Anda di halaman 1dari 150

CEH Study Guide

The Certified Ethical Hacker certification exam is a standalone certification from EC-Council with the exam code 312-50v8. The certification is targeted at Ethical Hacking professionals involved with hacking fundamentals, footprinting, scanning. The exam covers hacking skills, Linux System Security, Trojans, Web server hacking, and Wireless hacking.
2013 TrainACE / Advanced Security.

www.trainace.com/security
Mike wants to use NMAP to do basic vulnerability scanning. What does NMAP use for protocols such as FTP and HTTP? a. NESSUS scripting engine b. Metasploit scripting engine c. SAINT scripting engine d. NMAP scripting engine Answer: D
39. Q: John is a college student. He is interested in computer security. He wants to gain knowledge about ethical hacking so that he can make information systems secure. In which of the following areas should John acquire expertise in order to fulfill his dream? Each correct answer represents a complete solution. Choose all that apply. a. b. John should have excellent knowledge of computers and their functioning, including programming and networking. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, John must be an expert in dealing with these operating systems. John should be familiar with a number of hardware platforms. John should be an expert in security-related communication and report writing.

c. d.

Explanation: Answer options A, B, C, and D are correct.

According to the scenario, John should have expertise in all the areas listed in the above options. An ethical hacker should have an excellent knowledge of computers and their functioning, including programming and networking. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, an ethical hacker must be an expert in dealing with these operating systems. Ethical hackers should also be familiar with a number of hardware platforms. They should be knowledgeable about security areas and related issues as well.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Routers use "routing" protocols. Which of the following would a router use? (Choose 2) a. UDP b. RIP c. TCP d. BGP e. SMTP Answer: B and D

39. Q: Which of the following classes of hackers describes an individual who uses his computer knowledge for breaking security laws, invading privacy, and making information systems insecure? a. b. c. d. Black Hat White Hat Gray Hat Security providing organizations

Explanation: Answer option A is correct. A Black Hat Hacker is an individual who uses his computer knowledge for breaking security laws, invading privacy, and making information systems insecure.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Hackers are categorized into the following classes:


Black Hat Hackers (Crackers): These are persons who are computer specialists and use their hacking skills to carry out malicious attacks on information systems. Gray Hat Hackers: These are persons who sometimes do not break laws and help to defend a network, but sometimes act as Black Hat Hackers. White Hat Hackers (Ethical Hackers): These are persons who have excellent computer skills and use their knowledge to secure information systems. Security Providing Organizations: Some organizations and communities also provide security to information systems. 39. Q: Which of the following statements is true of vulnerability? a. It is a security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation. b. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome. c. It is an agent that can take advantage of a weakness. d. It is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Explanation: Answer option A is correct. Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Answer options B, C, and D are incorrect. A threat is an indication of a potential undesirable event. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome Vulnerability is an agent that can take the advantage of the weakness.

5. Q: Maria works as a professional Ethical Hacker. She recently has been assigned a project to test the security of www.we-are-secure.com. The company has provided the following information about the infrastructure of its network:

Network diagrams of the we-are-secure infrastructure Source code of the security tools IP addressing information of the we-are-secure network

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Which of the following testing methodologies is we-are-secure.com using to test the security of its network? a. b. c. d. Whitebox Blackbox Graybox Alpha testing

Explanation: Answer option A is correct. According to the scenario, we-are-secure.com is using the whitebox testing technique. Whitebox testing is a testing technique in which an organization provides full knowledge about the infrastructure to the testing team.

Answer option B is incorrect. Blackbox testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. This testing technique is costly and time consuming. Answer option C is incorrect. Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the test engineer is equipped with the knowledge of system and designs test cases or test data based on system knowledge. What is the principle that a party cannot deny its role (i.e. sending a document) in an activity? a. Non-repudiation b. Availability c. Privacy d. Confidentiality Answer: A Microsoft servers (file and print) are often a target of attackers. What are common vulnerabilities? a. XSS b. SQL injection c. missing patches d. weak IVs

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

answer: C 6. Q: Samantha works as an Ethical Hacker for we-are-secure Inc. She wants to test the security of the we-are-secure server for DoS attacks. She sends a large number of ICMP ECHO packets to the target computer. Which of the following DoS attacking techniques is she using to accomplish her task? a. b. c. d. Smurf dos attack Ping flood attack Teardrop attack Land attack

Explanation: Answer option B is correct. According to the scenario, Samantha is using the ping flood attack. In a ping flood attack, an attacker sends a large number of ICMP packets to the target computer.

Answer option A is incorrect. In a smurf DoS attack, the attacker sends a large amount of ICMP echo request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source address of the intended victim. Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot. Answer option D is incorrect. In a land attack, the attacker sends the spoofed TCP SYN packet in which the IP address of the target host is filled in both the source and destination fields Q: Which individuals believe that hacking and defacing web sites can promote social changes?

e. f. g. h.

Hactivists Crackers Script kiddies Phreakers

Explanation: Answer option A is correct. Hactivists are individuals who believe that hacking and defacing web sites can promote social changes.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose. The person who performs the act of hacktivism is known as a hacktivist. A hacktivist uses the same tools and techniques as those used by a hacker. Answer option B is incorrect. Crackers are individuals who use their skill and knowledge for harmful activities. Answer option C is incorrect. Script kiddies are individuals who have little or no programming skills and use freely available hacking software. Answer option D is incorrect. Phreakers are individuals who focus on communication systems to steal information. To limit the possibility of a system being compromised, also referred to as reducing the attack surface, what should your security team do? a. Harvesting b. Hardening c. Scanning d. Windowing answer: B 7. Q: Which of the following statements are true about threats? Each correct answer represents a complete solution. Choose all that apply. a. A threat is a sequence of circumstances and events that allows a human or other agent to cause an information-related misfortune by exploiting vulnerability in an IT product. b. A threat is a potential for violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. c. A threat is a weakness or lack of safeguard that can be exploited by vulnerability, thus causing harm to the information systems or networks. d. A threat is any circumstance or event with the potential of causing harm to a system in the form of destruction, disclosure, modification of data, or denial of service. Explanation: Answer options A, B, and D are correct. A threat is an indication of a potential undesirable event. It refers to a situation in which humans or natural occurrences can cause an undesirable outcome.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

8. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He knows the steps taken by a malicious hacker to perform hacking. What steps are performed in malicious hacking? a. Step 1: Reconnaissance: In this phase, the attacker gathers information about the victim. b. Step 2: Scanning: In this phase, the attacker begins to probe the target for vulnerabilities that can be exploited. c. Step 3: Gaining Access: In this phase, the attacker exploits a vulnerability to gain access into the system. d. Step 4: Maintaining Access: In this phase, the attacker maintains access to fulfill his purpose of entering into the network. e. Step 5:Covering\Clearing Tracks: In this phase, the attacker attempts to cover his tracks so that he cannot be detected or penalized under criminal law. Explanation: The following are the phases of malicious hacking: When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire? A. Layer 3 switch B. Network tap C. Network bridge D. router answer: B

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: John is a malicious attacker. He illegally accesses the server of We-are-secure Inc. He then places a backdoor in the We-are-secure server and alters its log files. Which of the following steps of malicious hacking includes altering the server log files? f. g. h. i. Reconnaissance Maintaining access Gaining access Covering\Clearing tracks

Explanation: Answer option i. is correct. According to the scenario, John has installed a backdoor on the We-are-secure server so that he can have access whenever he wants to log in. This process comes under the Maintaining access phase of malicious hacking. Further, John alters the server's log files, which could give a clue about his malicious intent to the Network Administrator. This process comes under the Covering tracks phase of malicious hacking. if two companies merge what must be done so that each companys Certificate Authority will trust the certificates generated by the other company? a. Cross-certification b. Federated Identity c. Public Key Exchange Authorization d. It cannot be done; a new PKI system will need to be created answer: A Which system of PKI verifies the applicant? a. Certificate Authority b. Registration Authority c. Root CA d. Validation Authority answer: B 9. Q: Which of the following statements correctly defines a script kiddie?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. He is an individual who uses hacking programs developed by others to attack information systems and spoil websites. b. He is an individual who has lost respect and integrity as an employee in any organization. c. He is an individual who breaks communication systems to perform hacking. d. He is an individual who is an expert in various computer fields, such as operating systems, networking, hardware, software, etc. and enjoys the mental challenge of decoding computer programs, solving network vulnerabilities and security threats, etc. Explanation: Answer option A is correct. Answer option B is incorrect. This option defines a disgruntled employee. A disgruntled employee is an individual who has lost respect and integrity as an employee in an organization. Most of the time, he/she has more knowledge than a script kiddie.

10. Q: Which of the following penetration testing phases involves reconnaissance or data gathering? a. b. c. d. Pre-attack phase Attack phase Post-attack phase Out-attack phase

Explanation: Answer option A is correct. The pre-attack phase is the first step for a penetration tester. The pre-attack phase involves reconnaissance or data gathering. It also includes gathering data from Whois, DNS, and network scanning, which help in mapping a target network and provide valuable information regarding the operating system and applications running on the systems Q: Which of the following policies defines the acceptable methods of remotely connecting a system to the internal network? e. f. g. h. Remote access policy Network security policy Computer security policy User Account Policy

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Remote access policy is a document, which outlines and defines acceptable methods of remotely connecting to the internal network Answer option B is incorrect. A network security policy is a generic document that outlines rules for computer network access. It also determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment Answer option C is incorrect. A computer security policy defines the goals and elements of the computer systems of an organization. The definition can be highly formal or informal. Security policies are enforced by organizational policies or security mechanisms. Answer option D is incorrect. The User Account Policy is a type of document, which focuses on the requirements for requesting and maintaining an account on computer systems or networks within an organization. Q: Security is a state of well-being of information and infrastructure in which the possibilities of successful yet undetected theft, tampering, and/or disruption of information and services are kept low or tolerable. Which of the following are the elements of security? Each correct answer represents a complete solution. Choose all that apply. a. Confidentiality b. Authenticity c. Availability d. Integrity e. Non-Repudiation Explanation: Answer options A, B, C, and D are correct. The elements of security are as follows: 1. Confidentiality: It is the concealment of information or resources. 2. Authenticity: It is the identification and assurance of the origin of information. 3. Integrity: It refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. 4. Availability: It refers to the ability to use the information or resources as desired. 5. Non-Repudiation - refers to inability of a sender to disassociate him/herself with a message

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer options B and C are correct.

5. Q: Which of the following is the most common way of performing social engineering attacks? a. b. c. d. Phone Email War driving Session hijacking

Explanation: Answer option A is correct. The phone is the most common way of performing social engineering attacks. Social engineering is the art of convincing people and making them disclose useful information such as account names and passwords. Answer option C is incorrect. War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. Answer option D is incorrect. Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine. During a wireless penetration test, a tester detects an access point using WPA2, which of the following attacks should she use to obtain the key? A. The tester must use the tool airodump-ng to crack it using the ESSID of the network. B. The tester must capture the WPA2 authentication handshake and then crack it. C. The tester must change the MAC address of the wireless network card and then use the AirCrack tool to obtain the key. D. WPA2 cannot be cracked answer: B What is the main reason the use of a stored biometric is vulnerable to an attack? A. The stored biometric data can be stolen and used by an attacker to impersonate the individual identified by the biometric.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

B. A stored biometric is no longer something you have and instead becomes something you are. C. Authentication using a stored biometric compares the original to a copy instead of the original to a copy D. The digital representation of the biometric might not be unique answer: A Which type of scan measures a persons external features through a digital video camera? A. Facial recognition scan B. Retina scan C. Signature dynamics scan D. Iris scan answer: A When creating a new Nessus policy, where would you enable Global Variable Settings? A. Plugins b. General c. Preferences D. Credentials answer: C A pentester enters the following command. What type of scan is this? nmap -N -sS -PO -p 123 192.168.2.25 a. Stealth scan b. intense scan c. idle scan d. Fin scan answer: A

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

A hacker has been successfully modifying the purchase price of several items on your clients web site. What is she using to do this? (The IDS shows no signs of alerts) a. sql injection b. hidden form fields c. XSS d. port scanning answer: B If you are sending specially designed packets to a remote system and analyzing the results what type of scan would this be considered? a. active b. passive c. directive d. bounce answer: A

6. Q: You run the following command in the command prompt: Telnet <IP Address><Port 80> HEAD /HTTP/1.0 <Return> <Return> Which of the following types of information gathering techniques are you using? a. b. c. d. Banner grabbing OS fingerprinting Dumpster diving Port scanning

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running its open ports. Administrators can use this to take inventory of the systems and services on their network. Answer option B is incorrect. OS Fingerprinting is the easiest way to detect the Operating System (OS) of a remote system. OS detection is important because, after knowing the target system's OS, it becomes easier to hack the system. The comparison of data packets that are sent by the target system is done by fingerprinting. The analysis of data packets gives the attacker a hint as to which operating system is being used by the remote system. There are two types of fingerprinting techniques as follows: 1. Active fingerprinting 2. Passive fingerprinting In active fingerprinting, ICMP messages are sent to the target system and the response message of the target system shows which OS is being used by the remote system. In passive fingerprinting, the number of hops reveals the OS of the remote system. Answer option C is incorrect. Dumpster diving is a term that refers to going through someone's trash in an attempt to find out useful or confidential information. Answer option D is incorrect. Port scanning is the first basic step to get the details of open ports on the target system. Port scanning is used to find a hackable server with a hole or vulnerability. A port is a medium of communication between two computers. Every service on a host is identified by a unique 16-bit number called a port.

Q: Which of the following involves changing data prior to or during input to a computer in an effort to commit fraud? e. f. g. h. Eavesdropping Spoofing Wiretapping Data diddling

Explanation: Answer option D is correct. Data diddling involves changing data prior to or during input to a computer in an effort to commit fraud. It also refers to the act of intentionally modifying information, programs, or documentations.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option A is incorrect. Eavesdropping is the process of listening to private conversations. It also includes attackers listening the network traffic. Answer option B is incorrect. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc. In IP spoofing, a hacker modifies packet headers by using someone else's IP address to hide his identity. However, spoofing cannot be used while surfing the Internet, chatting on-line, etc. because forging the source IP address causes the responses to be misdirected. Answer option C is incorrect. Wiretapping is an act of monitoring telephone and Internet conversations by a third party. It is only legal with prior consent. Legalized wiretapping is generally practiced by the police or any other recognized governmental authority. Q: Maria works as a professional Ethical Hacker. She recently got a project to test the security of www.we-are-secure.com. What are three pre-test phases of the attack to test the security of we-are-secure?

Identifying the active system Web server hacking Enumerating the system Session hijacking Placing backdoors Footprinting
Explanation: Following are the three pretest phases of the attack:

Footprinting Identifying the active system Enumerating the system

Placing backdoors, Web server hacking, and session hijacking are the phases of executing attacks. Q: Which of the following tools can a user use to hide his identity? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. War dialer Proxy server IPchains Anonymizer

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

e. Rootkit Explanation: Answer options B, C, and D are correct. A user can hide his identity using any firewall (such as IPChains), a proxy server, or an anonymizer. A proxy server hides the identity of a user's system from the outside world. Instead of creating a connection directly with the remote host, the user's system creates a direct connection with the proxy server, and the proxy server establishes a connection with the remote host to which the user wants to connect. Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. In this manner, it ensures the privacy of the user. IPChains is a linux packet filtering firewall that allows a Network Administrator to ACCEPT, DENY, MASQ, or REDIRECT packets. There are three built-in chains in the IPChains firewall as follows: Note: Each packet passing through the forward chain also passes through both the input and output chains. Answer option A is incorrect. A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems to provide unauthorized access to the system. THC-Scan, ToneLoc, and PhoneSweep are some good examples of war dialer tools. There are various War Dialing tools, such as THC Scan, TeleSweep Secure, ToneLoc, iWar, ShokDial, Visual NetTools, etc. Answer option E is incorrect. A rootkit is a set of tools that take Administrative control of a computer system without authorization by the computer owners and/or legitimate managers. A rootkit requires root access to be installed in the Linux operating system, but once installed, the attacker can get root access at any time. 1. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He begins to perform footprinting and scanning. Which of the following steps do footprinting and scanning include? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. e. Information gathering Determining network range Identifying active machines Finding open ports and applications Enumeration

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer options A, B, C, and D are correct. Fingerprinting services 1. Mapping the network Answer option E is incorrect. In the enumeration phase, the attacker gathers information, such as the network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. The techniques used in this phase are as follows: 1. 2. 3. 4. Obtaining Active Directory information and identifying vulnerable user accounts Discovering NetBIOS names Employing Windows DNS queries Establishing NULL sessions and queries 4. Q: Which of the following is a passive information gathering tool? a. b. c. d. Nmap Whois Snort Ettercap

Explanation: Answer option B is correct. The whois tool is a passive information gathering tool. whois queries are used to determine the IP address ranges associated with clients. A whois query can be run on most UNIX environments. In a Windows environment, the tools, such as WsPingPro and Sam Spade, can be used to perform whois queries. Whois queries can also be executed over the Web from www.arin.net and www.networksolutions.com. Answer option A is incorrect. Nmap is an active information gathering tool. The nmap utility, also commonly known as port scanner, is used to view the open ports on a Linux computer. It is used by the administrators to determine which services are available for external users. Answer option C is incorrect. Snort is an active information gathering tool. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. The three main modes in which Snort can be configured are as follows:

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Sniffer mode: It reads the packets of the network and displays them in a continuous stream on the console. Packet logger mode: It logs the packets to the disk. Network intrusion detection mode: It is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set.

Answer option D is incorrect. Ettercap is an active information gathering tool. Ettercap is a UNIX and Windows tool for computer network protocol analysis and security auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Q: You want to retrieve password files (stored in the Web server's index directory) from various Web sites. Which of the following tools can you use to accomplish the task?

e. f. g. h.

Google Whois Sam spade Nmap

Explanation: Answer option E is correct. You can use Google to retrieve password files (stored in the Web server's index directory) from various Web sites. Google allows the search queries that can search information from the Web server's index directory. Such search technique is known as Google hacking. Q: You see the career section of a company's Web site and analyze the job profile requirements. You conclude that the company wants professionals who have a sharp knowledge of Windows server 2003 and Windows active directory installation and placement. Which of the following steps are you using to perform hacking?

i. j. k. l.

