GSNA Exam - GIAC Systems and Network Auditor

certleader.com


NEW QUESTION 1

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. John is working as a root user on the Linux operating system. He is configuring the Apache Web server settings. He does not want the commands being used in the settings to be stored in the history. Which of the following commands can he use to disable history?

  • A. history !!
  • B. set +o history
  • C. history !N
  • D. set -o history

Answer: B

Explanation:

According to the scenario, John can use the set +o history command to disable history. Answer D is incorrect. John cannot use the set -o history command to accomplish his task. This command is used to enable disabled history. Answer A is incorrect. John cannot use the history !! command to accomplish his task. This command is used to see the most recently typed command. Answer C is incorrect. John cannot use the history !N command to accomplish his task. This command is used to display the Nth history command.

NEW QUESTION 2

You work as a Network Administrator for Infosec Inc. Nowadays, you are facing unauthorized access in your Wi-Fi network. Therefore, you analyze a log that has been recorded by your favorite sniffer, Ethereal. You are able to discover the cause of the unauthorized access after noticing the following string in the log file: (Wlan.fc.type_subtype eq 32 and llc.oui eq 0x00601d and llc.pid eq 0x0001). When you find 'All your 802.11b are belong to us' as the payload string, you are convinced about which tool is being used for the unauthorized access. Which of the following tools have you ascertained?

  • A. AiroPeek
  • B. AirSnort
  • C. Kismet
  • D. NetStumbler

Answer: D

Explanation:

NetStumbler, a war driving tool, uses an organizationally unique identifier (OUI) of 0x00601d and a protocol identifier (PID) of 0x0001. Each version has a typical payload string. For example, NetStumbler 3.2.3 has a payload string: 'All your 802.11b are belong to us'. Therefore, when you see the OUI and PID values, you discover that the attacker is using NetStumbler, and when you see the payload string, you are able to ascertain that the attacker is using NetStumbler 3.2.3.

NEW QUESTION 3

Which of the following commands can you use to search a string 'pwd' in all text files without opening them? (Choose two)

  • A. vi
  • B. grep
  • C. sed
  • D. locate

Answer: BC

Explanation:

sed and grep are the two commands that can be used to search a specified string in all text files without opening them. sed is a stream editor that is used to perform basic text transformations on an input stream (a file or input from a pipeline).

NEW QUESTION 4

Choose the benefits of deploying switches over hubs in your infrastructure. (Choose two)

  • A. Layer 2 switches allow for the creation of Virtual LANs providing options for further segmentation and security.
  • B. Switches lower the number of collisions in the environment.
  • C. Switches create an environment best suited for half duplex communication
  • D. This improves network performance and the amount of available bandwidth.
  • E. Layer 2 switches increase the number of broadcast domains in the environment.

Answer: AB

Explanation:

Switches differ from hubs in that they break up Collision Domains. Each port on a switch equals one Collision Domain. Therefore, a switch will lower the number of collisions within the infrastructure. Managed switches typically offer the ability to create Virtual LANs. Virtual LANs allow the switch to create multiple LANs/network segments that are Virtual. This allows the switch to create additional environments where needed.

NEW QUESTION 5

On which of the following does a CGI program execute?

  • A. Router
  • B. Web server
  • C. Client
  • D. Client and Web server

Answer: B

Explanation:

The Common Gateway Interface (CGI) specification is used for creating executable programs that run on a Web server. CGI defines the communication link between a Web server and Web applications. It gives a network or Internet resource access to specific programs. For example, when users submit an HTML form on a Web site, CGI is used to pass this information to a remote application for processing, and retrieve the results from the application. It then returns these results to the user by means of an HTML page. Answer A is incorrect. CGI programs do not execute on routers.

NEW QUESTION 6

You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IP-based network. You have configured a firewall on the network. A filter has been applied to block all the ports. You want to enable sending and receiving of emails on the network. Which of the following ports will you open? (Choose two)

  • A. 25
  • B. 20
  • C. 80
  • D. 110

Answer: AD

Explanation:

In order to enable email communication, you will have to open ports 25 and 110. Port 25 is used by SMTP to send emails. Port 110 is used by POP3 to receive emails.

NEW QUESTION 7

Which of the following tools combines two programs, and also encrypts the resulting package in an attempt to foil antivirus programs?

