Q1. Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabilities and see whether it might be susceptible to a DoS attack that results in it locking up. The IP address of the Cisco switch is 172.16.0.45. What command can Charlie use to attempt this task?
A. Charlie can use the command: ping -l 56550 172.16.0.45 -t.
B. Charlie can try using the command: ping 56550 172.16.0.45.
C. By using the command ping 172.16.0.45, Charlie would be able to lock up the router.
D. He could use the command: ping -4 56550 172.16.0.45.
Answer: A
Q2. You want to perform an advanced SQL injection attack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these attacks?
A. System services
B. EXEC master access
C. xp_cmdshell
D. RDC
Answer: C
Q3. You are having problems retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open.
Which one of the following statements is probably true?
A. The systems have all ports open.
B. The systems are running a host based IDS.
C. The systems are web servers.
D. The systems are running Windows.
Answer: D
Explanation: The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned, and a null scan to an open port results in no response. Unfortunately, Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows, as they choose not to respond at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows.
Q4. Network Intrusion Detection systems can monitor traffic in real time on networks.
Which one of the following techniques can be very effective at avoiding proper detection?
A. Fragmentation of packets.
B. Use of only TCP based protocols.
C. Use of only UDP based protocols.
D. Use of fragmented ICMP traffic only.
Answer: A
Explanation: If the default fragmentation reassembly timeout is set higher on the client than on the IDS, then it is possible to send an attack in fragments that will never be reassembled in the IDS but will be reassembled and read on the client computer acting as the victim.
Q5. The network administrator at Spears Technology, Inc has configured the default gateway Cisco Router’s access-list as below:
You are trying to conduct security testing on their network. You successfully brute-force the SNMP community string using an SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection.
You want to retrieve the Cisco Configuration from the router. How would you proceed?
A. Send a customized SNMP set request with a spoofed source IP address in the range 192.168.1.0
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
D. Use the Cisco’s TFTP default password to connect and download the configuration file
Answer: AB
Explanation: SNMP is allowed only by access-list 1. Therefore you need to spoof a 192.168.1.0/24 address and then sniff the reply from the gateway.
Q6. Which of the following Trojans would be considered 'Botnet Command Control Center'?
A. YouKill DOOM
B. Damen Rock
C. Poison Ivy
D. Matten Kit
Answer: C
Q7. Steven, a security analyst for XYZ associates, is analyzing packets captured by Ethereal on a Linux Server inside his network when the server starts to slow down tremendously. Steven examines the following Ethereal captures:
A. Smurf Attack
B. ARP Spoofing
C. Ping of Death
D. SYN Flood
Answer: A
Explanation: A perpetrator is sending a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding.
Topic 9, Social Engineering
303. Your boss at ABC.com asks you what the three stages of Reverse Social Engineering are.
A. Sabotage, Advertising, Assisting
B. Sabotage, Advertising, Covering
C. Sabotage, Assisting, Billing
D. Sabotage, Advertising, Covering
Q8. In Trojan terminology, what is required to create the executable file chess.exe as shown below?
A. Mixer
B. Converter
C. Wrapper
D. Zipper
Answer: C
Q9. In the following example, which of these is the "exploit"?
Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites.
Select the best answer.
A. Microsoft Corporation is the exploit.
B. The security "hole" in the product is the exploit.
C. Windows 2003 Server
D. The exploit is the hacker that would use this vulnerability.
E. The documented method of how to use the vulnerability to gain unprivileged access.
Answer: E
Explanations:
Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, they are creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the "vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and it then becomes an "exploit". In the example given, Windows 2003 Server is the TOE (Target of Evaluation). A TOE is an IT System, product or component that requires security evaluation or is being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.
Q10. On a default installation of Microsoft IIS web server, under which privilege does the web server software execute?
A. Everyone
B. Guest
C. System
D. Administrator
Answer: C
Explanation: If not changed during the installation, IIS will execute as Local System, with privileges that are way too high.