Reconnaissance Scanning Gaining access Covering tracks

Explanation: Answer option A is correct.

When an alert rule is matched in snort, the IDS does which of the following?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

A. Blocks the connection with the source IP address in the packet B. Stops checking rules, sends an alert, and drops the packet C. Continues to evaluate the packet until all rules are checked D. Drops the packet and moves on to the next one answer: C

7. Q: Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. e. Secure protocols Plugins ActiveX controls Java applications JavaScript

Explanation: Answer options A, B, C, D, and E are correct. Anonymizers have the following limitations: 1. HTTPS: Secure protocols such as 'https:' cannot be properly anonymized, as the browser needs to access the site directly to properly maintain secure encryption. 2. Plugins: If an accessed site invokes a third-party plugin, there is no guarantee of an established independent direct connection from the user computer to a remote site. 3. Java: Any Java application accessed through an anonymizer will not be able to bypass the Java security wall. 4. ActiveX: ActiveX applications have almost unlimited access to the user's computer system. 5. JavaScript: The JavaScript scripting language is disabled with URL-based anonymizers.

8. Q: Which of the following statements are true of the TCP/IP model?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Each correct answer represents a complete solution. Choose all that apply. a. It describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. b. It provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed, and received at the destination. c. It is generally described as having five abstraction layers. d. It consists of various protocols present in each layer. Explanation: Answer options A, B, and D are correct. The TCP/IP model is a description framework for computer network protocols. It describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed, and received at the destination. Protocols exist for a variety of different types of communication services between computers. The TCP/IP model is sometimes called the Internet Model or the DoD Model. The TCP/IP model has four unique layers as shown in the image. This layer architecture is often compared with the seven-layer OSI Reference Model. The TCP/IP model and related protocols are maintained by the Internet Engineering Task Force (IETF).

Layer 4 Application The application layer is where programs communicate. Sometimes called the user interface layer because it is an easy way to think about its purpose. This is where web browsers, file sharing software, email, and other user facing software interacts. Encryption and session details are also handled in this layer. Layer 3 Transport In the transport layer, devices negotiate and decide how they will communicate over the network. The devices will decide on communication type (e.g., UDP or TCP), window size, port, error

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

handling, and sequencing. This layer does a large portion of the work in device communications. Layer 2 Internet IP addressing, internetworking, and path determination happen in the internet layer. Routers communicate at this layer to determine the path that a packet will take through a network. Given multiple possibilities, the protocols at this layer will determine the best way for one host to connect to another. Layer 1 Link Based on the type of network in use, the link layer encapsulates the data. For testing purposes this may be in the form of Ethernet, Frame Relay, PPP, HDLC or CDP encapsulation protocols. The protocol selected depends on the physical connection of the devices and the network topology. Answer option C is incorrect. This option is invalid, as TCP/IP model consists of four abstraction layers NOT five.

9. Q: You want to obtain information of a Web server whose IP address range comes in the IP address range used in Brazil. Which of the following registries can be used to get information about Web server IP addresses, reverse DNS, etc? a. b. c. d. RIPE NCC APNIC ARIN LACNIC

Explanation: Answer option D is correct. According to the scenario, you have to get information about Web server IP addresses, reverse DNS, etc. of a Web server situated in Brazil. For this, you will search information in Latin American and Caribbean Internet Addresses Registry (LACNIC). LACNIC is the Regional Internet Registry for the Latin American and Caribbean regions. LACNIC provides number resource allocation and registration services that support the global operation of the Internet. Answer option A is incorrect. The Reseaux IP Europeens Network Coordination Centre (RIPE NCC) is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option B is incorrect. The Asia Pacific Network Information Centre (APNIC) is the Regional Internet Registry for the Asia Pacific region. APNIC provides number resource allocation and registration services that support the global operation of the Internet Answer option C is incorrect. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States. What best defines the principle of least privilege? A. At a minimum, a manager should have all the privileges of his or her employees. B. People lower in the organizations hierarchy should have fewer privileges than people higher in the hierarchy. C. At a minimum, all users should supply a password before accessing a service. D. One should have access only to the data and services that are required to perform ones job. answer: D 10. Q: John works as a System Administrator for uCertify Inc. He is responsible for securing the network of the organization. He is configuring some of the advanced features of the Windows firewall so that he can block a client machine from responding to pings. Which of the following advanced setting types should John change for accomplishing the task? a. b. c. d. ICMP SMTP SNMP UDP

Explanation: Answer option A is correct. According to the scenario, John should change ICMP because it is a protocol that is used when a PING command is issued, received, and responded to. Internet Control Message Protocol (ICMP) is an integral part of IP. It is used to report an error in datagram processing. Answer option B is incorrect. Simple Mail Transfer Protocol (SMTP-25) is a protocol for sending email messages between servers

Answer option C is incorrect. The Simple Network Management Protocol (SNMP-161) allows a monitored device (for example, a router or a switch) to run an SNMP agent. This protocol is used for

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

managing many network devices remotely. Answer option D is incorrect. User Datagram Protocol (UDP) is often used for one-to-many communications, using broadcast or multicast IP datagrams. UDP is a connectionless and unreliable communication protocol. It does not guarantee delivery or verify sequencing for any datagram. UDP provides faster transportation of data between TCP/IP hosts than TCP.

Q: DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received, such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. Which of the following DNS records can indicate the time up to which DNS cache poisoning will be effective? a. b. c. d. MX NS PTR SOA

Explanation: Answer option D is correct.

What is a start of authority (SOA) record?


A start of authority (SOA) record is information stored in a domain name system (DNS) zone about that zone and about other DNS records. A DNS zone is the part of a domain for which an individual DNS server is responsible. Each zone contains a single SOA record.

DNS cache poisoning attack


DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serve them to other users that make the same request. Answer option A is incorrect. An MX record is also known as mail exchanger record in the zone file

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

of Domain Name Server (DNS). MX record associates the domain name to a domain name classified in an address record (A record). Answer option B is incorrect. An NS record or name server record is used to denote the server that is authoritative for a DNS zone. Answer option C is incorrect. PTR record, also known as pointer record, is a record in the Domain Name System (DNS) database that maps an Internet Protocol (IP) address to a host name in the inaddr.arpa domain. PTR records are used to perform reverse DNS lookups. Which of following is an example of two factor authentication? a. fingerprint and smartcard b. username and password c. ID and token d. Iris scan and fingerprint answer A

What is a successful method for protecting a router from potential smurf attacks? A. Disabling port forwarding on the router B. Placing the router in broadcast-only mode C. Disabling the router from accepting broadcast ping messages D. Installing the router in the DMZ answer: C
11. Q: Which of the following tools are used for footprinting? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Traceroute Sam spade Brutus Whois

Explanation: Answer options A, B, and D are correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

The traceroute, sam spade, and whois tools are used for footprinting.

What is TRACEROUTE utility?


TRACEROUTE is a route-tracing utility that displays the path an IP packet takes to reach its destination. It uses Internet Control Message Protocol (ICMP) echo packets to display the Fully Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote host.

Q: Which information can an attacker get after tracerouting any network? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Network topology Trusted routers Firewall locations Web administrator email address

Explanation: Answer options A, B, and C are correct.

What is Google hacking?


Google hacking is a computer hacking technique that uses Google search and other Google applications to find security holes in the configuration and computer code that Web sites use. Google hacking involves using advance operators in the Google search engine to locate specific strings of text within search results. Q: Which of the following is a valid Google searching operator that is used to search a specified file type? e. f. g. h. filetype inurl file type intitle

Explanation: Answer option A is correct. The filetype google search query operator is used to search a specified file type. For example, if you want to search all pdf files having the word hacking, you will use the search query filetype:pdf pdf

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

hacking. Answer option B is incorrect. inurl is used to search a specified text in the URL of Web sites. Answer option C is incorrect. file type is not a valid search operator. Answer option D is incorrect. intitle is used to search a specified text in the title of Web sites. 12. Q: You want to retrieve the default security report of nessus. Which of the following Google search queries will you use? a. b. c. d. filetype:pdf "Assessment Report" nessus filetype:pdf nessus site:pdf nessus "Assessment report" link:pdf nessus "Assessment report"

Explanation: Answer option A is correct. Nessus is a vulnerability scanner. What techniques do vulnerability scanners use? a. Port Scanning b. banner grabbing c. analyzing service responses d. malware analysis answer: C One way to defeat a multi-level security solution is to leak data via A. asymmetric routing B. a covert channel. C. steganography. D. an overt channel answer: B Administrators access their servers through Remote Desktop. How could a hacker exploit this to gain access? a. Capture the LANMAN hashes and crack them with Cain and Abel b. capture the RDP traffic and decode it with Cain and Abel c. Use social engineering to get the domain name of the server d. scan the server to see what ports are open answer: B

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

What is the best defense against privilege escalation vulnerability? A. Require all computers and servers to be patched immediately upon release of new updates. B. Run administrator and applications on least privileges and use a content registry for tracking. C. Run services with least privileged accounts and implement multi-factor authentication D. Periodically review user roles and administrator answer: C Hardware and software devices have been created to emulate computer services, such as web and mail. These can also be used to capture various information. What is being described? a. Core Switch b. Honeypot c. Port Scanner d. Router answer: B 1. Q: You are the Security Consultant and have been hired to check security for a client's network. Your client has stated that he has many concerns but the most critical is the security of Web applications on their Web server. What should be your highest priority now in checking his network? a. b. c. d. Port scanning Setting up IDS Setting up a honey pot Vulnerability scanning

Explanation: Answer option D is correct. Q: If you want to know what services are running on a target and the possible entry points to launch an attack, what will you do? a. Nmap scan b. Ping c. Traceroute d. Banner grabbing Explanation: Answer option A is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

In scanning the DMZ interface on a firewall Nmap reports that port 80 is unfiltered. What type of packet inspection is the firewall using? a. Stateless b. Proxy c. Deep d. Stateful answer: A Which of the following are detective controls? (Choose 2) a. audits b. encryption c. DRP d. CCTV e. two-factor authentication answer: A and D

IPSec can provides for which of the following? a. availability b. non-repudiation c. anti-virus protection d. DDOS protection answer: B The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities? A. The IDS will not distinguish among packets originating from different sources. B. An attacker, working slowly enough, may be able to evade detection by the IDS.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

C. Network packets will be dropped once the volume exceeds the threshold. D. Thresholding disables the IDS ability to reassemble fragmented packets. answer A

Q: Which of the following netcat command switches will you use to telnet a remote host? a. b. c. d. nc -t nc -z nc -g nc -l -p

Explanation: Answer option A is correct. Netcat is a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features: It provides outbound and inbound connections for TCP and UDP ports.

It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters. It is a good port scanner. It contains advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data. It is an optional RFC854 telnet code parser and responder.

The common Netcat switches are as follows:

Command

Description

nc -d

It is used to detach Netcat from the console.

nc -l -p [port]

It is used to create a simple listening TCP port; adding u will put it in UDP mode.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

nc -e [program]

It is used to redirect stdin/stdout from a program.

nc -z

It is used for port scanning.

nc -g or nc -G

It is used to specify source routing flags.

nc -t

It is used for Telnet negotiation.

nc -w [timeout]

It is used to set a timeout before Netcat automatically quits.

nc -v

It is used to put Netcat into verbose mode.

Q: You are brought in as an external consultant to review the results of a vulnerability of an internal scan to be run on website hosting servers. All code has been developed in Java and the team wants to test the code for buffer overflow vulnerabilities with the SAINT scanning tool. When the internal team asks for your opinion, you discourage them from starting this exercise. What is the probable reason for your recommendation? a. b. c. d. An automated vulnerability assessment tool like SAINT is too noisy. Java is not vulnerable to buffer overflow attacks. The vulnerability signatures have to be updated prior to running the scan. The SAINT scanner does not incorporate the new OWASP Top 10 web application scanning policy.

Explanation: Answer option B is correct. Java uses a sandbox to isolate code and is therefore not vulnerable to buffer overflow attacks. Almost all known web servers, application servers, and web application environments are susceptible to buffer overflows, the notable exception being environments written in interpreted languages like Java or Python, which are immune to these attacks (except for overflows in the Interpreter itself). Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

www.we-are-secure.com. He has to ping 500 computers to find out whether these computers are connected to the server or not. Which of the following will he use to ping these computers?

a. b. c. d.

PING TRACEROUTE Ping sweeping NETSTAT

Explanation: Answer option C is correct. The Ping sweeping technique is used to ping a batch of devices and to get the list of active devices. Since it is a time taking and tedious task to ping every address into the network, the ping sweeping technique is used by the attacker. Answer option A is incorrect. The ping command-line utility is used to test connectivity with a host on a TCP/IP-based network. This is achieved by sending out a series of packets to a specified destination host. 2. Q: During the attack process, what method is used to discover what rules are configured on a gateway? a. Firewalking b. Firewalling c. OS Fingerprinting d. Ping Scan Explanation: Answer option A is correct. Firewalking is a technique used to discover what rules are configured on a gateway. Usually packets are sent to the remote host with the exact TTL of the target. Hping2 can also be used for firewalking. What is the process of identifying hosts or services by sending packets into the network perimeter to see which ones get through? A. firewalking B. Banner Grabbing C. Enumerating D. Trace-configuring

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

answer: A Answer option B is incorrect. There is no separate term called Firewalling.

Which of the following statements are true regarding N-tier architecture? (Choose two.) A. The N-tier architecture must have at least one logical layer B. Each layer should exchange information only with the layers above and below it. C. When a layer is changed or updated, the other layers must also be changed D. Each layer must be able to exist on a physically independent system. ANSWER: B, D Q: Which of the following is a technique used to determine which range of IP addresses is mapped to live hosts?

a. b. c. d.

TRACERT utility Ping sweep KisMAC PATHPING

Explanation: Answer option B is correct. Q: You want to determine which protocols a router or firewall will block and which they will pass on to downstream hosts. You want to map out all intermediate routers or hops between a scanning host and the target host. Based upon the results of the scans, you are going to identify which ports are open. The tool displays "A!" when it determines that the metric host is directly behind the target gateway. Which tool are you using for the scan?

a. b. c. d.

Firewalk nmap hping traceroute

Explanation: Answer option A is correct. Answer option C is incorrect. hping is a free packet generator and analyzer for the TCP/IP protocol.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique. 9. Q: You are running an nmap scan to determine which ports are filtered. You send an ACK flag and receive a RST packet for open and closed ports. What kind of nmap scan are you running? a. b. c. d. Null Scan -sN Fin Scan -sF XMAS Scan -sX TCP ACK scan -sA

Explanation: Answer option D is correct. TCP ACK Scan does not determine open/closed ports; instead it determines which ports are filtered/unfiltered. When ACK flag is sent, Open/Closed ports will send RST. Ports that do not send a response are considered Filtered. Answer option A is incorrect. In a NULL Scan, no flags are set on the packet. Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed. Answer option B is incorrect. In Fin Scan, the Fin flag is set on the packet. Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed. Answer option C is incorrect. In XMAS Scan, the FIN, URG, and PSH flags are set on the packet. Target must follow RFC 793. It will receive no response if the port is open or filtered; it will receive RST if the port is closed. Reference: http://nmap.org/

11.

Q: A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides an attacker unauthorized access to a computer. Which of the following tools can an attacker use to perform war dialing? Each correct answer represents a complete solution. Choose two. a. THC-Scan b. ToneLoc c. NetStumbler

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

d. Wingate Explanation: Answer options A and B are correct. THC-Scan and ToneLoc are tools used for war dialing. A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides the attacker unauthorized access to a computer. Q: Which of the following network scanning tools is a TCP/UDP port scanner that works as a ping sweeper and hostname resolver?

a. b. c. d.

SuperScan Nmap Netstat Hping

Explanation: Answer option A is correct. SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the host name of the remote system. Q: Which of the following is the correct sequence of packets to perform the 3-way handshake method? e. f. g. h. SYN, SYN/ACK, ACK SYN, ACK, SYN/ACK SYN, ACK, ACK SYN, SYN, ACK

Explanation: Answer option A is correct. The TCP/IP 3-way handshake method is used by the TCP protocol to establish a connection between a client and the server. It involves three steps: 1. In the first step of the three-way handshake method, a SYN message is sent from a client to the server. 2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the client. 3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is sent from the client to the server. At this point, both the client and server have received an acknowledgment of the TCP connection.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

13. Q: In which of the following scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed? a. TCP FIN b. FTP bounce c. UDP port d. TCP SYN Explanation: Answer option A is correct. In the TCP FIN scanning method, Windows operating systems send only RST packets irrespective of whether the port is open or closed. TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker Q: Which of the following Nmap commands is used to perform a UDP port scan? e. nmap -sU f. nmap -sS g. nmap -sF h. nmap -sN Explanation: Answer option A is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

The nmap -sU command is used to perform a UDP port scan.

Answer option B is incorrect. The nmap -sS command is used to perform stealth scanning.

Answer option C is incorrect. The nmap -sF command is used to perform FIN scanning. Answer option D is incorrect. The nmap -sN command is used to perform TCP NULL port scanning.

14. Q: In which of the following scanning methods does an attacker send SYN packets and then a RST packet? a. TCP FIN scan b. IDLE scan c. TCP SYN scan d. XMAS scan Explanation: Answer option C is correct. In a TCP SYN scan, an attacker sends SYN packets and then a RST packet. TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP connection is never opened. The steps of TCP SYN scanning are as follows: 1. 2. 3. 4. 15. Answer option D is incorrect. Xmas scanning is just the opposite of null scanning. In Xmas Tree scanning, multiple flags( at least FIN, URG and PSH) are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with the RST packet The attacker sends a SYN packet to the target port. If the port is open, the attacker receives the SYN/ACK message. Now the attacker breaks the connection by sending an RST packet. If the RST packet is received, it indicates that the port is closed.

