mbit/s, plus error correction code, which yields realistic net achievable throughput in the mid-20 Mbit/s. It has seen widespread worldwide implementation, particularly within the corporate workspace. 
Incorrect answers: 802.11n 802.11n is an amendment that improves upon the previous 802.11 standards; its first draft of certification was published in 2006. The 802.11n standard was retroactively labelled as Wi-Fi 4 by the Wi-Fi Alliance. The standard added support for multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4 GHz and the 5 GHz bands. Support for 5 GHz bands is optional. Its net data rate ranges from 54 Mbit/s to 600 Mbit/s. The IEEE has approved the amendment, and it was published in October 2009. Prior to the final ratification, enterprises were already migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products conforming to a 2007 draft of the 802.11n proposal. 802.11g In June 2003, a third modulation standard was ratified: 802.11g. This works in the 2.4 GHz band (like 802.11b), but uses the same OFDM based transmission scheme as 802.11a. It operates at a maximum physical layer bit rate of 54 Mbit/s exclusive of forward error correction codes, or about 22 Mbit/s average throughput. 802.11g hardware is fully backward compatible with 802.11b hardware, and therefore is encumbered with legacy issues that reduce throughput by ~21% when compared to 802.11a 802.11i https://en.wikipedia.org/wiki/IEEE_802.11i-2004 IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11- 2007 standard. Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. 
For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request. Which of the following is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall? Question 8: ● Session hijacking ● Network sniffing ● Firewalking ● (Correct) ● MITM Explanation https://en.wikipedia.org/wiki/Firewalk_(computing) Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow. Firewalking is the method of determining the movement of a data packet from an untrusted external host to a protected internal host through a firewall. The idea behind firewalking is to determine which ports are open and whether packets with control information can pass through a packet-filtering device. Gathering information about a remote network protected by a firewall can be accomplished using firewalking. One of the uses of firewalking is to determine the hosts present inside the perimeter of the protected network. Another application is to determine the list of ports accessible via a firewall. Incorrect answers: Session Hijacking https://en.wikipedia.org/wiki/Session_hijacking In computer science, session hijacking, sometimes also known as cookie hijacking, exploits a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. It refers to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers. 
The HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or access to the saved cookies on the victim's computer. After successfully stealing appropriate session cookies, an adversary might use the Pass the Cookie technique to perform session hijacking. Cookie hijacking is commonly used against client authentication on the internet. Modern web browsers use cookie protection mechanisms to protect the web from being attacked. Network sniffing https://en.wikipedia.org/wiki/Sniffing_attack Sniffing attack or a sniffer attack, in context of network security, corresponds to theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets). When data is transmitted across networks, if the data packets are not encrypted, the data within the network packet can be read using a sniffer. Using a sniffer application, an attacker can analyze the network and gain information to eventually cause the network to crash or to become corrupted, or read the communications happening across the network. MITM https://en.wikipedia.org/wiki/Man-in-the-middle_attack A man-in-the-middle (MITM) is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. Identify Secure Hashing Algorithm, which produces a 160-bit digest from a message on principles similar to those used in MD4 and MD5? Question 10: ● SHA-1 ● (Correct) ● SHA-3 ● SHA-0 ● SHA-2 Explanation Correct answer: SHA-1 Explanation : https://en.wikipedia.org/wiki/SHA-1 SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long. It was designed by the United States National Security Agency, and is a U.S. 
Federal Information Processing Standard. SHA-1 produces a message digest based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD2, MD4 and MD5 message digest algorithms, but generates a larger hash value (160 bits vs. 128 bits). Incorrect answers: SHA-0 https://en.wikipedia.org/wiki/SHA-1#SHA-0 The original algorithm specification was published in 1993 as the Secure Hash Standard (FIPS PUB 180). This version is known as SHA-0 and soon after the issue was withdrawn by NSA which made the change on it. The change concerned the rotation bits left by n positions and should contribute to greater security. April 17, 1995 it was granted a standard and the version known as SHA-1 (FIPS PUB 180-1). SHA-2 https://en.wikipedia.org/wiki/SHA-2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher. SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. SHA-256 and SHA-512 are novel hash functions computed with 32-bit and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA- 384 are truncated versions of SHA-256 and SHA-512 respectively, computed with different initial values. SHA-512/224 and SHA-512/256 are also truncated versions of SHA-512, but the initial values are generated using the method described in Federal Information Processing Standards (FIPS) PUB 180-4. 
SHA-2 was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard (FIPS). The SHA-2 family of algorithms are patented in US patent 6829355. The United States has released the patent under a royalty-free license. SHA-3 https://en.wikipedia.org/wiki/SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2. SHA-3 is a subset of the broader cryptographic primitive family Keccak (/ˈkɛtʃæk/ or /ˈkɛtʃɑːk/), designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon RadioGatún. Keccak's authors have proposed additional uses for the function, not (yet) standardized by NIST, including a stream cipher, an authenticated encryption system, a "tree" hashing scheme for faster hashing on certain architectures, and AEAD ciphers Keyak and Ketje. Keccak is based on a novel approach called sponge construction.Sponge construction is based on a wide random function or random permutation, and allows inputting ("absorbing" in sponge terminology) any amount of data, and outputting ("squeezing") any amount of data, while acting as a pseudorandom function with regard to all previous inputs. This leads to great flexibility. Question 13 : Which of the following web application attack inject the special character elements "Carriage Return" and "Line Feed" into the user’s input to trick the web server, web application, or user into believing that the current object is terminated and a new object has been initiated? ● Server-Side JS Injection. ● Log Injection. ● CRLF Injection. ● (Correct) ● HTML Injection. Explanation CRLF refers to the special character elements "Carriage Return" and "Line Feed." These elements are embedded in HTTP headers and other software code to signify an End of Line (EOL) marker. 
Many internet protocols, including MIME (e- mail), NNTP (newsgroups) and, more importantly, HTTP, use CRLF sequences to split text streams into discrete elements. Web application developers split HTTP and other headers based on where CRLF is located. Exploits occur when an attacker is able to inject a CRLF sequence into an HTTP stream. By introducing this unexpected CRLF injection, the attacker is able to maliciously exploit CRLF vulnerabilities in order to manipulate the web application's functions. A more formal name for CRLF injection is Improper Neutralization of CRLF Sequences. Because CRLF injection is frequently used to split HTTP responses, it can also be designated as HTTP Response Splitting or Improper Neutralization of CRLF Sequences in HTTP Headers. Question 14 : ● ICMP scanning. ● ACK scanning. ● IPID scanning. ● SYN/FIN scanning using IP fragments. ● (Correct) Explanation SYN/FIN scanning using IP fragments is a process of scanning that was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification. Incorrect answers: ICMP scanning The Internet Control Message Protocol (ICMP) is like the TCP protocol; both support protocols in the internet protocol suite. ICMP is used for checking live systems; ping is the most well-known utility that uses ICMP requests. Its principle is very simple—ICMP scanning sends requests to hosts and waits for an echo request to check whether the system is alive. 
ACK scanning ACK scanning is one of the more unusual scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is Elon plans to make it difficult for the packet filter to determine the purpose of the packet when scanning. Which of the following scanning techniques will Elon use? especially good when attempting to probe for the existence of a firewall and its rulesets. IPID scanning https://en.wikipedia.org/wiki/Idle_scan Idle scans take advantage of predictable Identification field value from IP header: every IP packet from a given source has an ID that uniquely identifies fragments of an original IP datagram; the protocol implementation assigns values to this mandatory field generally by a fixed value (1) increment. Because transmitted packets are numbered in a sequence you can say how many packets are transmitted between two packets that you receive. An attacker would first scan for a host with a sequential and predictable sequence number (IPID). The latest versions of Linux, Solaris, OpenBSD, and Windows Vista are not suitable as zombie, since the IPID has been implemented with patches that randomized the IPID. Computers chosen to be used in this stage are known as "zombies". Once a suitable zombie is found the next step would be to try to establish a TCP connection with a given service (port) of the target system, impersonating the zombie. It is done by sending a SYN packet to the target computer, spoofing the IP address from the zombie, i.e. with the source address equal to zombie IP address. If the port of the target computer is open it will accept the connection for the service, responding with a SYN/ACK packet back to the zombie. The zombie computer will then send a RST packet to the target computer (to reset the connection) because it did not actually send the SYN packet in the first place. Since the zombie had to send the RST packet it will increment its IPID. 
This is how an attacker would find out if the target's port is open. The attacker will send another packet to the zombie. If the IPID is incremented only by a step then the attacker would know that the particular port is closed. The method assumes that zombie has no other interactions: if there is any message sent for other reasons between the first interaction of the attacker with the zombie and the second interaction other than RST message, there will be a false positive. 3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD; 4. The resolver then requests the .com TLD; 5. The TLD server then responds with the IP address of the domain’s nameserver, example.com; 6. Lastly, the recursive resolver sends a query to the domain’s nameserver; 7. The IP address for example.com is then returned to the resolver from the nameserver; 8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially; Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can request the web page: 9. The browser makes an HTTP request to the IP address; 10. The server at that IP returns the webpage to be rendered in the browser. NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. And if this port is blocked, then a problem arises already in the first step. But the ninth step is performed without problems. Question 17: Which of the following options represents a conceptual characteristic of an anomaly- based IDS over a signature-based IDS? ● Requires vendor updates for a new threat. ● Can identify unknown attacks. ● (Correct) ● Cannot deal with encrypted network traffic. ● Produces less false positives. 
Explanation https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.[3] Other techniques used to detect anomalies include data mining methods, grammar-based methods, and the Artificial Immune System. Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host- based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level. 
Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD. Question 19: Victor, a white hacker, received an order to perform a penetration test from the company "Test us". He starts collecting information and finds the email of an employee of this company in free access. Victor decides to send a letter to this email, changing the original email address to the email of the boss of this employee, "boss@testus.com". He asks the employee to immediately open the "link with the report" and check it. An employee of the company "Test us" opens this link and infects his computer. Thanks to these manipulations, Viktor gained access to the corporate network and successfully conducted a pentest. What type of attack did Victor use? ● Eavesdropping ● Social engineering ● (Correct) ● Tailgating ● Piggybackin g Explanation https://en.wikipedia.org/wiki/Social_engineering_(security) Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises. 
Incorrect answers: Tailgating and Piggybacking are the same thing Tailgating, sometimes referred to as piggybacking, is a physical security breach in which an unauthorized person follows an authorized individual to enter a secured premise. Tailgating provides a simple social engineering-based way around many security mechanisms one would think of as secure. Even retina scanners don't help if an employee holds the door for an unknown person behind them out of misguided courtesy. People who might tailgate include disgruntled former employees, thieves, vandals, mischief-makers, and issues with employees or the company. Any of these can disrupt business, cause damage, create unexpected costs, and lead to further safety issues. Eavesdropping https://en.wikipedia.org/wiki/Eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Since the beginning of the digital age, the term has also come to hold great significance in the world of cybersecurity. The question does not specify at what level and how this attack is used. An attacker can eavesdrop on a conversation or use special software and obtain information on the network. There are many options, but this is not important because the correct answer is clearly not related to information interception. Identify the standard by the description: A regulation contains a set of guidelines that everyone who processes any electronic data in medicine should adhere to. It includes information on medical practices, ensuring that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to secure patient data. 
Question 20: ● COBIT ● ISO/IEC 27002 ● HIPAA ● (Correct) ● FISMA Explanation Correct answer: HIPAA Explanation : https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts. Question 21: Which of the following command-line flags set a stealth scan for Nmap? ● -sT ● -sS ● (Correct) ● -sM ● -sU Explanatio n https://nmap.org/book/synscan.html TCP SYN (Stealth) Scan (-sS) SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between open, closed, and filtered states. 
Incorrect answers: -sU https://nmap.org/book/scan-methods-udp-scan.html UDP Scan (-sU) While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. -sM https://nmap.org/book/scan-methods-maimon-scan.html TCP Maimon Scan (-sM) The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scan, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD- derived systems simply drop the packet if the port is open. -sT https://nmap.org/book/scan-methods-connect- scan.html TCP Connect Scan (-sT) TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. 
Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt. This and the FTP bounce scan (the section called “TCP FTP Bounce Scan (-b)”) are the only scan types available to unprivileged users.

Question 22: What best describes two-factor authentication for a credit card (using a card and PIN)?
● Something you have and something you know. (Correct)
● Something you know and something you are.
● Something you have and something you are.
● Something you are and something you remember.
Explanation
Two-factor authentication, or 2FA, is a user identity verification method in which two of the three possible authentication factors are combined to grant access to a website or application: 1) something the user knows, 2) something the user has, or 3) something the user is.
The possible factors of authentication are:
· Something the User Knows: This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge, the user must provide information that matches the answers previously provided to the organization by that user, such as “Name the town in which you were born.”
· Something the User Has: This involves entering a one-time password generated by a hardware authenticator. Users carry around an authentication device that will generate a one-time password on command. Users then authenticate by providing this code to the organization. Today, many organizations offer software authenticators that can be installed on the user’s mobile device.
· Something the User Is: This third authentication factor requires the user to authenticate using biometric data. This can include fingerprint scans, facial scans, behavioral biometrics, and more.
For example: in internet security, the most commonly used factors of authentication are something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is two-factor authentication.
Two-factor authentication is also sometimes referred to as strong authentication, Two-Step Verification, or 2FA.

Cookie Tampering
Cookies are files on a user's computer which allow a web application to store information that is subsequently used to identify returning users. Actions by a user or user-specific settings for an application are also stored in cookies. Cookie tampering can be used for attacks such as session hijacking, where cookies with session identification information are stolen or modified by an attacker.
XSS Reflection
https://en.wikipedia.org/wiki/Cross-site_scripting#Non-persistent_(reflected)
Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into an outside website's contents. When a victim views an infected page on the website, the victim’s browser executes the injected code. Consequently, the attacker has bypassed the browser’s same-origin policy and can steal private information from a victim associated with the website.
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables malicious scripts' execution. The vulnerability is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application’s functions and the activation of malicious scripts.
To distribute the malicious link, a perpetrator typically embeds it into an email or third-party website (e.g., in a comment section or social media). The link is embedded inside an anchor text that provokes the user to click on it, which initiates the XSS request to an exploited website, reflecting the attack back to the user.
SQL injection
https://en.wikipedia.org/wiki/SQL_injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g., to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Question 24: Which regulation defines security and privacy controls for all U.S. federal information systems except those related to national security?
● NIST-800-53 (Correct)
● PCI-DSS
● EU Safe Harbor
● HIPAA
Explanation
Correct answer: NIST-800-53
https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53
https://nvd.nist.gov/800-53
NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost-effective programs to protect their information and information systems.
Incorrect answers:
PCI-DSS
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

Question 26: Which of the following can be designated as "Wireshark for CLI"?
● John the Ripper
● tcpdump (Correct)
● nessus
● ethereal
Explanation
https://www.tcpdump.org/
Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.
https://www.wireshark.org/
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
Incorrect answers:
Nessus
https://www.tenable.com/
Nessus is a program for automatically searching for known flaws in the protection of information systems. It is able to detect the most common types of vulnerabilities, for example:
· Availability of vulnerable versions of services or domains;
· Configuration errors (for example, no need for authorization on the SMTP server);
· The presence of default passwords, blank, or weak passwords.
The program has a client-server architecture, which greatly expands the scanning capabilities.
Ethereal: the project was renamed Wireshark in May 2006 due to trademark issues.
John the Ripper
https://en.wikipedia.org/wiki/John_the_Ripper
John the Ripper is a free password cracking software tool.

Question 27: Which of the following methods is best suited to protect confidential information on your laptop, which could be stolen while travelling?
● BIOS password.
● Full disk encryption. (Correct)
● Password protected files.
● Hidden folders.
Explanation
https://en.wikipedia.org/wiki/Disk_encryption#Full_disk_encryption
The best solution of all the above options is full disk encryption, as it provides the highest security. Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults.
The following are some benefits of disk encryption:
· Nearly everything, including the swap space and the temporary files, is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, the bootstrapping code cannot be encrypted, however. For example, BitLocker Drive Encryption leaves an unencrypted volume to boot from, while the volume containing the operating system is fully encrypted.
· With full disk encryption, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
· Immediate data destruction, such as simply destroying the cryptographic keys (crypto-shredding), renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.

Question 30: You make a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions. What type of attack are you trying to perform?
● Chosen-plaintext attack
● Known-plaintext attack
● Ciphertext-only attack
● Adaptive chosen-plaintext attack (Correct)
Explanation
An adaptive chosen-plaintext attack is a chosen-plaintext attack scenario in which the attacker has the ability to choose the inputs to the encryption function based on the previous chosen-plaintext queries and their corresponding ciphertexts. The scenario is clearly more powerful than the basic chosen-plaintext attack but is probably less practical in real life since it requires the interaction of the attacker with the encryption device.
Incorrect answers:
Chosen-plaintext attack
https://en.wikipedia.org/wiki/Chosen-plaintext_attack
A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. The goal of the attack is to gain information that reduces the security of the encryption scheme.
Modern ciphers aim to provide semantic security, also known as ciphertext indistinguishability under chosen-plaintext attack, and are therefore by design generally immune to chosen-plaintext attacks if correctly implemented.
Ciphertext-only attack
https://en.wikipedia.org/wiki/Ciphertext-only_attack
A ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks, the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext. Standard protocol data and messages are commonly part of the plaintext in many deployed systems and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems.
Known-plaintext attack
https://en.wikipedia.org/wiki/Known-plaintext_attack
A known-plaintext attack (KPA) is an attack model for cryptanalysis where the attacker has access to both the plaintext (called a crib) and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and codebooks.

Question 31: Which of the following is the type of violation when an unauthorized individual enters a building following an employee through the employee entrance?
● Pretexting.
● Announced.
● Reverse Social Engineering.
● Tailgating. (Correct)
Explanation
The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a restricted area that lacks the proper authentication.
The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates a delivery driver loaded down with packages and waits until an employee opens their door. The attacker asks that the employee hold the door, bypassing the security measures in place (e.g., electronic access control).
Incorrect answers:
Pretexting
The term pretexting indicates the practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the recipient into giving up information. Attackers leveraging this specific social engineering technique adopt several identities they have created. This habit could expose their operations to the investigations conducted by security experts and law enforcement.
Reverse Social Engineering

Question 33: Which of the following SQL injection attack outcomes allows an attacker to deface a web page or modify or add data stored in a database, compromising data integrity?
● Compromised Data Integrity. (Correct)
● Loss of data availability.
● Unauthorized access to an application.
● Information Disclosure.
Explanation
With a successful attack using SQL injection, an attacker can gain:
Compromised data integrity. As SQL statements are also used to modify or add records, an attacker can use SQL injection to modify or add data stored in a database. This would lead to compromised data integrity.
Unauthorized access to an application. An attacker can successfully bypass an application’s authentication mechanism to have illegitimate access to it.
Information disclosure. An attack could lead to a complete data leakage from the database server.
Loss of data availability. An attacker can delete records from the database server.

Question 34: How does a boot sector virus work?
● Overwrites the original MBR and only executes the new virus code.
● Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR. (Correct)
● Moves the MBR to another location in random-access memory and copies itself to the original location of the MBR.
● Modifies directory table entries to point to the virus code instead of the actual MBR.
Explanation
https://en.wikipedia.org/wiki/Boot_sector#Boot_Sector_Viruses
Boot sector viruses are among the oldest forms of computer virus. At PC startup, such a virus infects the boot sector of floppy disks or the Master Boot Record (MBR); some instead infect the boot sector of the hard disk rather than the MBR. The boot sector contains all the files required to start the operating system and other bootable programs, so the boot sector virus runs and executes its malicious code before any security program, such as your antivirus, starts. When the system is booted from an infected disk, the infected code runs, and it will then rapidly infect other floppy disks. The boot sector virus uses DOS commands while it infects at the BIOS level. Because this virus is located in the boot sector of your hard drive and runs before the operating system begins, it can cause a lot of damage. Each boot sector virus works differently depending on its aim; installing adware or other malware is the most common and generally irritating outcome. Boot sector viruses are most commonly spread using physical media. After it enters a computer, the virus modifies or replaces the existing boot code, and the next time the user boots the PC, the virus is loaded and runs immediately. You can also be infected with a boot sector virus through phishing: an attachment containing boot sector virus code can be sent to your PC.

Question 35: Which of the following tools is a packet sniffer, network detector and IDS for 802.11 (a, b, g, n) wireless LANs?
● Nmap
● Nessus
● Abel
● Kismet (Correct)
Explanation
https://en.wikipedia.org/wiki/Kismet_(software)
Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
Incorrect answers:
Nessus
https://en.wikipedia.org/wiki/Nessus_(software)
Nessus is a remote security scanning tool that scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to access any computer you have connected to a network.
Nmap
https://en.wikipedia.org/wiki/Nmap
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other

Incorrect answers:
Error-based SQLi
In the error-based technique, an attacker tries to insert a malicious query into input fields and gets back an error regarding SQL syntax or the database. For example, an SQL syntax error looks like this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘‘VALUE’’. The error message gives information about the database used and where the syntax error occurred in the query. The error-based technique is the easiest way to find SQL injection.
UNION SQLi
When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database.
This results in an SQL injection UNION attack. The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.
For a UNION query to work, two key requirements must be met:
· The individual queries must return the same number of columns.
· The data types in each column must be compatible between the individual queries.
To carry out an SQL injection UNION attack, you need to ensure that your attack meets these two requirements.
Out-of-band SQLi
The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques. Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed. These techniques count on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.

Question 37: Philip, a cybersecurity specialist, needs a tool that can function as a network sniffer, record network activity, and prevent and detect network intrusion. Which of the following tools is suitable for Philip?
● Nmap
● Nessus
● Snort (Correct)
● Cain & Abel
Explanation
https://en.wikipedia.org/wiki/Snort_(software)
Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013.
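Returning to the UNION SQLi explanation above: the following Python is an added example, not part of the original material. It builds a constructed in-memory SQLite database, shows the concatenated query beside its parameterized fix, and demonstrates the "same number of columns" requirement by letting the database reject a mismatched UNION; table names, rows and placeholder hashes are assumptions.

```python
"""UNION-based SQL injection: a vulnerable lookup beside its parameterized fix.

Added example, not part of the original page. It uses an in-memory SQLite
database with constructed tables to show the two UNION requirements from the
explanation above (same column count, compatible types) and why binding the
search term as a parameter, rather than concatenating it, removes the issue.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public products table and a users table
    that a product search should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        INSERT INTO products VALUES ('widget', '9.99'), ('gadget', '19.99');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('alice', 'HASH_PLACEHOLDER_1'),
                                 ('bob',   'HASH_PLACEHOLDER_2');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """Builds the statement by string concatenation, so the search term is
    parsed as SQL text (the defect the explanation describes)."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """Parameterized query: the driver passes the term as a value, never as SQL."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


# Search term that appends a second SELECT with the same column count (2).
UNION_TERM = "x' UNION SELECT username, password_hash FROM users --"
# Same idea with only one column: violates the first UNION requirement.
MISMATCHED_TERM = "x' UNION SELECT username FROM users --"


def union_column_count_enforced(conn: sqlite3.Connection) -> bool:
    """True if the database rejects a UNION whose SELECTs differ in column
    count, which is the requirement the explanation calls out."""
    try:
        search_vulnerable(conn, MISMATCHED_TERM)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal term, vulnerable:", search_vulnerable(db, "widget"))
    print("normal term, safe:      ", search_safe(db, "widget"))
    print("union term, vulnerable: ", search_vulnerable(db, UNION_TERM))
    print("union term, safe:       ", search_safe(db, UNION_TERM))
    print("column count enforced:  ", union_column_count_enforced(db))
```

The parameterized version returns no rows for the crafted term because the whole string is compared against product names as data.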
Snort's open-source network-based intrusion detection/prevention system (IDS/IPS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.
Snort can be configured in three main modes:
1. sniffer,
2. packet logger, and
3. network intrusion detection.
Sniffer Mode
The program will read network packets and display them on the console.
Packet Logger Mode
In packet logger mode, the program will log packets to the disk.
Network Intrusion Detection System Mode

FTP uses port 21 and port 20. TCP traffic destined to port 21 and port 20 is denied and everything else is explicitly permitted.
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any

Question 39: Which one of the following Google search operators allows restricting results to those from a specific website?
● [cache:]
● [site:] (Correct)
● [inurl:]
● [link:]
Explanation
https://ahrefs.com/blog/google-advanced-search-operators/
site: Limit results to those from a specific website.
Incorrect answers:
inurl: Find pages with a certain word (or words) in the URL. For this example, any results containing the word “apple” in the URL will be returned.
link: Find pages linking to a specific domain or URL. Google killed this operator in 2017, but it does still show some results; they likely aren’t particularly accurate, though.
cache: Returns the most recent cached version of a web page (providing the page is indexed, of course).

Question 40: John needs to choose a firewall that can protect against SQL injection attacks. Which of the following types of firewalls is suitable for this task?
● Web application firewall. (Correct)
● Stateful firewall.
● Packet firewall.
● Hardware firewall.
Explanation
https://en.wikipedia.org/wiki/Web_application_firewall
A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.
Incorrect answers:
Stateful firewall
https://en.wikipedia.org/wiki/Stateful_firewall
A stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature often used in non-commercial and business networks.
Packet firewall
A packet filtering firewall is a network security technique that is used to control data flow to and from a network. It is a security mechanism that allows the movement of packets across the network and controls their flow on the basis of a set of rules, protocols, IP addresses, and ports.

Question 42: Maria conducted a successful attack and gained access to a Linux server. She wants to ensure that the NIDS will not catch the subsequent outgoing traffic from this server in the future. Which of the following is the best way to avoid detection by the NIDS?
● Alternate Data Streams.
● Protocol Isolation.
● Encryption. (Correct)
● Out of band signaling.
Explanation
https://www.techrepublic.com/article/avoid-these-five-common-ids-implementation-errors/
When the NIDS encounters encrypted traffic, the only analysis it can perform is packet-level analysis, since the application layer contents are inaccessible. Given that exploits against today’s networks are primarily targeted against network services (application layer entities), the packet-level analysis ends up doing very little to protect our core business assets.

Question 43: Black hat hacker Ivan wants to implement a man-in-the-middle attack on the corporate network. For this, he connects his router to the network and redirects traffic to intercept packets. What can the administrator do to mitigate the attack?
● Add message authentication to the routing protocol. (Correct)
● Use only static routes in the corporation's network.
● Redirection of the traffic is not possible without the explicit admin's confirmation.
● Use the Open Shortest Path First (OSPF).
Explanation
The area most open to attack is often the routing systems within your enterprise network. Because of some of the sniffing-based attacks, an enterprise routing infrastructure can easily be attacked with man-in-the-middle and other attacks designed to corrupt or change the routing tables, with the following results:
· Traffic redirection: enabling the attacker to modify traffic in transit or sniff packets;
· Traffic sent to a routing black hole: the attacker can send specific routes to null0, effectively kicking IP addresses off the network;
· Router denial-of-service (DoS): attacking the routing process can crash the router or cause severe service degradation;
· Routing protocol DoS: similar to the attack previously described against a whole router, a routing protocol attack could be launched to stop the routing process from functioning properly;
· Unauthorized route prefix origination: this attack aims to introduce a new prefix into the routing table that shouldn't be there. The attacker might do this to get a covert attack network to be routable throughout the victim network.
There are four primary attack methods for these attacks:
· Configuration modification of existing routers;
· Introduction of a rogue router that participates in routing with legitimate routers;
· Spoofing a valid routing protocol message or modifying a valid message in transit;
· Sending of malformed or excess packets to a routing protocol process.
These four attack methods can be mitigated in the following ways:
· To counter configuration modification of existing routers, you must secure the routers. This includes not only the configuration of the router but also the supporting systems it makes use of, such as TFTP servers.
· Anyone can attempt to introduce a rogue router, but to cause damage, the attacker needs the other routing devices to believe the sent information. This can most easily be blocked by adding message authentication to your routing protocol. Additionally, the routing protocol message types can be blocked by ACLs from networks with no need to originate them.
· Message authentication can also help prevent the spoofing or modification of a valid routing protocol message. In addition, the transport layer protocol (such as TCP for BGP) can further complicate message spoofing because of the difficulty in guessing pseudo-random initial sequence numbers (assuming a remote attacker).
· Excess packets can be stopped through the use of traditional DoS mitigation techniques. Malformed packets, however, are nearly impossible to stop without the participation of the router vendor. Only through exhaustive testing and years of field use do routing protocol implementations correctly deal with most malformed messages. This is an area of computer security that needs increased attention, not just in routing protocols but in all network applications.
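The message-authentication mitigation for Question 43, carried through as an added example that is not part of the original material: a router accepts a routing update only when its HMAC verifies under the shared key and its sequence number is fresh, so the rogue-router, modified-in-transit and replay cases above are all rejected. The update format, key values and sequence check are constructed for the example; real protocols such as OSPF cryptographic authentication differ in detail.

```python
"""Message authentication for routing updates, as a defense against rogue routers.

Added example, not part of the original page. A router accepts an update only
if it carries a valid HMAC computed with a key shared by the legitimate
routers, so an update from a rogue router (no key), a message modified in
transit, or a replayed old message is discarded. The update format, key
values and sequence-number check are constructed for this example.
"""
import hashlib
import hmac
import json
from typing import Dict

SHARED_KEY = b"constructed-shared-key"  # known to legitimate routers only
ROGUE_KEY = b"constructed-rogue-key"    # whatever a rogue router might use


def _canonical(body: Dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(body: Dict, key: bytes) -> Dict:
    """Attach an HMAC-SHA256 tag computed over the update body."""
    signed = dict(body)
    signed["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return signed


class Router:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.routes: Dict[str, str] = {}      # prefix -> next hop
        self.last_seq: Dict[str, int] = {}    # origin -> highest seq accepted

    def accept_update(self, msg: Dict) -> bool:
        """Install routes only from authenticated, fresh updates."""
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False  # wrong key, or body changed after signing
        if body["seq"] <= self.last_seq.get(body["origin"], -1):
            return False  # replay of an update already seen
        self.last_seq[body["origin"]] = body["seq"]
        self.routes.update(body["routes"])
        return True


def run_scenario() -> Dict[str, object]:
    """Legitimate, rogue, tampered and replayed updates against one router."""
    r = Router(SHARED_KEY)
    legit = sign_update({"origin": "R1", "seq": 1,
                         "routes": {"10.1.0.0/16": "192.0.2.1"}}, SHARED_KEY)
    # Rogue router tries to pull the prefix towards its own address.
    rogue = sign_update({"origin": "R1", "seq": 2,
                         "routes": {"10.1.0.0/16": "192.0.2.66"}}, ROGUE_KEY)
    # Valid message altered in transit: the MAC no longer matches the body.
    tampered = dict(legit)
    tampered["routes"] = {"10.1.0.0/16": "192.0.2.66"}
    return {
        "legit": r.accept_update(legit),
        "rogue": r.accept_update(rogue),
        "tampered": r.accept_update(tampered),
        "replayed": r.accept_update(legit),
        "next_hop": r.routes.get("10.1.0.0/16"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```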
Question 46: The attacker tries to take advantage of a vulnerability where the application does not verify whether the user is authorized to access the internal object via its name or key. Which of the following queries best describes an attempt to exploit an insecure direct object reference using the name of the valid account "User 1"?
● "GET /restricted/bank.getaccount('User1') HTTP/1.1 Host: westbank.com"
● "GET /restricted/accounts/?name=User1 HTTP/1.1 Host: westbank.com" (Correct)
● "GET /restricted/goldtransfer?to=Account&from=1 or 1=1' HTTP/1.1 Host: westbank.com"
● "GET /restricted/\r\n\%00account%00User1%00access HTTP/1.1 Host: westbank.com"
Explanation
This question shows a classic example of an IDOR vulnerability. Rob substitutes Ned's name in the "name" parameter, and if the developer has not fixed this vulnerability, Rob will gain access to Ned's account. Below you will find more detailed information about the IDOR vulnerability.
Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. For example, an IDOR vulnerability would happen if the URL of a transaction could be changed through client-side user input to show unauthorized data of another transaction.
Most web applications use simple IDs to reference objects. For example, a user in a database will usually be referred to via the user ID. The same user ID is the primary key to the database column containing user information and is generated automatically. The database key generation algorithm is very simple: it usually uses the next available integer. The same database ID generation mechanisms are used for all other types of database records.
The approach described above is legitimate but not recommended because it could enable the attacker to enumerate all users. If it’s necessary to maintain this approach, the developer must at least make absolutely sure that more than just a reference is needed to access resources. For example, let’s say that the web application displays transaction details using the following URL:
https://www.example.com/transaction.php?id=74656
A malicious hacker could try to substitute the id parameter value 74656 with other similar values, for example:
https://www.example.com/transaction.php?id=74657
The 74657 transaction could be a valid transaction belonging to another user. The malicious hacker should not be authorized to see it. However, if the developer made an error, the attacker would see this transaction, and hence we would have an insecure direct object reference vulnerability.

Question 47: Which of the following incident handling process phases is responsible for defining rules, training employees, creating backups, and preparing software and hardware resources before an incident occurs?
● Containment
● Identification
● Recovery
● Preparation (Correct)
Explanation
1. Preparation
Among the most important of all the steps in an incident response plan is the preparation stage. During the preparation phase, organizations should establish policies and procedures for incident response management and enable efficient communication methods both before and after the incident. Employees should be properly trained to address security incidents and their respective roles. Companies need to develop incident response drill scenarios that are practiced regularly and modified as needed based on changes in the environment. All aspects of an incident response plan, including training, software and hardware resources, and execution, should be fully approved and funded before an incident occurs.
2. Identification
The identification phase of an incident response plan involves determining whether or not an organization has been breached.
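The transaction.php?id= scenario from the IDOR explanation in Question 46, as an added example that is not part of the original material: the vulnerable handler returns any object whose id is supplied, while the fixed handler also requires that the object belong to the session user. The in-memory store, sample owners and the choice to answer 404 for both missing and foreign ids are assumptions made for the example.

```python
"""Insecure direct object reference: a lookup without and with an ownership check.

Added example, not part of the original page. It models the
transaction.php?id= scenario from the explanation for Question 46 with a
constructed in-memory store and a "logged-in user" argument standing in for
the session; function names, sample data and the decision to answer 404 for
both missing and foreign objects are choices made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    id: int
    owner: str
    amount: str


# Constructed data: sequential ids, as the explanation says is typical.
TRANSACTIONS: Dict[int, Transaction] = {
    74656: Transaction(74656, "rob", "120.00"),
    74657: Transaction(74657, "ned", "4500.00"),
}

Response = Tuple[int, Optional[Transaction]]


def view_transaction_idor(session_user: str, tx_id: int) -> Response:
    """Vulnerable handler: trusts the id from the request and never asks
    whether it belongs to the caller, so any logged-in user can walk the ids."""
    tx = TRANSACTIONS.get(tx_id)
    return (404, None) if tx is None else (200, tx)


def view_transaction_fixed(session_user: str, tx_id: int) -> Response:
    """Fixed handler: the reference alone is not enough; the object must be
    owned by the session user. Answering 404 for foreign ids also avoids
    confirming that a neighbouring id exists (enumeration)."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != session_user:
        return (404, None)
    return (200, tx)


def list_own_transactions(session_user: str) -> List[int]:
    """Scope the lookup to the caller from the start: only ids the user owns
    are ever offered, so the client has nothing foreign to substitute."""
    return sorted(tx.id for tx in TRANSACTIONS.values() if tx.owner == session_user)


if __name__ == "__main__":
    # Rob asks for the neighbouring id 74657, which belongs to Ned.
    print("idor :", view_transaction_idor("rob", 74657))
    print("fixed:", view_transaction_fixed("rob", 74657))
    print("rob's own ids:", list_own_transactions("rob"))
```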
It is not always clear at first whether a breach or other security incident has occurred. Besides, breaches can originate from a wide range of sources, so it is important to gather details. When determining whether a security incident has occurred, organizations should look at when the event happened, how it was discovered, and who discovered the breach. Companies should also consider how the incident will impact operations, whether other areas have been impacted, and the scope of the compromise.
3. Containment

Question 48: Which of the following is a network software suite designed for 802.11 WEP and WPA-PSK key cracking that can recover keys once enough data packets have been captured?
● wificracker
● Aircrack-ng (Correct)
● Airguard
● WLAN-crack
Explanation
https://en.wikipedia.org/wiki/Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux, FreeBSD, macOS, OpenBSD, and Windows; the Linux version is packaged for OpenWrt and has also been ported to the Android, Zaurus PDA and Maemo platforms; and a proof of concept port has been made to the iPhone.

Question 49: Which of the options presented below is not a Bluetooth attack?
● Bluesmacking
● Bluesnarfing
● Bluejacking
● Bluedriving (Correct)
Explanation
https://github.com/verovaleros/bluedriving
Bluedriving is a Bluetooth wardriving utility. It can capture Bluetooth devices, look up their services, get GPS information and present everything in a nice web page. It can search for and show a lot of information about the device, the GPS address and the historic location of devices on a map. The main motivation of this tool is to research the targeted surveillance of people by means of their cellular phone or car.
With this tool you can capture information about Bluetooth devices and show, on a map, the points where you have seen the same device in the past.
Incorrect answers:
Bluejacking
https://en.wikipedia.org/wiki/Bluejacking
Bluejacking is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs, or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or blue chat) to another Bluetooth-enabled device via the OBEX protocol. Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but it's possible to send images or sounds with modern phones. Bluejacking has been used in guerrilla marketing campaigns to promote advergames. Bluejacking is also confused with Bluesnarfing, which is how mobile phones are illegally hacked via Bluetooth.
NOTE: There are several problems with this option: a) This is not feasible on modern smartphones. It was a long time ago. Why one should know this in 2019-2021 is not clear, even as a simple piece of history. b) This is not an attack at all.
Bluesmacking
One of the older types of attacks against Bluetooth. This attack is a variation of a common attack against networks, devices, and applications known as a Denial-of-service. The specially crafted packet can make a device unusable. This attack works by transmitting a data packet that exceeds the maximum packet size available on Bluetooth devices. The result is that the device cannot process the packet, and the target becomes the victim of a Denial-of-service.
NOTE: Old... but not obsolete.
Bluesnarfing
https://en.wikipedia.org/wiki/Bluesnarfing
The unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs.
This allows access to calendars, contact lists, emails and text messages, and on some phones users can copy pictures and private videos. Both Bluesnarfing and Bluejacking exploit others' Bluetooth connections without their knowledge. While Bluejacking is essentially harmless as it only transmits data to the target device, Bluesnarfing is the theft of information from the target device.

entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, leading to a malware installation, freezing the system as part of a ransomware attack, or revealing sensitive information.
Email Masquerading
A masquerade attack is one where the perpetrator assumes the identity of a fellow network user or co-employee to trick victims into providing user credentials that he/she can then use to gain access to other connected accounts. Threat actors carry out masquerade attacks by stealing username-and-password combinations via phishing and other means, exploiting security weaknesses or vulnerabilities, or bypassing authentication processes. But the attacker always does so from within the organization. A masquerade attacker is comparable to a wolf in sheep's clothing: he/she assumes the identity of someone harmless to gain an unsuspecting victim’s trust.
NOTE: Very similar to spoofing, isn't it? Indeed, but here the situation is a little different; the attacker can not only fake the email header but also, for example, really write on behalf of your friend/boss by gaining access to his/her account. This is a slightly broader concept than spoofing.
Email Harvesting
https://en.wikipedia.org/wiki/Email-address_harvesting
Email harvesting or scraping is the process of obtaining lists of email addresses using various methods. Typically these are then used for bulk email or spam.

Question 52: Which of the following tools is a command-line vulnerability scanner that scans web servers for dangerous files/CGIs?
● Snort
● John the Ripper
● Kon-Boot
● Nikto ● (Correct)
Explanation
https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner)
Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software, and other problems. It performs generic and server-type-specific checks. It also captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to drive the program are not.
Incorrect answers:
Snort
https://www.snort.org/
Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013.
John the Ripper
https://www.openwall.com/john/
John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.
Kon-Boot
https://en.wikipedia.org/wiki/Kon-Boot
Kon-Boot is a software utility that allows users to bypass Microsoft Windows passwords and Apple macOS passwords (Linux support has been deprecated) without lasting or persistent changes to the system on which it is executed. It is also the first reported tool capable of bypassing Windows 10 online (live) passwords and supporting both Windows and macOS systems.

Question 54: Which of the following will allow you to prevent unauthorized network access to local area networks and other information assets by wireless devices?
● AIDS
● WIPS ● (Correct)
● HIDS
● NIDS
Explanation
https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system
A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).
Incorrect answers:
HIDS
https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. This was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.
NIDS
https://en.wikipedia.org/wiki/Intrusion_detection_system#Network_intrusion_detection_systems
Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems. NIDS are also capable of comparing signatures for similar packets to link and drop harmful detected packets which have a signature matching the records in the NIDS. When we classify the design of the NIDS according to the system interactivity property, there are two types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS deals with the network in real-time. It analyses the Ethernet packets and applies some rules to decide if it is an attack or not.
Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or not.
AIDS
Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model. Since these models can be trained according to the applications and hardware configurations, the machine learning based method has a better generalized property in comparison to traditional signature-based IDS. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives: previously unknown legitimate activity may also be classified as malicious. Most existing IDSs suffer from a time-consuming detection process that degrades their performance. An efficient feature selection algorithm makes the classification process used in detection more reliable.

Question 55: Andrew is conducting a penetration test. He is now embarking on sniffing the target network. What is not available for Andrew when sniffing the network?
● Modifying and replaying captured network traffic. ● (Correct)
● Collecting unencrypted information about usernames and passwords.
● Capturing network traffic for further analysis.
● Identifying operating systems, services, protocols and devices.
Explanation
· Identifying operating systems, services, protocols and devices,
· Collecting unencrypted information about usernames and passwords,
· Capturing network traffic for further analysis
are passive network sniffing methods, since with them we only receive information and do not make any changes to the target network. When modifying and replaying the captured network traffic, we are already starting to make changes and actively interact with the network.
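Returning to the insecure direct object reference scenario from the transaction.php question above: the Python below is an added example, not code from the exam or its sources. It places the lookup that trusts the id parameter alone beside one that also checks ownership and logs cross-account attempts; the record store, user names and log sink are constructed here.

```python
# Added example (not from the exam or its sources): an insecure direct object
# reference (IDOR) in a transaction lookup beside the same lookup with an
# ownership check. Record store, user names and log sink are constructed here.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transaction:
    tx_id: int
    owner: str
    amount: float

# Constructed sample records; the ids mirror the transaction.php example.
TRANSACTIONS = {
    74656: Transaction(74656, "alice", 120.00),
    74657: Transaction(74657, "bob", 9800.00),
}

# Constructed sink standing in for the application's security log / SIEM feed.
DENIED_ACCESS_LOG: list = []

class NotFound(Exception):
    """Raised for unknown AND foreign ids, so responses never reveal which ids exist."""

def get_transaction_vulnerable(session_user: str, tx_id: int) -> Transaction:
    """The developer's error: the id taken from the URL is trusted on its own."""
    # session_user is never consulted, so ?id=74657 is served to any logged-in user
    if tx_id not in TRANSACTIONS:
        raise NotFound(tx_id)
    return TRANSACTIONS[tx_id]

def get_transaction(session_user: str, tx_id: int) -> Transaction:
    """Hardened lookup: the record must exist AND belong to the calling session."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != session_user:
        if tx is not None:
            # Real record owned by someone else: log it. A burst of these from
            # one session is the detection signal for id enumeration.
            DENIED_ACCESS_LOG.append({"user": session_user, "tx_id": tx_id})
        raise NotFound(tx_id)  # identical error either way: no oracle for valid ids
    return tx

def safe_lookup(session_user: str, tx_id: int) -> Optional[Transaction]:
    """Convenience wrapper returning None instead of raising."""
    try:
        return get_transaction(session_user, tx_id)
    except NotFound:
        return None
```

The hardened version answers a foreign id and a nonexistent id identically, so the response cannot be used to tell which ids are real, while the denied-access entries give the defender the signal that one session is walking the id space.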