  • A. Tiny
  • B. NetBus
  • C. Trojan Man
  • D. EliteWrap

Answer: C

Explanation:

The Trojan Man is a Trojan wrapper that not only combines two programs, but also encrypts the resulting package in an attempt to foil antivirus programs.

NEW QUESTION 8

You work as a Software Developer for Mansoft Inc. You create an application and use it to create users as members of the local Users group. Which of the following code snippets imperatively demands that the current user is a member of the local Users group?

  • A. System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); PrincipalPermission MyPermission = new PrincipalPermission(null, @"BUILTIN\Users", true); MyPermission.Demand();
  • B. PrincipalPermission MyPermission = new PrincipalPermission(null, @"BUILTIN\Users", true); MyPermission.Demand();
  • C. System.AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); PrincipalPermission MyPermission = new PrincipalPermission(null, @"Users", true); MyPermission.Demand();
  • D. PrincipalPermission MyPermission = new PrincipalPermission(null, @"Users", true); MyPermission.Demand();

Answer: AC

Explanation:

The PrincipalPermission class allows security checks against the active principal. This is done by using the language constructs that are defined for both imperative and declarative security actions. To perform an imperative security demand for membership in a built-in Microsoft Windows group, you must first set the default principal policy to the Windows principal by calling the SetPrincipalPolicy (PrincipalPolicy.WindowsPrincipal) statement. Construct a PrincipalPermission object specifying the group name. To specify the group name, you can provide just the group name, or you can preface the group name with either "BUILTIN\" or the computer name and a backslash. Finally, call the PrincipalPermission.Demand method. There is another method of identifying group membership, i.e. by using the PrincipalPermission class or the PrincipalPermissionAttribute attribute derived from the System.Security.Permissions namespace. The PrincipalPermission object identifies that the identity of the active principal should match its information with the identity information that is passed to its constructor. The identity information contains the user's identity name and role.

NEW QUESTION 9

You work as a Network Administrator for XYZ CORP. The company has a Windows-based network. You have been assigned the task to design the authentication system for the remote users of the company. For security purposes, you want to issue security tokens to the remote users. The token should work on the one-time password principle and so once used, the next password gets generated. Which of the following security tokens should you issue to accomplish the task?

  • A. Virtual tokens
  • B. Event-based tokens
  • C. Bluetooth tokens
  • D. Single sign-on software tokens

Answer: B

Explanation:

An event-based token, by its nature, has a long life span. They work on the one-time password principle and so once used, the next password is generated. Often the user has a button to press to receive this new code via either a token or via an SMS message. All CRYPTOCard's tokens are event-based rather than time-based. Answer C is incorrect. Bluetooth tokens are often combined with a USB token, and hence work in both a connected and disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If the Bluetooth is not available, the token must be inserted into a USB input device to function. Answer A is incorrect. Virtual tokens are a new concept in multi-factor authentication first introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token generation process between the Internet website and the user's computer and have the advantage of not requiring the distribution of additional hardware or software. In addition, since the user's device is communicating directly with the authenticating website, the solution is resistant to man-in-the-middle attacks and similar forms of online fraud. Answer D is incorrect. Single sign-on software tokens are used by the multiple, related, but independent software systems. Some types of single sign-on (SSO) solutions, like enterprise single sign-on, use this token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.

NEW QUESTION 10

The Security Auditor's Research Assistant (SARA) is a third generation network security analysis tool. Which of the following statements are true about SARA? (Choose two)

  • A. It operates under Unix, Linux, MAC OS/X, or Windows (through coLinux) OS.
  • B. It cannot be used to perform exhaustive XSS tests.
  • C. It cannot be used to perform SQL injection tests.
  • D. It supports plug-in facility for third party apps.

Answer: AD

Explanation:

The Security Auditor's Research Assistant (SARA) is a third generation network security analysis tool. It has the following functions: It operates under Unix, Linux, MAC OS/X, or Windows (through coLinux) OS. It integrates the National Vulnerability Database (NVD). It can be used to perform SQL injection tests. It can be used to perform exhaustive XSS tests. It can be adapted to multiple firewalled environments. It supports remote self scan and API facilities. It is used for CIS benchmark initiatives. It also supports plug-in facility for third party apps. It supports CVE standards. It works as an enterprise search module. It works in both standalone or demo mode. Answer C is incorrect. SARA can be used to perform SQL injection tests. Answer B is incorrect. SARA can be used to perform exhaustive XSS tests.