16. Q: In which of the following scanning methods does an attacker send the spoofed IP address to send a SYN packet to the target? a. IDLE b. NULL c. TCP FIN d. XMAS

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. In the IDLE scan method, an attacker sends the spoofed IP address to send a SYN packet to the target. The IDLE scan is initiated with the IP address of a third party; hence, the scan is the only totally stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes difficult to detect the hacker.

What is a sequence number?


A sequence number is a 32-bit number ranging from 1 to 4,294,967,295. When data is sent over the network, it is broken into fragments (packets) at the source and reassembled at the destination system. Each packet contains a sequence number that is used by the destination system to reassemble the data packets in the correct order. Each time a system boots, it has an initial sequence number (ISN), e.g. 1. After every second, the ISN is incremented by 128,000. When the system connects to another system and establishes a connection, the ISN is incremented by 64,000. For example, if a host has the ISN 1,254,332,454 and the host sends one SYN packet, the ISN value will be incremented by 1, i.e., the new ISN will be 1,254,332,455.

Conditions Transfer of SYN packet Transfer of FIN packet Transfer of ACK packet Transfer of SYN/ACK packet Transfer of FIN/ACK packet Passage of 1 second Establishment of one connection

Increment in the ISN Value 1 1 0 1 1 128,000 64,000

17. Q: Which of the following scanning methods is most accurate and reliable, although it is easily detectable and hence avoided by a hacker?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. b. c. d.

TCP SYN/ACK TCP half-open TCP FIN Xmas Tree

Explanation: Answer option A is correct. Although the TCP SYN/ACK connection method is most reliable, it can be easily detected. A hacker should avoid this scanning method Q: Which nmap switch have you used to retrieve as many different protocols as possible being used by the remote host? e. f. g. h. nmap -sO nmap -vO nmap -sT nmap -sS

Explanation: Answer option E is correct. the nmap -sO switch, which is used for IP scanning. The IP protocol scan is used for searching additional IP protocols, such as ICMP, TCP, and UDP. It locates uncommon IP protocols that may be in use on a system.. Answer option F is incorrect. Nmap doesn't permit you to combine the verbose and OS scanning options. It produces this error: Invalid argument to -v: "O" Answer option G is incorrect. The nmap -sT switch is used to perform a TCP full scan. Answer option D is incorrect. The nmap -sS is used to perform a TCP half scan. The attacker sends a SYN packet to the target port. 18. 19. Q: Mark is performing a security assessment of a Web server. He wants to identify a cross-site scripting vulnerability also. Which of the following recommendations can Mark give to correct the vulnerability? a. Inform the Web Administrator to validate all Web application data inputs before processing.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

b. Inform Website users to ensure that cookies are transferred only over secure connections. c. Disable ActiveX support within Web browsers. d. Disable Java applet support within Web browsers. Explanation: Answer option A is correct. The best way to address cross-site scripting vulnerabilities is to validate data input. It will fix occurrences of cross-site scripting on ActiveX controls and Java applets that are downloaded to the client and any vulnerability located on server-side code within the application. Answer option B is incorrect. Disabling cookies is not a countermeasure against cross-site scripting. Answer options C and D are incorrect. XSS vulnerabilities can exist within downloaded Java applets or ActiveX controls, but these controls are executed on the client and will not address the server-side cross-site scripting vulnerability. Q: Which of the following are packet capturing tools? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Aero peek Cain Wireshark Aircrack-ng

Explanation: Answer options A, B, and C are correct. Q: Which of the following is a type of stealth scanning through which the attacker sends a FIN packet to the target port? a. b. c. d. TCP FIN scanning TCP FTP proxy scanning UDP port scanning TCP SYN scanning

Explanation: Answer option A is correct. Port scanning is the process by which an attacker connects to TCP and UDP ports to find the services and applications running on the target system. In port scanning, data packets are sent to a port to gather information about it. The following are Q: You are sending a file to an FTP server. The file will be broken into several pieces of information packets (segments) and will be sent to the server. The file will again be reassembled and

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

reconstructed once the packets reach the FTP server. Which of the following information should be used to maintain the correct order of information packets during the reconstruction of the file? e. f. g. h. Sequence number Acknowledge number Checksum TTL

Explanation: Answer option A is correct. 29. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He performs a Teardrop attack on the we-aresecure server and observes that the server has crashed. Which of the following is the most likely cause of this? a. b. c. d. The we-are-secure server cannot handle the overlapping data fragments. Ping requests at the server are too high. The ICMP packet is larger than 65,536 bytes. The spoofed TCP SYN packet containing the IP address of the target is filled in both the source and destination fields.

Explanation: Answer option A is correct. In such a situation, while performing a Teardrop attack, John sends a series of data packets with overlapping offset field values to the we-are-secure server. As a result, the server is unable to reassemble these packets and is forced to crash, hang, or reboot. Q: Which of the following techniques uses a modem in order to automatically scan a list of telephone numbers?

e. f. g. h.

War dialing Warchalking War driving Warkitting

Explanation: Answer option A is correct. War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, BBS systems, and fax machines. Hackers use the resulting lists for various purposes, hobbyists for exploration, and crackers (hackers that specialize in computer security) for password guessing.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option B is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving. Q: You work as a Database Manager for uCertify Inc. Due to a lot of pending work, you decide to install remote control software on your desktop at work, so that you can work from anywhere in the organization. After installing the remote desktop connection, you connect a modem to a fax line that is not being used yet. As you have no authentication to configure a password for host connection of the remote connection, the remote connection is open for anyone to connect to the remotely controlled host system. Which of the following types of attacks can be performed by an attacker on the remote connection?

i. j. k. l.

War dialing Warchalking War driving Zero-day

Explanation: Answer option A is correct. Q: John works as a contract Ethical Hacker. He has recently got a project to do security checking for www.we-are-secure.com. He wants to find out the operating system of the we-are-secure server in the information gathering step. Which of the following commands will he use to accomplish the task? Each correct answer represents a complete solution. Choose two. m. n. o. p. nmap -v -O 208. 100. 2. 25 nc -v -n 208. 100. 2. 25 80 nc 208. 100. 2. 25 23 nmap -v -O www.we-are-secure.com

Explanation: Answer options A and D are correct. According to the scenario, John will use "nmap -v -O 208. 100. 2. 25" to detect the operating system of the we-are-secure server. Here, -v is used for verbose and -O is used for TCP/IP fingerprinting to guess the remote operating system. John may also use the DNS name of we-are-secure instead of using the IP address of the we-are-secure server. So, he can also use the nmap command "nmap -v -O www.we-are-secure.com ". Q: Which of the following techniques are NOT used to perform active OS fingerprinting?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. ICMP error message quoting Sniffing and analyzing packets Sending FIN packets to open ports on the remote system Analyzing email headers

Explanation: Answer options B and D are correct. Sniffing and analyzing packets and analyzing email headers are some of the techniques used to perform passive OS fingerprinting.

What is email header passive OS fingerprinting?


Email header passive OS fingerprinting is a method by which an attacker can use the email header for remote OS detection. The email header is analyzed to get information about the remote OS. Email headers usually give information about the mail daemon of a remote computer. Since a specific mail daemon is usually used for a particular OS, an attacker can easily guess the OS of the remote computer with the help of the mail daemon information. Answer options A and D are incorrect. ICMP error message quoting and sending FIN packets to open ports on the remote system are some of the techniques used to perform active OS fingerprinting. 29. Q: You have received a file named new.com in your email as an attachment. When you execute this file in your laptop, you get the following message: 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' When you open the file in Notepad, you get the following string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* What step will you take as a countermeasure against this attack? a. b. c. d. Clean up your laptop with antivirus. Do nothing. Traverse to all of your drives, search new.com files, and delete them. Immediately shut down your laptop.

Explanation: Answer option B is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

When you get the new.com file and execute it, the following error message is displayed: 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' This indicates it might be the EICAR virus, which is a test virus to check whether an antivirus is working or not. The EICAR (EICAR Standard Anti-Virus Test File) virus is a file that is used to test the response of computer antivirus (AV) programs. The rationale behind it is to allow people, companies, and antivirus programmers to test their software without having to use a real computer virus that could cause actual damage should the antivirus not respond correctly 30. Q: TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting? a. b. c. d. nmap -O -p nmap -sU -p nmap -sS nmap -sT

Explanation: Answer option A is correct.

Q: Which of the following tools allow you to perform HTTP tunneling? Each correct answer represents a complete solution. Choose all that apply. e. f. g. h. HTTPort Tunneled BackStealth Nikto

Explanation: Answer options A, B, and C are correct. The HTTPort, Tunneled, and BackStealth tools are used to perform HTTP tunneling. Answer option D is incorrect. Nikto is a Web scanner

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: Your company has blocked all the ports via an external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. Which of the following tools will you use to accomplish the task? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. HTTPort Backstealth Nmap BiDiBLAH

Explanation: Answer options A and B are correct. HTTP tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol. . The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicateHTTPort: The HTTPort tool is used to create a transparent tunnel through a proxy server or a firewall. It allows a user to use all sorts of Internet software from behind the proxy. This tool bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. 29. Q: You have been called in as a security consultant to investigate the case of an internal employee who is suspected of doing ftp of sensitive corporate data to a competitor's remote ftp server. The system and network administrators confirm that ftp protocol and ports are disallowed by the firewall. You suspect that the employee is bypassing the firewall by using the following technique. a. IP spoofing b. Tor Proxy Chaining software c. HTTP tunneling Explanation: Answer option C is correct. Answer option A is incorrect. IP-spoofing is when an attacker changes his source address. By forging the header to contain a different address, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send a response back to the forged source address. Answer option B is incorrect. Tor is a network of virtual tunnels connected together and works like a big chained proxy. It masks the identity of the originating computer from the Internet and uses a random set of intermediary nodes to reach the target system.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

30. Q: You configure a rule on your gateway device to block packets from outside of the network that have a source address from inside the network. Which attacks are you trying to protect your network from? a. b. c. d. ARP spoofing IP spoofing Egress filtering DOS attack

Explanation: Answer option B is correct. Packet filtering is one defense against IP spoofing attacks. The gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents from an outside attacker spoofing the address of an internal machine. Answer option A is incorrect. ARP spoofing, also known as ARP cache poisoning or ARP poison routing, is a technique used to attack a local-area network. ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. The attack can only be used on local networks. Answer option C is incorrect. Egress filtering is performed on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines.

1. Q: Brutus is a password cracking tool that can be used to crack the following authentications:

HTTP (Basic Authentication) HTTP (HTML Form/CGI) POP3 (Post Office Protocol v3) FTP (File Transfer Protocol) SMB (Server Message Block) Telnet

Which of the following attacks can be performed by Brutus for password cracking? Each correct answer represents a complete solution. Choose three.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. b. c. d. e.

Brute force attack Dictionary attack Hybrid attack Man-in-the-middle attack Replay attack

Explanation: Answer options A, B, and C are correct. Brutus can be used to perform brute force attacks, dictionary attacks, or hybrid attacks.

Brute force attack


In a brute force attack, the attacker uses software that tries a large number of key combinations in order to get a password. To prevent such attacks, users should create passwords more difficult to guess, e.g., using a minimum of six characters, alphanumeric combinations, lower-upper case combinations, etc. 2. Q: You are a Network Administrator of a TCP/IP network. You are facing DNS resolution problems. Which of the following utilities will you use to diagnose the problem? a. b. c. d. NSLOOKUP PING TRACERT IPCONFIG

Explanation: Answer option A is correct. NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt. This information can be useful for diagnosing and resolving name resolution issues, verifying whether or not the resource records are added or updated correctly in a zone, and debugging other server-related problems.

Q: Which of the following tools can be used to perform tasks such as Windows password cracking, Windows enumeration, and VoIP session sniffing?

a. b. c. d.

Cain L0phtcrack John the Ripper Obiwan

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Cain and Abel is a multipurpose tool that can be used to perform many tasks, such as Windows password cracking, Windows enumeration, and VoIP session sniffing. This password-cracking program can perform the following types of password cracking attacks:

Dictionary attack Brute force attack Rainbow attack Hybrid attack

Answer option B is incorrect. L0phtcrack is a tool that identifies and remediates security vulnerabilities that result from the use of weak or easily guessed passwords. It recovers Windows and Unix account passwords to access user and administrator accounts. Answer option C is incorrect. John the Ripper is a fast password-cracking tool that is available for most versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and Windows NT/2000/XP/2003 LM hashes.

An attacker has captured VOIP traffic on your network. What tool can he use to recreate the conversation from these captured packets. a. HPing b. NMAP c. Cain and Abel d. VOIP-killer answer: C

You have been instructed to open ports on your firewall to allow web and email services. Which ports must you open. (choose 4) a. 80 b. 53 c. 25

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

d. 139 e. 443 f. 21 3. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He notices that UDP port 137 of the We-are-secure server is open. Assuming that the Network Administrator of We-are-secure Inc. has not changed the default port values of the services, which of the following services is running on UDP port 137? a. NetBIOS b. HTTP c. HTTPS d. TELNET Explanation: Answer option A is correct. NetBIOS is a Microsoft service that enables applications on different computers to communicate within a LAN. The default port value of NetBIOS Name Resolution Service is 137/UDP.

Q: In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone file for a domain from a DNS server. The information provided by the DNS zone can help an attacker gather user names, passwords, and other valuable information. To attempt a zone transfer, an attacker must be connected to a DNS server that is the authoritative server for that zone. Besides this, an attacker can launch a Denial of Service attack against the zone's DNS servers by flooding them with a lot of requests. Which of the following tools can an attacker use to perform a DNS zone transfer? Each correct answer represents a complete solution. Choose all that apply.

a. b. c. d.

Host Dig NSLookup DSniff

Explanation: Answer options A, B, and C are correct. An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option D is incorrect. DSniff is a sniffer that can be used to record network traffic. 4. Q: John works as a Security Professional. He is assigned a project to test the security of www.we-are-secure.com. John wants to get information of all network connections and listening ports in numerical form. Which of the following commands will he use? a. b. c. d. netstat -an netstat -e netstat -r netstat -s

Explanation: Answer option A is correct. According to the scenario, John will use the netstat -an command to accomplish the task. The netstat -an command is used to get information of all network connections and listening ports in numerical form. Answer option B is incorrect. The netstat -e command displays Ethernet information. Answer option C is incorrect. The netstat -r command displays routing table information. Answer option D is incorrect. The netstat -s command displays per-protocol statistics. By default, statistics are shown for TCP, UDP, and IP. 5. Q: Which of the following can be the countermeasures to prevent NetBIOS NULL session enumeration in Windows 2000 operating systems? Each correct answer represents a complete solution. Choose all that apply. a. Disabling TCP port 139/445 b. Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface c. Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value RestrictAnonymous d. Denying all unauthorized inbound connections to TCP port 53 Explanation: Answer options A, B, and C are correct. NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

1. Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator. 2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface. 3. A Network Administrator can also restrict the anonymous user by editing the registry values: a. Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA. b. Choose edit > add value. Value name: RestrictAnonymous Data Type: REG_WORD Value: 2 Answer option D is incorrect. TCP port 53 is the default port for DNS zone transfer. Although disabling it can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure against NetBIOS NULL session enumeration.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

6. Q: You have just installed a Windows 2003 server. What action should you take regarding the default shares? a. b. c. d. Disable them. Disable them only if this is a domain server. Make them hidden shares. Leave them, as they are needed for Windows Server operations.

Explanation: Answer option A is correct. Default shares should be disabled, unless they are absolutely needed. They pose a significant security risk by providing a way for an intruder to enter your machine. Q: Which of the following is an attempt to give false information or to deny that a real event or transaction should have occurred?

a. b. c. d.

A DDoS attack A repudiation attack A reply attack A dictionary attack

Explanation: Answer option B is correct. A repudiation attack is an attempt to give false information or to deny that a real event or transaction should have occurred. Answer option A is incorrect. In a distributed denial of service (DDOS) attack, the attacker uses multiple computers throughout the network that it has previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. Answer option C is incorrect. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. Answer option D is incorrect. A dictionary attack is a type of password guessing attack. This type of

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. 7. Q: You work as a Network Administrator for Infonet Inc. The company's network has an FTP server. You want to secure the server so that only authorized users can access it. What will you do to accomplish this? a. b. c. d. Disable anonymous authentication. Enable anonymous authentication. Stop the FTP service on the server. Disable the network adapter on the server.

Explanation: Answer option A is correct. You will have to disable anonymous authentication. This will prevent unauthorized users from accessing the FTP server. Using this method, a user can establish a Web connection to the IIS server without providing a username and password. Q: You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000 Server operating system. You want to harden the security of the server. Which of the following changes are required to accomplish this? Each correct answer represents a complete solution. Choose two.

a. b. c. d.

Enable the Guest account. Remove the Administrator account. Rename the Administrator account. Disable the Guest account.

