Q1. Identify SQL injection attack from the HTTP requests shown below:
A. http://www.victim.com/example?accountnumber=67891&creditamount=999999999
B. http://www.xsecurity.com/cgiin/bad.cgi?foo=..%fc%80%80%80%80%af../bin/ls%20-al
C. http://www.myserver.com/search.asp?lname=smith%27%3bupdate%20usertable%20set%20pass wd%3d%27hAx0r%27%3b--%00
D. http://www.myserver.com/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.yourser ver.c0m%2fbadscript.js%22% 3e%3c%2fscript%3e
Answer: C
Explantion: The correct answer contains the code to alter the usertable in order to change the password for user smith to hAx0r
Q2. One of your team members has asked you to analyze the following SOA record. What is the version?
Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.
A. 200303028
B. 3600
C. 604800
D. 2400
E. 60
F. 4800
Answer: A
Explanation: The SOA starts with the format of YYYYMMDDVV where VV is the version.
Q3. Which of the following is true of the wireless Service Set ID (SSID)? (Select all that apply.)
A. Identifies the wireless network
B. Acts as a password for network access
C. Should be left at the factory default setting
D. Not broadcasting the SSID defeats NetStumbler and other wireless discovery tools
Answer: AB
Q4. In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately unauthorized users are still able to connect to the wireless network.
Why do you think this is possible?
A. Bob forgot to turn off DHCP.
B. All access points are shipped with a default SSID.
C. The SSID is still sent inside both client and AP packets.
D. Bob’s solution only works in ad-hoc mode.
Answer: B
Explanation: All access points are shipped with a default SSID unique to that manufacturer, for example 3com uses the default ssid comcomcom.
Q5. During the intelligence gathering phase of a penetration test, you come across a press release by a security products vendor stating that they have signed a multi-million dollar agreement with the company you are targeting. The contract was for vulnerability assessment tools and network based IDS systems. While researching on that particular brand of IDS you notice that its default installation allows it to perform sniffing and attack analysis on one NIC and caters to its management and reporting on another NIC. The sniffing interface is completely unbound from the TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing interfaces?
A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.
B. Send your attack traffic and look for it to be dropped by the IDS.
C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the network.
D. The sniffing interface cannot be detected.
Answer: D
Explanation: When a Nic is set to Promiscuous mode it just blindly takes whatever comes through to it network interface and sends it to the Application layer. This is why they are so hard to detect. Actually you could use ARP requests and Send them to every pc and the one which responds to all the requests can be identified as a NIC on Promiscuous mode and there are some very special programs that can do this for you. But considering the alternatives in the question the right answer has to be that the interface cannot be detected.
Q6. You have discovered that an employee has attached a modem to his telephone line and workstation. He has used this modem to dial in to his workstation, thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. What can you do to solve this problem?
A. Install a network-based IDS
B. Reconfigure the firewall
C. Conduct a needs analysis
D. Enforce your security policy
Answer: D
Explanation: The employee was unaware of security policy.
Q7. You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.
What should be the next logical step that should be performed?
A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
D. Rescan every computer to verify the results.
Answer: C
Explanation: As ICMP is blocked you’ll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems.
Q8. Attackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this?
A. RST flag scanning
B. FIN flag scanning
C. SYN flag scanning
D. ACK flag scanning
Answer: D
Q9. Microsoft Authenticode technology is used for:
A. Digital Signing Activex controls
B. Digitally signing SSL Certificates
C. Digitally Signing JavaScript Files
D. Digitally Signing Java Applets
Answer: A
Explanation: Authenticode identifies the publisher of signed software and verifies that it hasn't been tampered with, before users download software to their PCs. As a result, end users can make a more informed decision as to whether or not to download code. Authenticode relies on digital certificates and is based on specifications that have been used successfully in the industry for some time, including Public Key Cryptography Standards (PKCS) #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and Secure Hash Algorithm (SHA) and MD5 hash algorithms.
Q10. Dave has been assigned to test the network security of Acme Corp. The test was announced to the employees. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a sand clock to mark the progress of the test. Dave successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access. How was security compromised and how did the firewall respond?
A. The attack did not fall through as the firewall blocked the traffic
B. The attack was social engineering and the firewall did not detect it
C. The attack was deception and security was not directly compromised
D. Security was not compromised as the webpage was hosted internally
Answer: B
Explanation: This was just another way to trick the information out of the users without the need to hack into any systems. All traffic is outgoing and initiated by the user so the firewall will not react.