NEW QUESTION 11

Mark works as a Network Administrator for We-are-secure Inc. He finds that the We-are-secure server has been infected with a virus. He presents to the company a report that describes the symptoms of the virus. A summary of the report is given below: This virus has a dual payload, as the first payload of the virus changes the first megabyte of the hard drive to zero. Due to this, the contents of the partition tables are deleted and the computer hangs. The second payload replaces the code of the flash BIOS with garbage values. This virus spreads under the Portable Executable File Format under Windows 95, Windows 98, and Windows ME. Which of the following viruses has the symptoms as the one described above?

  • A. I Love You
  • B. Nimda
  • C. Chernobyl
  • D. Melissa

Answer: C

Explanation:

The Chernobyl (CIH) virus is a good example of a dual payload virus. Since the first payload of the virus changes the first megabyte of a computer's hard drive to zero, the contents of the partition tables are deleted, resulting in the computer hanging. The second payload of CIH replaces the code of the flash BIOS with garbage values so that the flash BIOS is unable to give a warning, the end result being that the user is incapable of changing the BIOS settings. CIH spreads under the Portable Executable file format under Windows 95, Windows 98, and Windows ME.
Answer A is incorrect. The I LOVE YOU virus is a VBScript virus in which a victim gets an email attachment titled as "I Love You" with an attachment file named as "Love-Letter-For-You.txt.vbs". When the victim clicks on this attachment, the virus script infects the victim's computer. The virus first scans system's memory for passwords, which are sent back to the virus' creator. In the next step, the virus replicates itself and sends its copy to each address in the victim's Outlook address book. Finally, the virus corrupts files with extensions .vbs, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp2, and .mp3 by overwriting them with a copy of itself. Answer D is incorrect. The Melissa virus infects Word 97 documents and the NORMAL.DOT file of Word 97 and Word 2000. This macro virus resides in word documents containing one macro named as "Melissa". The Melissa virus has the ability to spread itself very fast by using an e-mail. When the document infected by the Melissa virus is opened for the first time, the virus checks whether or not the user has installed Outlook on the computer. If it finds the Outlook, it sends e-mail to 50 addresses from the address book of the Outlook. This virus can spread only by using the Outlook. This virus is also known as W97M/Melissa, Kwyjibo, and Word97.Melissa. Answer B is incorrect. Nimda is a mass mailing virus that spreads itself in attachments named README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users. Nimda uses the Unicode exploit to infect IIS Web servers.

NEW QUESTION 12

You work as a Java Programmer for JavaSkills Inc. You are working with the Linux operating system. Nowadays, when you start your computer, you notice that your OS is taking more time to boot than usual. You discuss this with your Network Administrator. He suggests that you mail him your Linux bootup report. Which of the following commands will you use to create the Linux bootup report?

  • A. touch bootup_report.txt
  • B. dmesg > bootup_report.txt
  • C. dmesg | wc
  • D. man touch

Answer: B

Explanation:

According to the scenario, you can use dmesg > bootup_report.txt to create the bootup file. With this command, the bootup messages that dmesg would otherwise display are redirected to bootup_report.txt by the > redirection operator.

NEW QUESTION 13

Which of the following tools can be used to read NetStumbler's collected data files and present street maps showing the logged WAPs as icons, whose color and shape indicates WEP mode and signal strength?

  • A. Kismet
  • B. StumbVerter
  • C. WEPcrack
  • D. NetStumbler

Answer: B

Explanation:

The StumbVerter tool is used to read NetStumbler's collected data files and present street maps showing the logged WAPs as icons, whose color and shape indicates WEP mode and signal strength. Answer C is incorrect. WEPcrack is a wireless network cracking tool that exploits the vulnerabilities in the RC4 Algorithm, which comprises the WEP security parameters. Answer A is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Answer D is incorrect. NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. It detects wireless networks and marks their relative position with a GPS.

NEW QUESTION 14

Which of the following statements are true about a hot site?