Explanation: Answer options C and D are correct. A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration? A. Enable null session pipes B. Remove A records for internal hosts. C. Allow full DNS zone transfers to non-authoritative servers D. Reject all email received via POP3

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

answer: B

Q: John works as a professional Ethical Hacker. He has been assigned a project for testing the security of www.we-are-secure.com. He runs an SNMP scanner named snmpbulkwalk to send SNMP requests to multiple IP addresses. He tries different community strings and waits for a reply. However, he does not get any response. Which of the following statements may be valid reasons for getting no response? Each correct answer represents a complete solution. Choose all that apply. a. The target system is unreachable due to low Internet connectivity. b. The target system has stopped SNMP services. c. John is searching for Public and Private community strings, but the Network administrator has changed their default names. d. The target system is using SNMP version 2, which cannot be scanned by snmpbulkwalk. Explanation: Answer options A, B, and C are correct. What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack? A. Injecting parameters into a connection string using semicolons as a separator B. Adding multiple parameters with the same name in HTTP requests C. Inserting malicious Javascript code into input parameters D. adding a single quote after a URP answer: A

What is snmpwalk?
The SNMP application snmpwalk retrieves SNMP GETNEXT requests to query a network entity for a tree of information. The command syntax for SNMP is as follows: Q: Which of the following statements are true about SNMPv1 and SNMPv3 enumeration? Each correct answer represents a complete solution. Choose all that apply. a. All the versions of SNMP protocols use community strings in clear text format, which is easily recognizable. b. Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol that is used for remote monitoring and managing hosts, routers, and devices on a network.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

c. Gathering information about host, routers, devices etc. with the help of SNMP is known as SNMP enumeration. d. Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets can be a valid countermeasure against SNMP enumeration. Explanation: Answer options B, C, and D are correct. Although SNMP version 3 provides data encryption, the more widely used SNMP version 1 is a clear text protocol that offers limited security by using community strings. The names of the default community strings are public and private, which are transmitted in clear text 22. Q: John works as a professional Ethical Hacker. He has been assigned a project for testing the security of www.we-are-secure.com. He wants to perform an SNMP enumeration of the We-are-secure server so that he can gather information about the hosts, routers, devices, etc. of We-are-secure Inc. However, he is unable to perform an SNMP scan until he gives the password for the SNMP service. Now, he thinks that it may be possible that the Network Administrator of We-are-secure Inc. has not changed the default password of the SNMP service. He enters the default password and gets the SNMP service details. Which of the following passwords does SNMP use as a default password? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Password Administrator Public Private

Explanation: Answer options C and D are correct. Public and Private are the default passwords that are used by SNMP. Q: Which of the following SNMP versions does not send passwords and messages in clear text format?

a. b. c. d.

SNMPv3 SNMPv2 SNMPv1 SNMPv2c

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Q: IP Network Browser scans an IP subnet and shows what devices are responding on that subnet. Each of the responding devices is then queried via SNMP. Which of the following ports is used by IP Network Browser to scan SNMP enabled devices? a. 80 b. 161 c. 22 d. 21 Explanation: Answer option B is correct. Q: Which of the following are countermeasures against SNMP enumeration? Each correct answer represents a complete solution. Choose all that apply. a. Removing the SNMP agent or disabling the SNMP service b. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option c. Implementing the Group Policy security option called Additional restrictions for anonymous connections d. Allowing access to NULL session pipes and NULL session shares Explanation: Answer options A, B, and C are correct. Following are the countermeasures against SNMP enumeration: 1. Removing the SNMP agent or disabling the SNMP service 2. Changing the default PUBLIC community name when 'shutting off SNMP' is not an option 3. Implementing the Group Policy security option called Additional restrictions for anonymous connections 4. Restricting access to NULL session pipes and NULL session shares 5. Upgrading SNMP Version 1 with the latest version 6. Implementing Access control list filtering to allow only access to the read-write community from approved stations or subnets

22. Q: SNMP is not usually audited, and may pose a significant threat if it is not configured properly. SNMP can be used to enumerate user accounts and devices on a target system. SNMP has two passwords to access and configure the SNMP agent from the management

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

station: read and read-write community string. What tool or utility would you use for SNMP enumeration? Each correct answer represents a complete solution. Choose two. a. b. c. d. SNMP Util SNMP Agent SNMP Manager SNMPEnum

Explanation: Answer option A is correct.

Which Open Web Application Security Project (OWASP) implements a web application with known vulnerabilities? A. WebVuln B. Hackme.com C. BackTrack D. WebGoat answer: D Which of the following best dictates whether or not a certain behavior is allowed? a. Network Firewall b. Data Loss Prevention Policy c. Acceptable Use Policy d. Information Security Policy answer: D WebScarab SNMPUtil is a command-line tool which gathers Windows user accounts information via SNMP in Windows system. Information such as routing tables, ARP tables, IP Addresses, MAC Addresses, TCP/UDP open ports, user accounts and shares can be obtained using this tool.

What risk could this pose? A server shows port 25 is open.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

A. Web portal data leak B. Active mail relay C. Clear text authentication D. Open printer sharing answer: B Which of the following is an example of an asymmetric encryption implementation? (choose 2) A. PGP B. 3DES C. RSA D. SHA1 E. 3DES answer: A and C

1. \Q: John works as a Network Security Professional. He is assigned a project of testing the security of www.we-are-secure.com. He analyzes that the company has blocked all ports except port 80. Which of the following attacking methods can he use to send insecure software protocols? a. b. c. d. HTTP tunneling MAC spoofing URL obfuscation Banner grabbing

Explanation: Answer option A is correct. According to the scenario, the company has blocked all ports except port 80. Hence, John can use HTTP tunneling to send insecure software protocols. Answer option B is incorrect. MAC spoofing is a hacking technique of changing an assigned Media Access Control (MAC) address of a networked device to a different one.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option C is incorrect. URL obfuscation is a technique through which an attacker changes the format of URLs so that they can bypass filters or other application defenses that have been put in place to block specific IP addresses. The Advanced Encryption Standard (AES) is primarily used for? A. key exchange B. bulk data encryption c. key creation d. IPSec answer: B 1. Q: Which of the following password cracking attacks is based on a pre-calculated hash table to retrieve plain text passwords? a. b. c. d. Dictionary attack Rainbow attack Hybrid attack Brute Force attack

Explanation: Answer option B is correct. A rainbow attack uses a hash table to retrieve plain text passwords. A rainbow attack is one of the fastest method of password cracking. This method of password cracking is implemented by calculating all the possible hashes for a set of characters and then storing them in a table known as the Rainbow table. Q: Which of the following password cracking tools can work on UNIX and Linux environments?

a. b. c. d.

Cain and Abel Brutus John the Ripper Ophcrack

Explanation: Answer option C is correct. John the Ripper (JTR) is a password cracking tool that works successfully on UNIX, Linux, and Windows environments. JTR implements the dictionary and brute force attacks.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

4. Q: Which of the following attacks allow the bypassing of access control lists on servers or routers, and help an attacker to hide? Each correct answer represents a complete solution. Choose two. a. b. c. d. MAC spoofing attack DNS cache poisoning attack DDoS attack IP spoofing attack

Explanation: Answer options A and D are correct. Either the IP spoofing attack or the MAC spoofing attack can be performed to hide the identity in the network. MAC spoofing is a hacking technique of changing an assigned Media Access Control (MAC) address of a networked device to a different one. The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another computer.

Answer option B is incorrect. DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server Q: Fill in the blank with the appropriate attack name. It is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. Such type of attack is known as attack.

Correct Answer: It is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. Such type of attack is known as
DNS cache poisoning

attack.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

5. Q: Which of the following statements are true of session hijacking? Each correct answer represents a complete solution. Choose all that apply. a. It is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. b. TCP session hijacking occurs when a hacker takes over a TCP session between two machines. c. It uses a long random number or string as the session key reduces session hijacking. d. It is used to slow down the working of the victim's network resources. Explanation: Answer options A, B, and C are correct. Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. How do operating systems protect login passwords? A. The operating system stores all passwords in a protected segment of non-volatile memory. B. The operating system encrypts the passwords, and decrypts them when needed. C. The operating system stores the passwords in a secret file that users cannot find. D. The operating system performs a one-way hash of the passwords. answer: D Which of the following are password cracking tools? (choose 3) A. NMAP B. John the Ripper C. WebGoat D. KerbCrack E. Wireshark F. Cain and Abel answer: A, B and D Q: In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie? e. Session sidejacking f. Session fixation g. Cross-site scripting h. ARP spoofing

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. In Session sidejacking, the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many Web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or Web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised.

Answer option B is incorrect. In Session fixation, the attacker sets a user's session id to one known to him, for example, by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in. Answer option C is incorrect. In cross-site scripting, the attacker tricks the user's computer into running code, which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

6. Q: Which of the following statements are true of firewalking? Each correct answer represents a complete solution. Choose all that apply. a. malicious attacker can use firewalking to determine the types of ports/protocols that can bypass the firewall. b. To use firewalking, the attacker needs the IP address of the last known gateway before the firewall and the IP address of a host located behind the firewall. c. Firewalking works on UDP packets. d. In this technique, the attacker sends a crafted packet with a TTL value that is set to expire one hop past the firewall. Explanation: Answer options A, B, and D are correct.

Q: Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping the conversation and keeps the password. After the interchange is over, Eve connects to Bob posing as Alice; when asked for a proof of identity, Eve sends Alice's password read from the last session, which Bob accepts. Which of the following attacks is being performed by Eve?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

e. f. g. h.

Replay Cross-site scripting Firewalking Session fixation

Explanation: Answer option A is correct. Q: Which of the following commands can be used for port scanning?

i. j. k. l.

nc -z nc -g nc -t nc -w

Explanation: Answer option A is correct. The nc -z command is used to switch the netcat command in port scanning mode. Netcat is a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features:

Q: John works as a Security Administrator for Enet Inc. He uses a 4-digit personal identification number (PIN) to access his laptop, and a token to perform offline checking whether he has entered the correct PIN or not. Which of the following attacks is possible on John's computer? a. b. c. d. Brute force Man-in-the-middle Smurf Replay

Explanation: Answer option A is correct. A brute force attack is possible on John's laptop. According to the scenario, John uses a 4-digit personal identification number (PIN) to access his computer and a token to perform offline checking whether he has entered the correct PIN or not. Since the PIN contains only 4 digits, it is vulnerable to a brute force attack. Answer option B is incorrect. Since the token is checking the PIN offline, it is not possible to perform a man-in-the-middle attack. Man-in-the-middle attacks occur when an attacker successfully inserts an intermediary software or program between two communicating hosts. The intermediary software

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

or program allows attackers to listen to and modify the communication packets passing between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host. The receiving host responds to the software, presuming it to be the legitimate client. Q: John works as a contract Ethical Hacker. He recently got a project to do a security check for www.we-are-secure.com. While performing the security check, he successfully steals the SAM file from the server of we-are-secure. The output of the SAM file is given below:
Mark:501:D4DCC2975DC76FB2AAD3B435B51404EE James:500:5351CF62FC930923AAD3B435B51404EE Administrator:1002:8AD7EAA34F1A9A31DA5A59A9D0150C17 Samantha:1001:F1402A82F3AB3A2EBA12F405D7E7327B

Which of the following user accounts, given in the above list, will John break to get administrative privileges? a. b. c. d. Administrator Samantha James Mark

Explanation: Answer option C is correct. RID 500 is used for the Administrator account. In the given scenario, the RID code of James is 500. Therefore, John will break the user account of James to get administrative privileges.

Q: Which of the following tools can be used for cracking the password of Server Message Block (SMB)? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. L0phtCrack KrbCrack SMBRelay Pwddump2

Explanation: Answer options A and C are correct. L0phtCrack is a Windows password recovery tool that performs dictionary, brute-force, and hybrid password cracking attacks. It can also capture a Server Message Block (SMB) packet on the local network segment and capture individual login sessions. SMBRelay is an SMB server that

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

captures usernames and password hashes from incoming SMB traffic. Answer option B is incorrect. KrbCrack is a Kerberos password cracker and sniffer. Answer option D is incorrect. Pwddump2 is a program that extracts the password hashes from a SAM file on a Windows system. Q: You want to connect to your friend's computer and run a Trojan on it. Which of the following tools will you use to accomplish the task? a. b. c. d. PSExec Remoxec GetAdmin.exe Hk.exe

Explanation: Answer option A is correct. You will use the PSExec tool to accomplish the task. PsExec is a light-weight telnet-replacement tool that executes processes on remote computers and has full interactivity for console applications. The main advantage of using PsExec is that there is no need to manually install client software on remote computers for executing processes remotely Q: You are auditing the security of a client company. You find that their password policy only requires a minimum of 5 characters with letters and numbers. What, if anything, is wrong with this policy? e. Nothing, this is a strong password policy. f. The only flaw is that the password policy should require symbols as well.

g. The password policy is too weak for multiple reasons. h. The only flaw is that the password policy should require a minimum of 6 characters. Explanation: Answer option G is correct. A good password policy is a minimum of 6 characters, but also has letters and numbers required. However, a good password policy also sets how often passwords are changed, and how long the password history should be kept. Answer A is incorrect. This password policy is very weak. Q: LAN Manager hash is the primary hash used by Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT to store user passwords. It is very much vulnerable to various types of password cracking attacks. Which of the following are known weaknesses of LAN Manager hash?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. e. It converts passwords to uppercase. Hashes are sent in clear text over the network. Its effective length is 7 characters. It does not use cryptographic salt. It uses only 16-bit encryption.

Explanation: Answer options A, B, C, and D are correct. LAN Manager hash is the primary hash used by Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT to store user passwords. It is very much vulnerable to various types of password cracking attacks. Security caveats in LAN Manager hash are as follows:

It converts passwords to uppercase. Hashes are sent in clear text over the network. Its effective length is 7 characters. It does not use cryptographic salt. 5. Q: Passwords are the most common access control methods used by system administers to manage the usage of network resources and applications. Password stealing is used by hackers to exploit user credentials and may cause serious data loss in the system. Which of these is NOT a type of password attack? a. Social engineering b. Phishing c. Password hashing d. Shoulder surfing

Explanation: Answer option C is correct.

Password hashing is a way of encrypting a password before it's stored so that if your database gets into the wrong hands, the damage is limited. A hash or message digest can be thought of as the digital fingerprint of a piece of data.

Answer option A is incorrect. Social engineering is the human side of breaking into a corporate network to get personal information. In a typical example, an unknown person gets hold of user credentials from the victim by manipulating him or her into believing a contrived situation.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option B is incorrect. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Phishing is typically carried out by e-mail spoofing and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Answer option D is incorrect. Shoulder surfing is done using direct observation techniques, such as looking over someone's shoulder when they enter a password or PIN code Q: Which of the following is generally practiced by the police or any other recognized governmental authority? a. SMB signing b. Wiretapping c. Spoofing d. Phishing Explanation: Answer option B is correct.

Answer option A is incorrect. Server Message Block (SMB) signing is a security feature of Windows operating systems. SMB signing ensures that the transmission and reception of files across a network are not altered in any way. Note: Enabling SMB signing on the network reduces the performance of the network because of the increased processing and network traffic required to digitally sign each SMB packet. Q: Which of the following records everything a person types using the keyboard? e. Line conditioner f. Port scanner

g. Keystroke logger h. Firewall Explanation: Answer option G is correct. A keystroke logger records everything a person types using the keyboard. Keystroke logging is a method of logging and recording user keystrokes. It can be performed with software or hardware devices.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Answer option B is incorrect. A port scanner is a software tool that is designed to search a network host for open ports. This tool is often used by administrators to check the security of their networks. It is also used by hackers to compromise the network and systems. Answer option D is incorrect. A firewall is a tool to provide security to a network. It is used to protect an internal network or intranet against unauthorized access from the Internet or other outside networks. It restricts inbound and outbound access and can analyze all traffic between an internal network and the Internet. Q: Which of the following user authentications are supported by the SSH-1 protocol but not by the SSH-2 protocol? Each correct answer represents a complete solution. Choose all that apply. a. Rhosts (rsh-style) authentication b. TIS authentication c. Password-based authentication d. Kerberos authentication Explanation: Answer options A, B, and D are correct.

The SSH-2 protocol supports the following user authentications:


Public key authentication (DSA, RSA*, OpenPGP) Host-based authentication Password-based authentication

Note: SSH-1 supports a wider range of user authentications, i.e., the public-key, RSA only, RhostsRSA, password, Rhosts (rsh-style), TIS, and Kerberos authentications. Q: Which of the following are the drawbacks of the NTLM Web authentication scheme? Each correct answer represents a complete solution. Choose all that apply. e. f. g. h. It can be brute forced easily. It works only with Microsoft Internet Explorer. The password is sent in clear text format to the Web server. The password is sent in hashed format to the Web server.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer options E and F are correct. The following are drawbacks of the NTLM Web Authentication Scheme:

NTLM Web authentication is not entirely safe because NTLM hashes (or challenge/response pairs) can be cracked with the help of brute force password guessing. The "cracking" program would repeatedly try all possible passwords, hashing each and comparing the result to the hash that the malicious user has obtained. This authentication technique works only with Microsoft Internet Explorer. 5. Q: Which of the following statements is true of the Digest Authentication scheme? a. It uses the base64 encoding encryption scheme. b. The password is sent over the network in clear text format. c. In this authentication scheme, the username and password are passed with every request, not just when the user first types them. d. A valid response from the client contains a checksum of the username, the password, the given random value, the HTTP method, and the requested URL.

Explanation: Answer option D is correct. The Digest Authentication scheme is a replacement of the Basic Authentication scheme. This authentication scheme is based on the challenge response model. In Digest authentication, the password is never sent across the network in clear text format but is always transmitted as an MD5 digest of the user's password. Q: Which of the following Web authentication techniques uses a single sign-on scheme?

a. b. c. d.

Basic authentication Digest authentication NTLM authentication Microsoft Passport authentication

Explanation: Answer option D is correct. Microsoft Passport authentication is based on single sign-on authentication in which a user needs to remember only one username and password to be authenticated for multiple services 5. Q: What is L0phtcrack (LC4) used for? a. Launch Denial of service attacks through cracks in the network

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

b. Run lofty port scans for open services in a network c. Windows password cracking tool d. Network traffic sniffing tool Explanation: Answer option C is correct. Q: According to a password policy, which of the following rules should be followed by a user while creating a password? Each correct answer represents a complete solution. Choose all that apply. e. f. g. h. Use of both upper- and lower-case letters (case sensitivity) Inclusion of one or more numerical digits Inclusion of special characters Inclusion of words found in a dictionary or the user's personal information

Explanation: Answer options E, F and G are correct. A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly Q: You work as a professional Ethical Hacker. You are assigned a project to test the security of www.we-are-secure.com. You are working on the Windows Server 2003 operating system. You suspect that your friend has installed the keyghost keylogger onto your computer. Which of the following countermeasures would you employ in such a situation? Each correct answer represents a complete solution. Choose all that apply.

a. Monitor the programs running on the server to see whether any new process is running on the server or not. b. Use on-screen keyboards and speech-to-text conversion software which can also be useful against keyloggers, as there are no typing or mouse movements involved. c. Use commercially available anti-keyloggers such as PrivacyKeyboard. d. Remove the SNMP agent or disable the SNMP service. e. 5. Q: In which of the following malicious hacking steps does email tracking come under? a. b. c. d. Reconnaissance Scanning Gaining access Maintaining Access

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Email tracking comes under the reconnaissance step of malicious hacking. Q: In which of the following attacks does an attacker create the IP packets with a forged (spoofed) source IP address with the purpose of concealing the identity of the sender or impersonating another computing system?

a. b. c. d.

IP address spoofing Rainbow attack Cross-site request forgery Polymorphic shell code attack

Explanation: Answer option A is correct.

Answer option C is incorrect. Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated. Q: Which of the following tools can be used for anti-phishing?

e. f. g. h.

Netcraft Legion eblaster Spector

Explanation: Answer option E is correct. The Netcraft Web site stores data of phishing Web sites and provides a toolbar that tells whether or not a Web site is authenticated. Netcraft is a Web site that periodically polls Web servers to determine the operating system version and the Web-server software version. It provides Web server and Web hosting market-share analysis, including Web server and operating system detection.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: John works as a Network Administrator for We-are-secure Inc. The We-are-secure server is Linux-based. John wants to install a tool that can be used to filter packets according to the MAC address and TCP header flag values. Which of the following tools will he use to accomplish his task? a. Chkrootkit b. PsLogList c. PsExec d. IPTables Explanation: Answer option D is correct. IPTables is a firewall that is a replacement of the IPChains firewall for the Linux 2.4 kernel and later versions. 5. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He installs a rootkit on the Linux server of the We-are-secure network. Which of the following statements are true about rootkits? Each correct answer represents a complete solution. Choose all that apply. a. They allow an attacker to run packet sniffers secretly to capture passwords. b. They allow an attacker to conduct a buffer overflow. c. They allow an attacker to set a Trojan in the operating system and thus open a backdoor for anytime access. d. They allow an attacker to replace utility programs that can be used to detect the attacker's activity. Explanation: Answer options A, C, and D are correct. 6. Q: You have placed a Trojan file trojan.exe inside another text file readme.txt using NTFS streaming. Which of the following commands will you execute to extract the Trojan from the readme.txt file? a. b. c. d. c:\> cat readme.txt:trojan.exe > trojan.exe c:\> cat trojan.exe > readme.txt > trojan.exe c:\> cat readme.txt > trojan.exe c:\> cat trojan.exe

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Alternate Data Streams (ADS) is a feature of the NTFS file system that allows more than one data stream to be associated with a filename, using the filename format "filename:streamname". Alternate streams are not listed in Windows Explorer, and their size is not included in the file size. ADS provides the hacker a place to hide root kits or hacker tools, which can be executed without being detected by the system administrator. 7. Q: You work as a Network Security Administrator for we-are-secure Inc. You feel that someone has accessed your computer and used your e-mail account. To check whether there is any virus installed on your computer, you scan your computer but do not find any illegal software. Which of the following types of security attacks generally runs behind the scenes on your computer? a. b. c. d. Rootkit Zero-day Hybrid Replay

Explanation: Answer option A is correct. Answer option B is incorrect. A zero-day attack, also known as zero-hour attack, is a computer threat that tries to exploit computer application vulnerabilities which are unknown to others, undisclosed to the software vendor, or for which no security fix is available. Q: Victor works as a professional Ethical Hacker for SecureNet Inc. He wants to use the Steganographic file system method to encrypt and hide some secret information. Which of the following disk spaces will he use to store this secret information? Each correct answer represents a complete solution. Choose three. e. f. g. h. Unused sectors Dumb space Hidden partition Slack space

Explanation: Answer options E , G and H are correct. The Steganographic file system is a technique of storing files in such a manner that it encrypts data and hides it in an efficient way so that it cannot be traced. There are three basic methods of hiding data in disk space:

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Unused sectors Slack space Hidden partition 8. Q: John used to work as a Network Administrator for We-are-secure Inc. Now he has resigned from the company for personal reasons. He wants to send out some secret information of the company. To do so, he takes an image file and simply uses a tool image hide and embeds the secret file within an image file of the famous actress, Jennifer Lopez, and sends it to his Yahoo mail id. Since he is using the image file to send the data, the mail server of his company is unable to filter this mail. Which of the following techniques is he performing to accomplish his task? a. b. c. d. Web ripping Social engineering Email spoofing Steganography

Explanation: Answer option D is correct. According to the scenario, John is performing the Steganography technique for sending malicious data. Steganography is an art and science of hiding information by embedding harmful messages within other seemingly harmless messages 9. Q: Which of the following tools is used to hide secret data in text files and is based on the concept that spaces and tabs are generally not visible in text viewers, and therefore a message can be effectively hidden without affecting the text's visual representation for the casual observer? a. b. c. d. Image hide Snow.exe SARA Fpipe

Explanation: Answer option B is correct. Snow.exe is a Steganography tool that is used to hide secret data in text files. It is based on the concept that spaces and tabs are generally not visible in text viewers and therefore a message can be effectively hidden without affecting the text's visual representation for the casual observer

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Watermarking is the irreversible process of embedding information into digital media. The purpose of digital watermarks is to provide copyright protection for intellectual property that is in digital form. Watermarking is basically divided into two main sections Q: You have physical access to Maria's laptop. You have downloaded a keylogger and installed there with password protection. Now, in the covering tracks step, what will you perform before leaving the laptop? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. e. Clear recent docs from registry Clear caches Delete cookies Disabling auditing Changing OS password

Explanation: Answer options A, B, C, and D are correct. Covering Tracks is the last and important step of remote hacking, which includes the deletion of all logs on the remote system. In Linux or UNIX, all entries of the /var folder need to be deleted, and if it is a Windows operating system, all events and logs are deleted. This step is used by hackers to keep their identity anonymous. The hacker generally removes security events or error messages that have been logged to avoid being detected. To prevent detection, hackers either clear the event logs or disable auditing. Q: A hacker broke into an application, but forgot to cover his track within the enterprise systems. You have been called in as a forensics investigator and were easily able to trace back the activities of the hacker. What should the hacker have done to cover her tracks and make her difficult to identify? Each correct answer represents a complete solution. Choose all that apply. a. Disable auditing b. Clear the event log c. Run Traceless d. Use Armor Tools Explanation: Answer option A is correct. Q: A Windows server has been hacked and you have been brought in to investigate how the

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

incident may have occurred. You look for malicious activity traces in the event logs to investigate the hacker's attack pattern. Which of the following is a tool that system administrators often use to enable auditing on Windows systems to capture such events? a. Auditpol b. WinZapper c. Evidence Eliminator d. ELSave Explanation: Answer option A is correct. Auditpol is a tool included in the Windows NT Resource Kit for system administrators. This tool can disable or enable auditing from the Windows command line. It can also be used to determine the level of logging implemented by a system administrator.

The EC-Council group has divided Trojans into seven primary types:

1. Remote Access Trojans: They allow attackers to gain full control over computer systems.
Remote access Trojans are usually set up as client/server programs, so that an attacker can connect to the infected system and control it remotely. Data Sending Trojans: They are used to capture and redirect data. eBlaster is an example of this type of Trojan. It can capture keystrokes, passwords, or any other type of information and send them back to the attacker via email. Destructive Trojans: They are used to destroy files or operating systems. DoS Attack Trojans: They are designed to cause a DoS attack. Proxy Trojans: They are designed to work as proxies. These programs can help a hacker hide and perform activities from the victim's computer. FTP Trojans: They are specifically designed to work on port 21. These Trojans allow a hacker to upload, download, or move files on the victim's computer. Security Software Disabler Trojans: They are designed to attack and kill antivirus or software firewalls. The goal of disabling these programs is to make it easier for the hacker to control the system.

2.

3. 4. 5. 6.

7.

A Trojan horse is a malicious software program code that masquerades itself as a normal program. When a Trojan horse program is run, its hidden code runs to destroy or scramble data on the hard disk.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

4. Q: Ralph wants to provide a demo to his team of an attack type that cannot be detected by regular firewall and IDS systems. The attack can be detected only with tcpdump used to capture all packets entering and leaving the server machine. He initiates a TCP connection with the server on port 80. Two separate hosts on two separate networks were used - one machine served as a server and the other as a client. The latest version of Snort with all the current rule sets was installed and kept running, yet could not identify the attacks. What method of attack is Ralph planning to use? a. Covert channel attack b. Tor attacks c. Inside-Out Attack d. White-listing attack Explanation: Answer option A is correct. A Covert Channel is a communication channel that allows a process to transfer information in a manner that violates the system's security policy without alerting any firewalls and IDS's on the network. 5. Q: Which of the following are uses of the covert channel? Each correct answer represents a complete solution. Choose all that apply. a. Transferring a file from the victim's computer to the hacker's computer and vice-versa b. Launching applications on the victim's computer c. Interactive remote control access from the hacker's computer to the victim's computer d. Vigilance of any corporate filtered firewall rules Explanation: Answer options A, B, and C are correct.

Q: A company suspects that a disgruntled employee or a malicious insider is sending information to an accomplice outside the corporate network. You are brought in as a security consultant to test for insider attacks which are initiated from inside the corporate network. What are some of the tests that you perform? Each correct answer represents a complete solution. Choose two. a. Reverse Engineering

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

b. Bypass corporate filter firewall rules from inside-out c. DNS Tunneling d. Social Engineering Explanation: Answer options B and C are correct.

Q: You check your snort log and get the following suspicious part:

What type of attack might it be? a. Back orifice b. Netbus c. SubSeven d. BoBo Explanation: Answer option A is correct. In the log used in the question, you can see that packets are coming from 31337, Q: Which of the following parameters of the NETSTAT command is used to display all active connections and the TCP and UDP ports on which the computer is listening?

a. b. c. d.

-a -b -e -f

Explanation: Answer option A is correct.

-a: It is used to display all active connections and the TCP and UDP ports on which the computer is listening.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

-b: It is used to display the binary program's name involved in creating each connection or listening port. -e: It is used to display ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s. -f: It is used to display fully qualified domain names <FQDN> for foreign addresses. 5. Q: Which of the following parameters of the NETSTAT command is used to display the contents of the IP routing table? a. b. c. d. -r -p -s -t

Explanation: Answer option A is correct. Q: You have placed a Trojan in the we-are-secure.com server, which is transmitting data from the server to the attacker . In the meantime, the attacker runs the following command: nc -l -u -p 22222 < /etc/passwd What does this command do? a. b. c. d. It loads the /etc/passwd file on the server. It downloads the /etc/password from the server. It deletes the /etc/password from the server. It updates the /etc/password of the server.

Explanation: Answer option B is correct. Q: Which of the following statements are true about ICMP tunneling? Each correct answer represents a complete solution. Choose all that apply. a. It is a method in which ICMP packets are sent in encrypted form via the HTTP port. b. It is a method in which tunneling of another protocol through ICMP is performed. c. An example of this technique is tunneling complete TCP traffic over ping requests and replies. d. ICMP tunneling is used to bypass firewalls, which do not block ICMP packets. Explanation: Answer options B, C, and D are correct. A wrapper is a program that is used to combine a harmful executable file with a harmless

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

executable file.

Q: You want to add a netbus Trojan in the chess.exe game program so that you can gain remote access to a friend's computer. Which of the following tools will you use to accomplish the task? Each correct answer represents a complete solution. Choose all that apply. a. Wrapper b. Yet Another Binder c. Beast d. Tripwire Explanation: Answer options A are correct. Q: Mark works as a Network Security Administrator for uCertify Inc. He is responsible for securing and analyzing the network of the organization. Mark is concerned about the current network security, as individuals can access the network with bypass authentication, thus allowing them to get more permissions than allotted. Which of the following is responsible for this type of privilege escalation? a. b. c. d. Backdoor Rootkit Boot sector Master Boot Record

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. According to the scenario, a backdoor is responsible for this type of privilege escalation. A backdoor is a program or account that allows access to a system by skipping the security checks. Many vendors and developers implement backdoors to save time and effort by skipping the security checks while troubleshooting. A backdoor is considered to be a security threat and should be treated with the highest security. If a backdoor becomes known to attackers and malicious users, they can use it to exploit the system. Q: Which of the following are symptoms of a virus attack on your computer? Each correct answer represents a complete solution. Choose two. a. b. c. d. Faster read/write access of the CD-ROM drive Sudden reduction in system resources Corrupted or missing files Unclear monitor display

Explanation: Answer options B and C are correct. Q: Your Web server crashes at exactly the point where it reaches 1 million total visits. You discover the cause of the server crash is malicious code. Which description best fits this code? a. Virus b. Polymorphic Virus c. Worm d. Logic Bomb Explanation: Answer option D is correct. A logic bomb is malware that executes its malicious activity when a certain condition is met, often when a certain date/time is reached. In this case it waited for the Web server to pass a certain threshold. Worms are programs that replicate themselves from system to system without the use of a host file. 5. Q: John works as a Marketing Manager for we-are-secure Inc. Today, when he opens his email account, he gets an email of subject security issue. In the email, he gets the following message:

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Remove the Boot.ini file because it is harmful for operating system. When John reads about the Boot.ini file on the Internet, he discovers that it is a system file that is used to load the operating system on the computer. Which of the following types of virus has attacked John's computer? a. b. c. d. Hoax Polymorphic Macro Multipartite

Explanation: Answer option A is correct. According to the scenario, John's computer has been attacked by a virus hoax. A computer virus hoax is a message warning the recipient of a non-existent computer virus threat. the system.

6. Q: Which of the following statements is true about the difference between worms and Trojan horses? a. b. c. d. Trojan horses are a form of malicious code, while worms are not. Trojan horses are harmful to computers while worms are not. Worms replicate themselves while Trojan horses do not. Worms can be distributed through emails while Trojan horses cannot.

Explanation: Answer option C is correct. Worms replicate themselves while Trojan horses do not. A worm is a software program that uses computer networks and security holes to replicate itself from one computer to another. Q: Which of the following is used to describe the type of FTP access in which a user does not have permissions to list the contents of directories, but can access the contents if he knows the path and file name? e. Blind FTP f. Secure FTP

g. Passive FTP h. Hidden FTP

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Blind FTP (sometimes called anonymous FTP) gives a user the ability to go directly to specific directories if the user knows the path and file name. However, they cannot peruse items. This is a more secure way of allowing FTP. Q: Which of the following tasks can be performed by a malicious bot/botnet? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. e. Performing DDoS attacks Harvesting email addresses from contact forms or guestbook pages Downloading entire Web site to suck the bandwidth of a target Stealing information like credit card numbers, login, ids, etc. Performing a spoofing attack

Explanation: Answer options A, B, C, and D are correct. A malicious bot is automated software that is used for various unethical activities. A bot/botnet can be used to perform any or all of the following malicious activities: Q: A user has opened a Web site that automatically starts downloading malicious code onto his computer. What should he do to prevent this? Each correct answer represents a complete solution. Choose two. a. Configure Security Logs b. Disable ActiveX Controls c. Implement File Integrity Auditing d. Disable Active Scripting Explanation: Answer options B and D are correct. In order to prevent malicious code from being downloaded from the Internet onto a computer, you will have to disable unauthorized ActiveX Controls and Active Scripting on the Web browser. Disabling Active Scripting and ActiveX controls makes browsers safer for browsing the Web.

4. Q: John works as a professional Ethical Hacker. He has been assigned a project to test the security of www.we-are-secure.com. He wants to test the effect of a virus on the We-are-secure server. He injects the virus on the server and, as a result, the server becomes infected with the virus even though an established antivirus program is

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

installed on the server. Which of the following do you think are the reasons why the antivirus installed on the server did not detect the virus injected by John? Each correct answer represents a complete solution. Choose all that apply. a. John has changed the signature of the virus. b. John has created a new virus. c. The virus, used by John, is not in the database of the antivirus program installed on the server. d. The mutation engine of the virus is generating a new encrypted code. Explanation: Answer options A, B, C, and D are correct. Every virus cannot be detected by a signature-based antivirus, largely for the following reasons:

If an attacker has changed the signature of a virus, any signature-based antivirus will not be able to find the virus. Any new virus will not be captured by the antivirus, as it will not be on the list in the antivirus database. If the virus is not in the database of a signature-based antivirus, it will be virtually impossible for the antivirus to detect that virus. If the mutation engine of a polymorphic virus is generating a new encrypted code, this changes the signature of the virus. Therefore, polymorphic viruses cannot be detected by a signaturebased antivirus.

Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it. Q: Which of the following tools is an open source protocol analyzer that can capture traffic in real time?

a. b. c. d.

Snort NetWitness Netresident Wireshark

Explanation: Answer option D is correct. Wireshark is an open source protocol analyzer that can capture traffic in real time. Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: Which of the following is a network maintenance protocol of the TCP/IP protocol suite that is responsible for the resolution of IP addresses to media access control (MAC) addresses of a network interface card (NIC)? e. ARP f. DHCP

g. RARP h. PIM Explanation: Answer option A is correct. Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to media access control (MAC) addresses. 2. Q: Which of the following is the Windows GUI tool that can perform MITM attacks, along with sniffing and ARP poisoning? a. b. c. d. CAIN Ettercap wsniff Airjack

Explanation: Answer option A is correct.

3. Q: In which of the following attacks does an attacker change the MAC address on the sniffer to one that is the same in another system on the local subnet? a. b. c. d. MAC duplicating MAC flooding ARP spoofing IP spoofing

Explanation: Answer option A is correct. In a MAC duplicating attack, the attacker confuses the switch and the switch begins to think that two ports have the same MAC address. To perform a MAC duplicating attack, the attacker changes the MAC address on the sniffer to one that is the same in another system on the local subnet. This differs from ARP Spoofing because, in ARP Spoofing, the attacker confuses the host by poisoning its ARP cache.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: Which of the following tools can be used for an ARP poisoning attack? Each correct answer represents a complete solution. Choose all that apply.

e. f. g. h.