  • A. It is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data.
  • B. It is the most inexpensive backup site.
  • C. It can be used within an hour for data recovery.
  • D. It is cheaper than a cold site but more expensive than a warm site.

Answer: AC

Explanation:

A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. A hot site can be used within an hour for data recovery. The capacity of the hot site may or may not match the capacity of the original site depending on the organization's requirements. This type of backup site is the most expensive to operate. Hot sites are popular with organizations that operate real time processes such as financial institutions, government agencies, and ecommerce providers. the original site. A cold site is the most inexpensive type of backup site for an organization to operate since it does not include backed up copies of data and information from the original location of the organization, nor does it include hardware already set up. A warm site is, quite logically, a compromise between hot and cold in terms of resources and cost.

NEW QUESTION 15

John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He is working on the Linux operating system. He wants to sniff the we-are-secure network and intercept a conversation between two employees of the company through session hijacking. Which of the following tools will John use to accomplish the task?

  • A. IPChains
  • B. Tripwire
  • C. Hunt
  • D. Ethercap

Answer: C

Explanation:

In such a scenario, John will use Hunt, which is capable of performing both the hacking techniques, sniffing and session hijacking. Answer D is incorrect. Ethercap is a network sniffer and packet generator. It may be an option, but John wants to do session hijacking as well. Hence, he will not use Ethercap. Answer A is incorrect. IPChains is a firewall. Answer B is incorrect. Tripwire is a file and directory integrity checker.

NEW QUESTION 16

In which of the following does a Web site store information such as user preferences to provide customized services to users?

  • A. Protocol
  • B. ActiveX control
  • C. Cookie
  • D. Keyword

Answer: C

Explanation:

A cookie is a small bit of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web application, whenever a user visits a site. Cookies are stored in the memory or hard disk of client computers. A Web site stores information, such as user preferences and settings in a cookie. This information helps in providing customized services to users. There is absolutely no way a Web server can access any private information about a user or his computer through cookies, unless a user provides the information. A Web server cannot access cookies created by other Web servers.
Answer A is incorrect. A protocol is a set of predefined rules that govern how two or more processes communicate and interact to exchange data. Protocols are considered as the building blocks of network communication. Computer protocols are used by communicating devices and software services to format data in a way that all participants understand. It provides a context in which to interpret communicated information. Answer B is incorrect. ActiveX controls are software components that can be integrated into Web pages and applications, within a computer or among computers in a network, to reuse the functionality. Reusability of controls reduces development time of applications and improves program interfaces. They enhance the Web pages with formatting features and animation. ActiveX controls can be used in applications written in different programming languages that recognize Microsoft's Component Object Model (COM). These controls always run in a container. ActiveX controls simplify and automate the authoring tasks, display data, and add functionality to Web pages. Answer D is incorrect. Keywords are important terms used to search Web pages on a particular topic. For example, if a user enters a keyword "Networking" in a search engine form, all Web pages containing the term "Networking" will be displayed.

NEW QUESTION 17

You check performance logs and note that there has been a recent dramatic increase in the amount of broadcast traffic. What is this most likely to be an indicator of?

  • A. Misconfigured router
  • B. DoS attack
  • C. Syn flood
  • D. Virus

Answer: B

Explanation:

There are several denial of service (DoS) attacks that specifically use broadcast traffic to flood a targeted computer. Seeing an unexplained spike in broadcast traffic could be an indicator of an attempted denial of service attack. Answer D is incorrect. Viruses can cause an increase in network traffic, and it is possible for that to be broadcast traffic. However, a DoS attack is more likely than a virus to cause this particular problem. Answer C is incorrect. A syn flood does not cause increased broadcast traffic. Answer A is incorrect. A misconfigured router could possibly cause an increase in broadcast traffic. However, as this is a recent problem, the router is unlikely to be the issue.

NEW QUESTION 18

Which of the following commands can be used to format text files?

  • A. wc
  • B. ps
  • C. tail
  • D. pr

Answer: D

Explanation:

The pr command is used to format text files according to the specified options. This command is usually used to paginate or columnate files for printing. Answer B is incorrect. The ps command reports the status of processes that are currently running on a Linux computer. Answer A is incorrect. The wc command is used to count the number of bytes, words, and lines in a given file or in the list of files. Answer C is incorrect. The tail command is used to display the last few lines of a text file or piped data.