Arpspoof Cain and Abel Ettercap Brutus

Explanation: Answer options A, B, and C are correct. Arpspoof (part of the DSniff suite of tools), Cain and Abel, and Ettercap are the tools that can be used to carry out ARP poisoning attacks. 4. Q: Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether? a. b. c. d. ARP spoofing Port scanning Man-in-the-middle Session hijacking

Explanation: Answer option A is correct. Q: As a security consultant, you are investigating a possible attack scenario where corporate employees within a corporation get redirected an unknown website page when entering a public email site address in the browser. This new site requests their user id and password to validate credentials, before forwarding the request to the email site. As a consultant, you want to validate this website change, and when you access this site from your iPhone, you directly go to the original webpage of the email site. What possible attack has the company been subjected to? a. DNS cache poisoning attack b. DNS zone transfer attack c. Webcache poisoning attack of the email server d. Directory traversal attack Explanation: Answer option A is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: You want to install Windump, the Windows substitute of the TCPDump packet sniffer, which is Linux-based. For this, you need to install a library. Which of the following is the name of the library? a. WinPCAP b. idconfig c. Winconf d. WinTCP Explanation: Answer option A is correct. WinDump is the Windows version of tcpdump that is used to view, diagnose, and save to disk network traffic as defined in the various rules. It is used in Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows 2003, and Windows Vista. WinDump uses the WinPcap library and drivers for packet capturing. It also uses the 802.11b/g wireless capturing technique and the CACE Technologies AirPcap adapter. WinPcap is the tool that is used for link-layer network access in Windows environments. It allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, which includes kernel-level packet filtering, a network statistics engine and support for remote packet capture.

2. Q: In which of the following conditions does Ethereal(Wireshark) work best? a. b. c. d. When you are targeting networks using hubs When you are targeting switched networks When you are targeting Windows-based networks When you are targeting Linux-based networks

Explanation: Answer option A is correct. Q: Which of the following attacks can be performed by attacking the CAM switches?

a. b. c. d.

MAC flooding ARP spoofing IP address spoofing DNS cache poisoning

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. MAC flooding is an attack that can be performed by attacking the CAM switches. MAC flooding is a technique employed to compromise the security of network switches. In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-tophysical port translation table. The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation Q: Which of the following statements are true of spoofing and session hijacking? Each correct answer represents a complete solution. Choose all that apply.

e. Spoofing is an attack in which an attacker can spoof the IP address or other identity of the target but the valid user can be active. f. Session hijacking is an attack in which the attacker takes over the session, and the valid user's session is disconnected. g. Session hijacking is an attack in which the attacker takes over the session, and the valid user's session is not disconnected. h. Spoofing is an attack in which the attacker can spoof the IP address or other identity of the target, and the valid user cannot be active. Explanation: Answer options E and G are correct. Q: Which of the following options is used by hackers to control a malicious bot?

a. b. c. d.

IRC channels IM tools Websites FTP servers

Explanation: Answer option A is correct. IRC connections are usually unencrypted and typically span long time periods, they are an attractive target for malicious crackers. Q: Against which of the following does SSH provide protection? Each correct answer represents a complete solution. Choose two.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. b. c. d.

IP spoofing Broadcast storm DoS attack Password sniffing

Explanation: Answer options A and D are correct. Secure Shell (SSH) is a protocol that provides strong authentication and secure communications over insecure channels. It uses public key encryption as the main method for user authentication. SSH secures connections over the Internet by encrypting passwords and other data. It also protects networks against IP spoofing, packet spoofing, password sniffing, and eavesdropping. SSH uses TCP port 22 as the default port and operates at the application layer. Q: Which of the following are the parts of active sniffing? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. MAC flooding ARP spoofing MAC duplicating OS fingerprinting

Explanation: Answer options A, B, and C are correct.

Q: Which Snort mode reads the packets of the network and displays them in a continuous stream on the console? a. b. c. d. Sniffer Packet logger Network intrusion detection Output module

Explanation: Answer option A is correct. Q: Which of the following steps can be taken as countermeasures against sniffer attacks? Each correct answer represents a complete solution. Choose all that apply. a. Use encrypted protocols for all communications.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

b. Use switches instead of hubs since they switch communications, which means that information is delivered only to the predefined host. c. Use tools such as StackGuard and Immunix System to avoid attacks. d. Reduce the range of the network to avoid attacks into wireless networks. Explanation: Answer options A, B, and D are correct.

1. Q: John works as a claims processor for an Insurance company. He gets an email marked urgent from a customer who says she uploaded all her accident pictures online and that John could click on the link to view pictures of the damaged vehicle. John understands that this is not the usual process to review accident claims, but clicks on the link out of curiosity. It takes him to a website which he does not recognize, and after a few moments, he closes his browser. Later on, John notices that his workstation has become slower and documents are taking significantly longer time to open up. What could be a probable cause for this slowness? a. The system has been subjected to a pharming attack. b. John has been subjected to a vishing attack. c. John has been subjected to a phishing attack. d. The system slowness is due to inadequate capacity planning. Explanation: Answer option C is correct. Phishing involves sending emails that appear to come from reliable sources and that try to get users click on a link to a spoofed web page.

2. Q: Please identify from the scenario described what kind of hacking attack it is - A coworker hacker renames or moves a file so that the target thinks that it no longer exists. The hacker speculates that they can get the file back. The target, keen to get on with their work, or concerned that the loss of the information could be their own fault, leaps at this offer. The hacker states that this could only be done if they were to log on as the target. He or she may even say company policy prohibits this. The target will beg the hacker to log on as them and try to reinstate the file. Grudgingly, the hacker agrees, reinstates the original file, and steals the target's user ID and password. He or she has even embellished their reputation such that they receive requests to assist other coworkers. This approach can bypass the regular IT support channels and make it easier for the hacker to remain unnoticed.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. Tailgating b. Piggybacking c. Reverse social engineering d. Dumpster diving Explanation: Answer option B is correct.

Answer option A is incorrect. In tailgating, an unauthorized person wearing a fake ID badge enters a secured area by closely following an authorized person through a door requiring key access. An authorized person may not be aware of having provided an unauthorized person access to a secured area. Answer option B is incorrect. Piggybacking occurs when an authorized person allows the hacker to pass through a secure door either intentionally or unintentionally. The attacker may fabricate a story of having forgotten the ID or badge and the victim may fall for it. Sometimes piggybacking can happen without awareness or intention.

4. Q: John works as an IT Technician for uCertify Inc. One morning, John receives an email from the company's Manager asking him to provide his logon ID and password, but the company policy restricts users from disclosing their logon IDs and passwords. Which type of possible attack is this? a. b. c. d. DoS Replay attack Social engineering Trojan horse

Explanation: Answer option C is correct. Q: You work as an IT Technician for BlueBell Inc. Your work includes implementing security for the company's network to protect users against social engineering attacks. Which of the following are most commonly used by a social engineering hacker? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. E-mail Telephone Personal approaches Brute force

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

e. Trojan horse Explanation: Answer options A, B, and C are correct. Q: Which of the following are examples of passive attacks? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Eavesdropping Dumpster diving Shoulder surfing Placing a backdoor

Explanation: Answer options A, B, and C are correct. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using dumpster diving to gather information about We-are-secure, Inc. In which of the following steps of malicious hacking does dumpster diving come under?

a. b. c. d.

Reconnaissance Scanning Gaining access Maintaining access

Explanation: Answer option A is correct. According to the scenario, John is performing dumpster diving, which comes under the Reconnaissance step of malicious hacking. Reconnaissance is the first step in malicious hacking in which the attacker gathers information about the victim.

5. Q: John works as a Programmer for We-are-secure Inc. On one of his routine visits to the company, he noted down the passwords of some employees while they were typing them on their computer screens. Which of the following social engineering attacks did he just perform? a. Dumpster diving b. Shoulder surfing c. Important user posing d. Authorization by third party

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option B is correct. In the given scenario, John was performing a shoulder surfing attack. Shoulder surfing is a type of in person attack in which the attacker gathers information about the premises of an organization. This attack is often performed by looking surreptitiously at the keyboard of an employee's computer while he is typing in his password at any access point such as a terminal/Web site. Q: In which of the following social engineering attacks does an attacker first damage any part of the target's equipment and then advertise himself as an authorized person who can help fix the problem?

e. f. g. h.

Reverse social engineering attack Impersonation attack Important user posing attack In person attack

Explanation: Answer option A is correct. A reverse social engineering attack is a person-to-person attack in which the attacker convinces the target that he or she has a problem or might have a certain problem in the future and that he, the attacker, is ready to help solve the problem. 6. Q: You are the Network Administrator for a bank. In addition to the usual security issues, you are concerned that your customers could be the victim of phishing attacks that use fake bank Web sites. Which of the following would protect against this? a. b. c. d. Mutual authentication Two factor authentication Three factor authentication MAC

Explanation: Answer option A is correct. In mutual authentication, not only does the server (in this case, the banks Web server) authenticate the client, but the client authenticates the server.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

7. Q: Which of the following statements are true about a phishing attack? a. It is a way of attempting to obtain sensitive information, such as usernames, passwords, and credit card details. b. It is usually carried out by e-mail spoofing or instant messaging. c. It frequently directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. d. In a phishing attack, an attacker sends multiple SYN packets to the target computer. Explanation: Answer options A, B, and C are correct. Q: Which of the following is a technique through which an attacker changes the format of URLs so that they can bypass filters or other application defenses that have been put in place to block specific IP addresses? a. b. c. d. URL obfuscation Reverse social engineering Dumpster diving Shoulder surfing

Explanation: Answer option A is correct. Q: Into which two primary categories can all social engineering attacks be divided? a. Human-based and computer-based attacks b. Fear-based and persuasion-based attacks c. Phishing-based and spear-phishing based attacks d. Insider-based attacks and outsider-based attacks Explanation: Answer option A is correct. Q: A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable. Please order as per sequence the general methodology used by a hacker to complete a social engineering attack. a. Select victim, Research, Develop relationship, Exploit relationship b. Research, Develop relationship, Select victim, Exploit relationship c. Research, Select victim, Develop relationship, Exploit relationship d. Select victim, Develop relationship, Research, Exploit relationship

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option C is correct.

5. Q: What are some of the possible countermeasures for social engineering attacks? Each correct answer represents a complete solution. Choose all that apply. a. Use relevant firewalls and updated tools. b. Enforce appropriate security policies. c. Have an open-minded corporate culture. d. Implement relevant security training and awareness methods. Explanation: Answer option B is correct. Appropriate security policies around passwords, auditability, separation of duties and accountability will make the employees less susceptible to social engineering attacks. Specify that service desk is the single point of contact for reporting user issues.

1. Q: In which of the following DoS attacks does an attacker send an ICMP packet larger than 65,536 bytes to the target system? a. b. c. d. Jolt Ping of death Teardrop Fraggle

Explanation: Answer option B is correct. In the ping of death attack, the attacker sends an ICMP packet larger than 65,536 bytes.

Answer option C is incorrect. In a teardrop attack, a series of data packets are sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot. Answer option D is incorrect. In a fraggle DoS attack, an attacker sends a large amount of UDP echo request traffic to the IP broadcast addresses. These UDP requests have a spoofed source address of the intended victim. Q: Maria works as a professional Ethical Hacker. She has been assigned a project to test the security of www.we-are-secure.com. She wants to test a DoS attack on the We-are-secure

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

server. She finds that the firewall of the server is blocking the ICMP messages, but it is not checking the UDP packets. Therefore, she sends a large amount of UDP echo request traffic to the IP broadcast addresses. These UDP requests have a spoofed source address of the We-are-secure server. Which of the following DoS attacks is Maria using to accomplish her task? a. Fraggle DoS attack b. Smurf DoS attack c. Ping flood attack d. Teardrop attack Explanation: Answer option A is correct.

A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason that a honey pot has low security permissions. A honeypot is used to gain information about the intruders and their attack strategies. 2. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using the TFN and Trin00 tools to test the security of the We-are-secure server, so that he can check whether the server is vulnerable or not. Using these tools, which of the following attacks can John perform to test the security of the We-are-secure server? e. f. g. h. DDoS attack Reply attack Brute force attack Cross site scripting attack

Explanation: Answer option E is correct.

DDoS attack
In a distributed denial of service (DDOS) attack, the attacker uses multiple computers throughout the network that it has previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for the DDoS attack.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

4. Q: In which of the following attacks does an attacker send a spoofed TCP SYN packet in which the IP address of the target is filled in both source and destination fields? a. b. c. d. Land attack Jolt DoS attack Smurf DoS attack Fraggle DoS attack

Explanation: Answer option A is correct. In a land attack, the attacker sends the spoofed TCP SYN packet in which the IP address of the target host is filled in both the source and destination fields. Q: Which of the following can be applied as countermeasures against DDoS attacks? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. e. Using Intrusion detection systems Limiting the amount of network bandwidth Using network-ingress filtering Blocking the IP address Using LM hashes for passwords

Explanation: Answer options A, B, C, and D are correct. The techniques to prevent DDoS attacks are as follows:

Applying router filtering Blocking undesired IP addresses Permitting network access only to desired traffic Disabling unneeded network services Updating antivirus software regularly Establishing and maintaining appropriate password policies, especially for access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator Limiting the amount of network bandwidth Using network-ingress filtering Using automated network-tracing tools

5. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He observes that the We-are-secure server is vulnerable to a special type of DoS attack and he makes the following

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

suggestions to the security authority to protect the server from this DoS attack. The countermeasures against this type of DoS attack are as follows:

Disabling IP-directed broadcasts at the We-are-secure router Configuring local computers so as not to respond to such ICMP packets that are configured to be sent to IP broadcast addresses

Which of the following DoS attacks has John discovered as a vulnerability for the We-are-secure security network? a. b. c. d. Teardrop attack Smurf attack Fraggle attack Jolt attack

Explanation: Answer option B is correct. According to the countermeasures, John has discovered that the We-are-secure server is vulnerable to a smurf DoS attack. In a smurf DoS attack, the attacker sends a large amount of ICMP echo request traffic to the IP broadcast addresses. These ICMP requests have a spoofed source address of the intended victim.

6. Q: Which of the following are malicious activities performed by a bot/botnet? Each correct answer represents a complete solution. Choose three. a. It can work as spambots that harvest email addresses from contact forms or guestbook pages. b. It can be a malicious downloader program that sucks bandwidth by downloading entire Web sites. c. It can work as a virus or as a worm. d. It can detect honeypots. Explanation: Answer options A, B, and C are correct. A malicious bot is automated software that is used for various unethical activities. A bot/botnet can be used to perform any or all of the following malicious activities:

It can work as spambots, which harvest email addresses from contact forms or guestbook pages.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

It can be a malicious downloader program that sucks bandwidth by downloading entire Web sites. It can be Web site scrapers that grab the content of Web sites and re-use it without permission on automatically generated doorway pages. It can work as virus or as a worm. It can perform DDoS attacks. It can be malicious File-name modifiers on peer-to-peer file-sharing networks. These change the names of files (often containing malware) to match user search queries.

Botnet is a type of malware that allows an attacker to take control over an infected computer. It is also known as Web robots. Botnets are usually part of a network of infected machines, which is typically made up of victim machines that stretch across the globe 7. Q: As part of a forensic investigation done on a hacked network, the investigator discovered that the password of the administrator account had been discovered locally, despite preventative measures like anti-virus and anti-spyware software being installed on the domain controller servers. What technique did the attacker possibly use? a. Stealth anonymizer b. Hardware keylogger c. SNMP community strings d. SMB signing Explanation: Answer option B is correct. A hardware keylogger cannot be detected by anti-virus or anti-spyware products

Q: You suspect that your server is being subjected to SYN flooding attacks, as the server is becoming unresponsive and the listen queue is filling up very quickly. This attack works by filling up the table reserved for half open TCP connections in the operating system's TCP IP stack. In a 3 way TCP handshake, what missing process is contributing to this attack? a. SYN b. SYN-ACK c. ACK-SYN d. ACK

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option D is correct.

1. Q: Which of the following are methods to prevent session hijacking? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Regenerating the session id after a successful login Using a short straight number or string as the session key Encrypting data passed between the parties, in particular the session key Changing the value of the cookie with each and every request

Explanation: Answer options A, C, and D are correct. Following are the methods to prevent session hijacking:

Use a long random number or string as the session key. This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks. Regenerate the session id after a successful login. This prevents session fixation because the attacker does not know the session id of the user after he has logged in. Encrypt the data passed between the parties, in particular the session key. This technique is widely relied-upon by Web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. Some services make secondary checks against the identity of the user. For example, a Web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session. Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, preventing the back button from working properly on the Web).

1. Q: You are in the process of recommending mitigation attacks against possible session hijacking threats. You advise the development team to use a random long number as the session key. Which session hijacking attack are you trying to mitigate? a. Brute force b. Misdirected Trust

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

c. Blind Hijacking d. IP Spoofing Explanation: Answer option A is correct.

2. Q: John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. John notices that the We-are-secure network is vulnerable to the man-in-the-middle attack since the key exchange process of the cryptographic algorithm does not authenticate participants. Which cryptographic algorithm is being used by the We-are-secure server? a. b. c. d. RSA Diffie-Hellman Blowfish Twofish

Explanation: Answer option B is correct. Diffie-Hellman encryption is a key agreement protocol

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Cryptography
Cryptography is a technique of encrypting and decrypting messages. When the text is encrypted, it is unreadable by humans but when it is decrypted, it is readable. The terms used in cryptography are as follows:

Plaintext: This text can be read by a user. Ciphertext: This text can be converted to a non-readable format. Encryption: It is the process of creating ciphertext from plaintext. Decryption: It is the process of converting ciphertext to plaintext. Cipher: It is an algorithm that is used to encrypt and decrypt text. Key: Keys are the elements used in the technology of encrypting and decrypting text.

Q: Which type of attack is the Man in the middle attack? e. Active f. Passive

g. Both active and passive h. Neither active nor passive. Explanation: Answer option E is correct. Q: Which of the following can be used to perform session hijacking? Each correct answer represents a complete solution. Choose all that apply. i. j. k. l. Session fixation Session sidejacking Cross-site scripting ARP spoofing

Explanation: Answer options A, B, and C are correct. 3. Q: Which of the following types of attack techniques forces a user's session ID to an explicit value? a. Session Fixation attack b. FMS attack c. Zero-day attack d. Max Age attack

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Q: In this particular mode of hijacking, the authentication check is performed only when the session is open. A hijacker who successfully launches this attack is able to take control of the connection throughout the duration of the session. If an attacker is able to steal the session cookie, he can pretend to be the same user, or hijack the session during its lifetime. What countermeasures can the developer implement to prevent this kind of hijacking? Each correct answer represents a complete solution. Choose two. a. Ignore or report unknown or suspicious links forwarded through mails or IM's. b. Clear cookie after browser session is closed. c. Reduce the life span of a session or a cookie. d. Regenerate the session id after a successful login. Explanation: Answer option C is correct. Reducing the life or session of a cookie can increase security, as the expiration of the cookie after a certain time will cause an interruption in application usage. Q: You have been tasked with finding vulnerabilities in a web application. You run a sniffer and try to predict the sessionID number, and try to establish connection impersonating as another user. What vulnerability are you checking for? a. Session hijacking b. Cross site scripting c. SQL injection d. Insecure direct object reference Explanation: Answer option A is correct.

4. Q: Which of the following consists of exploiting insufficient security validation/sanitization of user-supplied input file names? a. Directory traversal b. Dictionary c. Hybrid d. Smart Force

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct Directory traversal (or path traversal) is an attacking method to exploit insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.

Q: Jack was provided a pre-installed Apache server. The server came with default and sample files, including applications, configuration files, scripts, and web pages. In addition, it also had content management and remote administration services enabled. Debugging functions were enabled and administrative functions were made accessible to anonymous users. When Jack's manager takes a look at the server, what does he recommend? a. Appreciate Jack's willingness to leave the default features enabled, so that the server functionalities can be leveraged. b. Alerts Jack that this opens up the possibility that server misconfiguration attacks exploit configuration weaknesses found in web servers and application servers. c. Runs a performance test on the server to check CPU utilization with default files and passwords. d. Gives a go ahead to deploy the server for production applications. Explanation: Answer option B is correct. Q: Jill is a senior developer who is aware of security threats. She writes her code so that when a malicious user makes a URI request for a file/directory , it will build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces). Which web application vulnerability is Jill securing the application against? a. SQL injection b. Cross site scripting c. Security misconfiguration d. Directory traversal attacks Explanation: Answer option D is correct. Q: You are trying to test your webserver security and try navigating to web pages such as http://target.tgt/../../etc/password or http://target.tgt/../../etc/shadown in an effort to pull the files containing user accounts and hashed passwords. What kind of attack are you initially performing?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. Rainbow table attack b. Brute force attack c. Dictionary-based attack d. Directory traversal attack Explanation: Answer option D is correct. Q: You have come to know that your online store page has changed. However, you have not performed any Website update. Which of the following attacks can be the cause of this?

e. f. g. h.

Session hijacking DoS DNS cache poisoning Social engineering

Explanation: Answer option G is correct. This situation is caused by a DNS cache poisoning attack. DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources.

Q: Mark is trying to mitigate again his application so that user-supplied parameters which are placed into HTTP headers should be checked for illegal characters such as carriage returns (%0d) and newlines (%0a). Which web vulnerability is Mark securing his application for? a. SQL injection b. Http response splitting attacks c. Broken authentication and session management d. Security misconfiguration Explanation: Answer option B is correct.

5. Q: On which port is an SSH brute force attack usually executed and what is the purpose of the attack? a. On port 22 to try to do remote login to guess passwords on user accounts b. On port 25 to send emails from the open port

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

c. On port 80 to send multiple TCP handshake attacks d. On port 21 to check for ftp accounts Explanation: Answer option A is correct. Q: You are investigating SSH logs and notice different patterns of attack. In one instance, you see a user ID, and guess with password1, password2, password3, etc. One log file showed that instead of the password changing, the user ID was changed. For example, pick a password and try it with userid1, userid2, userid3, etc. Quite a few IP addresses showed up in different logs examined. The most common user IDs were root, admin, administrator, mysql, oracle, nagios. What kind of attack are you seeing? Each correct answer represents a complete solution. Choose two. a. Replay attack b. Bit flipping attack c. Dictionary attack d. Brute force attack Explanation: Answer options C and D are correct.

5. Q: Which of the following types of attacks occurs when an attacker successfully inserts an intermediary program between two communicating hosts? a. Denial-of-service attack b. Password guessing attack c. Dictionary attack d. Man-in-the-middle attack Explanation: Answer option D is correct.

Q: In which of the following processes would a DNS server return an incorrect IP address, diverting traffic to another computer? e. TCP FIN scanning f. DNS poisoning

g. TCP SYN scanning

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

h. Snooping Explanation: Answer option B is correct.

6. Q: Encrypted viruses use cryptographic techniques to avoid detection. Which of the following statements are true of encrypted viruses? Each correct answer represents a complete solution. Choose all that apply. a. Encrypted viruses are quite similar to polymorphic viruses in their outward appearance. b. Each infected system has a virus with a different signature. c. Encrypted viruses protect Internet clients from forged DNS data, such as DNS cache poisoning. d. Encrypted viruses facilitate slave DNS servers to transfer records from the master server to a slave server. Explanation: Answer options A and B are correct. Q: Which of the following is designed to protect the Internet resolvers (clients) from forged DNS data created by DNS cache poisoning? e. Domain Name System Extension (DNSSEC) f. Split-horizon DNS

g. Stub resolver h. BINDER Explanation: Answer option A is correct. Domain Name System Security Extension (DNSSEC) was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server.

What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

1. Q: Which of the following protocols is designed to secure a wireless network and can be considered equivalent to the security of a wired network? a. b. c. d. WPA2 WTLS WEP WAP

Explanation: Answer option A is correct. WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers enhanced protection to wireless networks than WPA and WEP standards. It is also available as WPA2-PSK and WPA2-EAP for home and enterprise environment respectively. Answer option B is incorrect. Wireless Transport Layer Security (WTLS) is a security layer of WAP which is specifically designed for a wireless environment. It provides privacy, data integrity, and authentication for client-server communications over a wireless network 3. Q: A developer assigns the value of a watch as $500. A hacker alters the value of the watch using an HTML Editor and changes it from $500 to $20. He submits the slightly altered HTML page and concludes a transaction of the item. What kind of attack has the website been subjected to? a. Buffer overflow b. Hidden field manipulation c. Cross site scripting d. SQL injection Explanation: Answer option B is correct. Sometimes developers working under tight timelines may take the help of hidden fields to store information. Sensitive information should not be made available in the client code where a malicious user can change it. In this case, even though the hidden fields are beyond the reach of usual users, a curious hacker with the knowledge of programming can unearth the fields and data and exploit them. Hidden field manipulation attacks can expose crucial business information of a website and make the online store face huge losses. Q: An attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

attacker takes control of the user's system. Which of the following attacks has the attacker performed? a. b. c. d. Cross-site scripting attack Code injection attack Replay attack Buffer-overflow attack

Explanation: Answer option A is correct. A cross-site scripting attack is one in which an attacker enters malicious data into a Website Q: John works as a Network Security Administrator for uCertify Inc. An employee of the company meets John and tells him that a few months ago, he had filled an online bank form for some account related work. Today, when he revisits the same site, he finds that some of his personal information is still being displayed on the web page. Which of the following types of cookies should John disable to resolve the issue?

a. b. c. d.

Persistent Temporary Session Secure

Explanation: Answer option A is correct. According to the scenario, John should disable the persistent cookie. Persistent cookies are those that remain on a computer even when Internet Explorer is closed Q: You visit a malicious website soon after visiting your bank website. Your session on the previous site might still be valid. The malicious website causes a form post to the previous website. Your browser sends the authentication cookie back to that site and appears to be making a request on your behalf, even though you did not authorize it. What kind of attack have you been exposed to? a. CSRF attack b. Stored cross site scripting attack c. Reflected cross site scripting attack d. Dom based cross-site scripting attack Explanation: Answer option A is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

CSRF exploits the trust that a site has in a user's browser. The attack works by including a script in a malicious site that accesses a site to which the user is known to have been authenticated. CSRF exploits vulnerable web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. Q: Which of the following is a proxy server for security testing of Web applications?

e. f. g. h.

BURP BlackWidow cURL Instant Source

Explanation: Answer option A is correct.

BURP: Burp Proxy is a proxy server for security testing of Web applications, which operates as a man-in-the-middle between the browser and the target application.

4. Q: You have been invited as a web application security architect to recommend important countermeasures to the development team that will protect web application against common attacks. What is one of the most basic checks that you would recommend developers implement in their code for malicious user entries? a. Input validation b. ESAPI locators c. Security Misconfiguration d. Randomizers Explanation: Answer option A is correct. A malicious user may enter scripts where data or numerical variables are expected. Input validation can be done by sanitizing, encoding or replacing user inputs.

5. Q: You are an application security architect who is designing a defense in depth security for common website vulnerabilities like cross-site scripting, SQL injection etc. You ensure that secure coding practices are followed by developers and the network team deploys IDS/IPS appliances. Personal firewalls and anti-virus systems are deployed. What else do you configure to counter web application attacks?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. Honeypot b. Web application firewalls c. VPN d. RBAC Explanation: Answer option B is correct. A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. Answer option A is incorrect. A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

Chapter 14 SQL Injection


1. Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He enters a single quote in the input field of the login page of the We-are-secure Web site and receives the following error message: Microsoft OLE DB Provider for ODBC Drivers error '0x80040E14' This error message shows that the We-are-secure Website is vulnerable to __________. a. b. c. d. An XSS attack A Denial-of-Service attack A buffer overflow A SQL injection attack

Explanation: Answer option D is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

3. Q: You work as a Network Penetration tester in Secure Inc. Your company takes the projects to test the security of various companies. Recently, Secure Inc. has assigned you a project to test the security of a Web site. You go to the Web site login page and you run the following SQL query:
1. SELECT email, passwd, login_id, full_nameFROM membersWHERE email ='attacker@somehwere.com'; DROP TABLE members;--'

What task will the above SQL query perform? a. Deletes the entire members table. b. Deletes the rows of members table where email id is 'attacker@somehwere.com' given. c. Deletes the database in which members table resides. d. Performs the XSS attacks. Explanation: Answer option A is correct.

4. Q: Which of the following characters will you use to check whether an application is vulnerable to a SQL injection attack? a. b. c. d. Single quote (') Double quote (") Semi colon (;) Dash (-)

Explanation: Answer option A is correct. A single quote (') can be used to explore a SQL injection attack. A SQL injection attack is a process in which an attacker tries to execute unauthorized SQL statements.

5. Q: The security department of a financial company has mandated that developers secure applications against SQL injection. Developers must never allow client supplied data to modify the syntax of the SQL statements. All SQL statements required by the applications should be in stored procedures and kept on a database server. However, the organization is worried about the increasing number of attacks, and asks you if any additional defensive security scanning tools should be deployed. What would you recommend? a. Acutenix

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

b. sqlninja c. SQLIer d. sqlmap Explanation: Answer option A is correct. Acunetix Web Vulnerability Scanner automatically checks web applications for SQL Injection, XSS, and other web vulnerabilities. 6. Q: The Voyager worm is a computer worm that was posted on the Internet on October 31, 2005, and is designed to target Oracle databases. If activated, it will grant DBA to PUBLIC. What methodology does the Voyager worm use to attack Oracle servers? a. SQL Injection b. Buffer Overflow c. Code Injection attack d. By using default accounts and passwords Explanation: Answer option D is correct.

Chapter 15 Hacking Wireless Networks


1. Q: Every network device contains a unique built-in Media Access Control (MAC) address, which is used to identify the authentic device to limit network access. Which of the following addresses is a valid MAC address? a. 1011-0011-1010-1110-1100-0001 b. A3-07-B9-E3-BC-F9 c. 132.298.1.23 d. F936.28A1.5BCD.DEFA Explanation: Answer option B is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

The general format for writing MAC addresses is to use six groups of two hexadecimal digits, each separated by a hyphen

Q: Which of the following wireless security features provides the best wireless security mechanism?

a. b. c. d.

WEP WPA with Pre Shared Key WPA with 802.1X authentication WAP

Explanation: Answer option C is correct. WPA with 802.1X authentication provides the best wireless security mechanism. 802.1X authentication, also known as WPA-Enterprise, is a security mechanism for wireless networks. 802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server.

What is an Initialization Vector (IV)?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

An initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go through a re-keying process. The size of the IV depends on the encryption algorithm and on the cryptographic protocol in use and is normally as large as the block size of the cipher or as large as the encryption key. The IV must be known to the recipient of the encrypted information to be able to decrypt it. 2. Q: Victor works as a professional Ethical Hacker for SecureEnet Inc. He wants to scan the wireless network of the company. He uses a tool that is a free open-source utility for network exploration. The tool uses raw IP packets to determine the following:

To determine what ports are open on network systems To determine what hosts are available on the network To identify unauthorized wireless access points To determine what services (application name and version) those hosts are offering To determine what operating systems (and OS versions) they are running To determine what type of packet filters/firewalls are in use

Which of the following tools is Victor using? a. b. c. d. Kismet Nessus Nmap Sniffer

Explanation: Answer option C is correct. Nmap is an active information gathering tool. The nmap utility, also commonly known as port scanner, is used to view the open ports on a Linux computer. It is used by administrators to determine which services are available for external users. 5. Q: Victor works as a network administrator for DataSecu Inc. He uses a dual firewall Demilitarized Zone (DMZ) to insulate the rest of the network from the portions that are available to the Internet. Which of the following security threats may occur if DMZ protocol attacks are performed? Each correct answer represents a complete solution. Choose three. a. The attacker can gain access to the Web server in a DMZ and exploit the database.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

b. The attacker can exploit any protocol used to go into the internal network or intranet of the company. c. The attacker can perform a Zero Day attack by delivering a malicious payload that is not a part of the intrusion detection/prevention systems guarding the network. d. The attacker managing to break the first firewall defense can access the internal network without breaking the second firewall if it is different. Explanation: Answer options A, B, and C are correct.

Q: Which of the following statements are true about SSIDs? Each correct answer represents a complete solution. Choose three. e. An SSID is used to identify a wireless network. f. SSIDs are case insensitive text strings and have a maximum length of 64 characters. g. All wireless devices on a wireless network must have the same SSID in order to communicate with one another. h. Configuring the same SSID as that of the other Wireless Access Points (WAPs) of other networks will create a conflict. Explanation: Answer options A, C, and D are correct. SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case sensitive text strings and have a maximum length of 32 characters. What is the main advantage that a network-based IDS/IPS system has over a host-based solution? A. They will slow down the interfaces on the user's machine B. They are easier to install and configure. C. They do not use the host system's resources. D. They are placed at the boundary answer: C Which security strategy requires using several, varying methods to protect IT systems against attacks? A. Data Loss Prevention

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

B. Overt channels C. Three-way handshake D. Defense in depth answer: D

6. Q: Which of the following statements are true for WPA? Each correct answer represents a complete solution. Choose all that apply. a. WPA provides better security than WEP. b. WPA-PSK requires that a user enter an 8-character to 63-character passphrase into a wireless client. c. WPA-PSK converts the passphrase into a 256-bit key. d. Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is used. Explanation: Answer options A, B, C, and D are correct. WPA stands for Wi-Fi Protected Access. It is a wireless security standard. It provides better security than WEP (Wired Equivalent Protection). Windows Vista supports both WPA-PSK and WPA-EAP. 7. Q: You are concerned about attackers simply passing by your office, discovering your wireless network, and getting into your network via the wireless connection. Which of the following are NOT the steps involved in securing your wireless connection? Each correct answer represents a complete solution. Choose two. a. b. c. d. e. Using either WEP or WPA encryption MAC filtering on the router Hardening the server OS Not broadcasting SSID Using strong password policies on workstations

Explanation: Answer options C and E are correct. Both hardening the server OS and using strong password policies on workstations are good ideas, but neither has anything to do with securing your wireless connection.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Q: A Web developer with your company wants to have wireless access for contractors that come in to work on various projects. The process of getting this approved takes time. So rather than wait, he has put his own wireless router attached to one of the network ports in his department. What security risk does this present? a. None, adding a wireless access point is a common task and not a security risk. b. It is likely to increase network traffic and slow down network performance. c. An unauthorized WAP is one way for hackers to get into a network. d. This circumvents network intrusion detection. Explanation: Answer option C is correct.

What is WAP?
Wireless Access Point (WAP) is a communication device that is capable of both transmitting and receiving signals in a wireless LAN. This unit is connected to servers or directly to a network and other devices using a standard cabled network protocol. Q: You are concerned about rogue wireless access points being connected to your network. What is the best way to detect and prevent these? a. Network anti-virus software b. Network anti-spyware software c. Site surveys d. Protocol analyzers Explanation: Answer option C is correct.

Q: You have detected what appears to be an unauthorized wireless access point on your network. However, this access point has the same MAC address as one of your real access points and is broadcasting with a stronger signal. What is this called? a. The evil twin attack b. Bluesnarfing c. DOS d. WAP cloning

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. In the evil twin attack, a rogue wireless access point is set up that has the same MAC address as one of your legitimate access points. That rogue WAP will often then initiate a denial of service attack on your legitimate access point, making it unable to respond to users, so they are redirected to the 'evil twin'. Q: You are concerned about war driving bringing the hacker's attention to your wireless network. What is the most basic step you can take to mitigate this risk? a. Don't broadcast SSID b. Implement WEP c. Implement WPA d. Implement MAC filtering Explanation: Answer option A is correct. Q: Which of the following statements are true about locating rogue access points using WLAN discovery software such as NetStumbler, Kismet, or MacStumbler if you are using a Laptop integrated with Wi-Fi compliant MiniPCI card? Each correct answer represents a complete solution. Choose all that apply. a. These tools cannot detect rogue access points if the victim is using data encryption. b. These tools detect rogue access points if the victim is using IEEE 802.11 frequency bands. c. These tools can determine the rogue access point even when it is attached to a wired network. d. These tools can determine the authorization status of an access point. Explanation: Answer options B and D are correct.

Q: Which of the following tools monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools? a. b. c. d. WIPS IDS Snort Firewall

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Wireless intrusion prevention system (WIPS) monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Q: You work as an Administrator for Bluesky Inc. The company has 145 Windows XP Professional client computers and eighty Windows 2003 Server computers. You want to install a security layer of WAP specifically designed for a wireless environment. You also want to ensure that the security layer provides privacy, data integrity, and authentication for client-server communications over a wireless network. Moreover, you want a client and server to be authenticated so that wireless transactions remain secure and the connection is encrypted. Which of the following options will you use to accomplish the task? a. b. c. d. Wireless Transport Layer Security (WTLS) Recovery Console Wired Equivalent Privacy (WEP) Virtual Private Network (VPN)

Explanation: Answer option A is correct. Wireless Transport Layer Security (WTLS) is a security layer of WAP which is specifically designed for a wireless environment. It provides privacy, data integrity, and authentication for clientserver communications over a wireless network Q: Ryan wants to create an ad hoc wireless network so that he can share some important files with another employee of his company. Which of the following wireless security protocols should he choose for setting up an ad hoc wireless network? Each correct answer represents a complete solution. Choose two. e. WEP f. WPA2 -EAP

g. WPA-PSK h. WPA-EAP Explanation: Answer options E and G are correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

6. Q: An executive in your company reports odd behavior on her PDA. After investigation, you discover that a trusted device is actually copying data of the PDA. The executive tells you that the behavior started shortly after accepting an e-business card from an unknown person. What type of attack is this? a. Bluesnarfing b. PDA hijacking c. Session hijacking d. Privilege escalation Explanation: Answer option A is correct. Bluesnarfing is a rare attack in which an attacker takes control of a Bluetooth-enabled device. One way to do this is to get your PDA to accept the attacker's device as a trusted device. 7. Q: One of the sales people in your company complains that sometimes he gets a lot of unsolicited messages on his PDA. After asking a few questions, you determine that the issue only occurs in crowded areas such as airports. What is the most likely problem? a. Bluesnarfing b. Bluejacking c. A virus d. Spam Explanation: Answer option B is correct. Bluejacking is the process of using another Bluetooth device that is within range (about 30' or less) and sending unsolicited messages to the target.

Q: Mark works as a project engineer in Tech Perfect Inc. His office is configured with Windows XPbased computers. The computer that he uses is not configured with a default gateway. He is able to access the Internet, but is not able to use e-mail services via the Internet. However, he is able to access e-mail services via the intranet of the company. Which of the following could be the reason of not being able to access e-mail services via the Internet?

a. Protocols other than TCP/IP b. IP packet filter

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

c. Router d. Proxy server Explanation: Answer option D is correct. A proxy server exists between a client's Web-browsing program and a real Internet server

1. Q: When no anomaly is present in an Intrusion Detection, but an alarm is generated, the response is known as __________. a. b. c. d. False positive False negative True positive True negative

Explanation: Answer option A is correct. The following are the types of responses generated by an IDS : 1. True Positive: A valid anomaly is detected, and an alarm is generated. 2. True Negative: No anomaly is present, and no alarm is generated. 3. False Positive: No anomaly is present, but an alarm is generated. This is the worst case scenario. If any IDS generates a false positive response at a high rate, the IDS is ignored and not used. 4. False Negative: A valid anomaly is present, and no alarm is generated. 2. Q: Host-based IDS (HIDS) is an Intrusion Detection System that runs on the system to be monitored. HIDS monitors only the data that it is directed to, or originates from the system on which HIDS is installed. Besides monitoring network traffic for detecting attacks, it can also monitor other parameters of the system such as running processes, file system access and integrity, and user logins for identifying malicious activities. Which of the following tools are examples of HIDS? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Tripwire BlackIce Defender HPing Legion

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer options A and B are correct. Tripwire and BlackIce Defender are examples of HIDS. Tripwire is an HIDS tool that automatically calculates the cryptographic hashes of all system files as well as any other file that a Network Administrator wants to monitor for modifications. It then periodically scans all monitored files and recalculates the information to see whether the files have been modified or not Q: You work as a Network Administrator for Tech2tech Inc. You have configured a networkbased IDS for your company. You have physically installed sensors at all key positions throughout the network such that they all report to the command console. What will be the key functions of the sensors in such a physical layout? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. To analyze for known signatures To collect data from operating system logs To collect data from Web servers To notify the console with an alert if any intrusion is detected

Explanation: Answer options A and D are correct. In a network-based IDS, when sensors are installed at key positions throughout a network-based IDS, they work as full detection engines. In such a case, they have the ability to sniff the packets, analyze them for known signatures, and notify to the console as soon as an intrusion is detected. Q: You work as a Network Administrator for Tech Perfect Inc. The company has a TCP/IPbased routed network. You have recently come to know about the Slammer worm, which attacked computers in 2003 and doubled the number of infected hosts every 9 seconds or so. Slammer infected 75000 hosts in the first 10 minutes of the attack. To mitigate such security threats, you want to configure security tools on the network. Which of the following tools will you use?

e. f. g. h.

Intrusion Detection Systems Intrusion Prevention Systems Anti-x Firewall

Explanation: Answer option B is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Intrusion Prevention System (IPS) is a tool that is used to prevent sophisticated attacks on the network. The IPS tool detects such attacks by keeping an eye on the trends, looking for attacks that use particular patterns of messages, and other factors 6. Q: John works as a Network Security Administrator for uCertify Inc. He has been assigned the task of installing a MySQL server. John wants to monitor only the data that is directed to or originating from the server. He also wants to monitor running processes, file system access and integrity, and user logins for identifying malicious activities. Which of the following intrusion detection techniques will John use to accomplish the task? a. b. c. d. Host-based Network-based Anomaly-based Signature-based

Explanation: Answer option A is correct. A host-based IDS (HIDS) is an Intrusion Detection System that runs on the system that is to be monitored. HIDS monitors only the data that is directed to or originating from the system on which HIDS is installed. Besides relying on network traffic for detecting attacks, Q: Adam works as a Security Analyst for Umbrella Inc. He is retrieving a large amount of log data from various resources such as Apache log files, IIS logs, streaming servers, and some FTP servers. He is facing difficulties in analyzing the logs that he has retrieved. To solve this problem, Adam decides to use the AWStats application. Which of the following statements are true of AWStats? Each correct answer represents a complete solution. Choose all that apply. e. It generates advanced Web, streaming, or mail server statistics graphically. f. It works only as a CGI and shows all possible information contained in the log. g. It can analyze log files server tools such as Apache log files, WebStar, IIS and other Web, proxy, and some ftp servers. h. It can work with all Web hosting providers, which allow Perl, CGI, and log access. Explanation: Answer options A, C, and D are correct. AWStats is a free powerful tool, which is used to generate Web, streaming, mail server statistics graphically. It works as a CGI or from command line. AWStats shows all possible information contained in a log. It can analyze log files from almost all server tools such as Apache log files, WebStar, IIS (W3C log format) and various other Web, proxy, wap, streaming servers, mail servers

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

and some ftp servers. AWStats can work with all Web hosting providers, which allow Perl, CGI and log access. Answer option B is incorrect. AWStats works as a CGI or from command line. Reference: EC-Council Certified Security Analyst Course Manual, Contents: "Log Analysis" 7. Q: You work as a Network Administrator for NetTech Inc. Employees in remote locations connect to the company's network using Remote Access Service (RAS). Which of the following will you use to pass or block packets from specific IP addresses and ports? a. b. c. d. Firewall Bridge Gateway Antivirus software

Explanation: Answer option A is correct. A firewall is a tool to provide security to a network. It is used to protect an internal network or intranet against unauthorized access from the Internet or other outside networks. It restricts inbound and outbound access and can analyze all traffic between an internal network and the Internet. Users can configure a firewall to pass or block packets from specific IP addresses and ports. An administrator can configure the following settings for a firewall: Q: Which of the following statements about packet filtering is true? a. b. c. d. It allows or restricts the flow of specific types of packets to provide security. It is used to send confidential data on the public network. It allows or restricts the flow of encrypted packets to provide security. It is used to store information about confidential data.

Explanation: Answer option A is correct. Packet filtering is a method that allows or restricts the flow of specific types of packets to provide security. It analyzes the incoming and outgoing packets and lets them pass or stops them at a network interface based on the source and destination addresses, ports, or protocols. Q: Which of the following areas of a network contains DNS servers and Web servers for Internet users?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

e. f. g. h.

VLAN VPN MMZ DMZ

Explanation: Answer option D is correct. The DMZ is an IP network segment that contains resources available to Internet users such as Web servers, FTP servers, e-mail servers, and DNS servers. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

6. 7. Q: Which of the following types of computers is used for attracting potential intruders? a. b. c. d. Files pot Honeypot Bastion host Data pot

Explanation: Answer option B is correct. A honeypot is a computer that is used to attract potential intruders or attackers. It is for this reason that a honey pot has low security permissions. A honeypot is used to gain information about the intruders and their attack strategies.

8. Q: Which of the following two cryptography methods are used by the NTFS Encrypting File System (EFS) to encrypt data stored on a disk on a file-by-file basis? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Public key Twofish RSA Digital certificates

Explanation: Answer options A and D are correct. EFS uses public key cryptography and digital certificates to encrypt data stored on a disk on a fileby-file basis. Q: Which of the following tools is based on Linux and used to carry out the Penetration Testing? e. Ettercap f. JPlag

g. Vedit h. BackTrack (now KALI) Explanation: Answer option D is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

46. 46. Q: You want to create a binary log file using tcpdump. Which of the following commands will you use? a. b. c. d. tcpdump -w tcpdump -B tcpdump -d tcpdump -dd

Explanation: Answer option A is correct. The term tcpdump refers to a common packet sniffer that runs under the command line

54. Q: Which of the following protocols is used by Internet Relay Chat (IRC) for its proper working? a. b. c. d. TCP ICMP SMTP IMAP

Explanation: Answer option A is correct.

Q: Adam works as a Network Administrator. He discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. Which of the following types of authentication mechanism is used here? a. Single key authentication b. Open system authentication c. Pre-shared key authentication d. Shared key authentication Explanation: Answer option D is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

57. Q: Adam works as a professional Ethical Hacker. A project has been assigned to him to test the security of www.adam-forgenet.com. He starts a port scan, which gives the following result: Scan directed at open port:ClientServer192.168.1.90:4079 -----FIN/URG/PSH---->192.168.1.120:23adam-forgenet.com192.168.1.90:4079 <----NO RESPONSE-----192.168.1.120:23 Scan directed at the closed port:ClientServer192.168.1.90:4079 -----FIN/URG/PSH---->192.168.1.120:23192.168.1.90:4079<-----RST/ACK----------192.168.1.120:23 Which of the following types of scans is Adam implementing? a. XMAS scan b. SYN scan c. RPC scan d. IDLE scan Explanation: Answer option A is correct.

59. Q: Adam works as a sales manager for Umbrella Inc. He wants to download software from the Internet. As the software comes from a site in his untrusted zone, Adam wants to ensure that the downloaded software has not been Trojaned. Which of the following options would indicate the best course of action for Adam? a. Compare the file's virus signature with the one published on the distribution. b. Compare the file size of the software with the one given on the Website. c. Compare the version of the software with the one published on the distribution media. d. Compare the file's MD5 signature with the one published on the distribution media. Explanation: Answer option D is correct. The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest. Q: Which of the following tools is described in the statement given below? "It has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX,

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Windows, and commonly used web CGI scripts. Moreover, the database detects DDoS zombies and Trojans as well." a. Nmap b. Nessus c. SARA d. Anti-x Explanation: Answer option B is correct. Nessus is proprietary comprehensive vulnerability scanning software. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on tested systems. It is capable of checking various types of vulnerabilities, some of which are as follows:

63. Q: Which of the following attacks can be overcome by applying cryptography? a. Buffer overflow b. Sniffing c. Web ripping d. DoS Explanation: Answer option B is correct.

where the hostlist.txt file contains the list of IP addresses and request.txt is the output file. Which of the following tasks do you want to perform by running this script? a. b. c. d. You want to perform banner grabbing to the hosts given in the IP address list. You want to perform port scanning to the hosts given in the IP address list. You want to put nmap in the listen mode to the hosts given in the IP address list. You want to transfer the hostlist.txt file to the hosts given in the IP address list.

Explanation: Answer option A is correct. Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. Firewall testing Port scanning and service identification Creating a Backdoor Checking file integrity

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer options A, B, and C are correct. NetCat can be used to perform various tasks, such as firewall testing, port scanning and service identification, creating a backdoor, etc. Q: Adam works as a Security Administrator for Umbrella Inc. While monitoring his IDS, Adam discovers that there are a large number of ICMP Echo Reply packets being received on the external gateway interface. On further inspection, he notices that the ICMP Echo Reply packets are coming from the Internet without any request from the internal host. Which of the following is the most likely cause of this issue? a. A smurf attack has occurred on the company's network. b. A land attack has occurred on the company's network. c. A DoS attack has occurred on the company's network. d. A fraggle attack has occurred on the company's network. Explanation: Answer option A is correct.

What are common signs that a system has been compromised or hacked? (Choose three.) A. Server hard drives become fragmented B. Partitions are encrypted C. Consistency in usage baselines D. Patterns in time gaps in system and/or event logs E. New user accounts created F. Increased amount of failed logon events answer: b, c and f which of the following is the BEST option when dealing with risk? a. ignore the risk b. mitigate the risk c. deny the risk d. exploit the risk

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

answer: B 72. Q: Adam works as a professional Penetration tester. A project has been assigned to him to employ penetration testing on the network of Umbrella Inc. He is running the test from home and had downloaded every security scanner from the Internet. Despite knowing the IP range of all of the systems and the exact network configuration, Adam is unable to get any useful results. Which of the following is the most like cause of this problem? Each correct answer represents a complete solution. Choose all that apply. a. Security scanners are not designed to do testing through a firewall. b. Security scanners cannot perform vulnerability linkage. c. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities. d. Security scanners are as smart as their database and can find unpublished vulnerabilities. Explanation: Answer options A, B, and C are correct. Your manager has asked you to develop something that will show improvement of the state of security of your network over time. What must you develop? a. reports b. metrics c. standards d. testing policy answer B

7. Q: John works as a C programmer. He develops the following C program:

#include <stdlib.h>#include <stdio.h>#include <string.h> int buffer(char *str) { char buffer1[10]; strcpy(buffer1, str); return 1;} int main(int argc, char *argv[]) { buffer (argv[1]); printf("Executed\n"); return 1;}

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

His program is vulnerable to a __________ attack. a. b. c. d. Buffer overflow Denial-of-Service SQL injection Cross site scripting

Explanation: Answer option A is correct. This program takes a user-supplied string and copies it into 'buffer1', which can hold up to 10 bytes of data. If a user sends more than 10 bytes, it would result in a buffer overflow.

Buffer Overflow
Buffer overflow is a condition in which an application receives more data than it is configured to accept. It helps an attacker not only to execute a malicious code on the target system but also to install backdoors on the target system for further attacks Q: Which of the following is a term that refers to unsolicited e-mails sent to a large number of e-mail users? a. Buffer overflow b. Biometrics c. Hotfix d. Spam Explanation: Answer option D is correct. Spam is a term that refers to the unsolicited e-mails sent to a large number of e-mail users. Q: Which of the following languages are vulnerable to a buffer overflow attack? Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. C C++ Java Action script

Explanation: Answer options A and B are correct. C and C++ are the languages that are vulnerable to a buffer overflow attack

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

1. Q: Which of the following algorithms can be used to check the integrity of a file? Each correct answer represents a complete solution. Choose two. a. b. c. d. md5 sha rsa blowfish

Explanation: Answer options A and B are correct. Any hashing algorithm can be used to know whether any changes have occurred in a file or not. In this process, the hashing algorithm calculates the hash value of the file specified and a sender sends hash value also with the file. Now, a receiver recalculates the hash value of the file and matches whether both the hashes are the same or not. Since md5 and sha are hashing algorithms, these can be used to check the integrity of a file.

Functions of SSL
Secure Sockets Layer (SSL) is used to secure Web communications between clients and Web servers. The SSL protocol provides communications privacy, authentication, and message integrity. This protocol enables clients and servers to communicate in a manner that prevents eavesdropping and tampering. Internet Protocol Security (IPSec) is a standard-based protocol that provides the highest level of VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and password. IPSec cannot be used with Point-to-Point Tunneling Protocol (PPTP). Which property ensures that a hash function will not produce the same hashed value for two different messages? A. Entropy B. Key length C. Bit strength D. Collision resistance answer: D

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

5. Q: You work as a Network Administrator for Tech Perfect Inc. The company has a Linux-based network. You have configured a VPN server for remote users to connect to the company's network. Which of the following encryption types will Linux use? a. b. c. d. RC2 MSCHAP CHAP 3DES

Explanation: Answer option D is correct. For VPN connections, Linux uses 3DES encryption. 8. Q: Andrew works as a Software Developer for Mansoft Inc. The company's network has a Web server that hosts the company's Web site. Andrew wants to enhance the security of the Web site by implementing Secure Sockets Layer (SSL). Which of the following types of encryption does SSL use? Each correct answer represents a complete solution. Choose two. a. b. c. d. Secret IPSec Asymmetric Symmetric

Explanation: Answer options C and D are correct. SSL uses asymmetric and symmetric encryptions to accomplish the task.Secure Sockets Layer (SSL) is a protocol used to transmit private documents via the Internet. SSL uses a combination of public key and symmetric encryption to provide communication privacy, authentication, and message integrity. Q: Which of the following encryption algorithms are based on stream ciphers? Each correct answer represents a complete solution. Choose all that apply. a. Blowfish b. FISH c. Twofish d. RC4

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer options B and D are correct. FISH and RC4 encryption algorithms are based on stream ciphers. Q: Which of the following cryptographic algorithms is a hashing algorithm that is vulnerable to collision and rainbow attacks?

a. b. c. d.

MD5 RC5 AES RSA

Explanation: Answer option A is correct.

Q: Which of the following cryptographic algorithms is easiest to crack? a. AES b. DES c. SHA-1 d. RC5 Explanation: Answer option B is correct.

Each correct answer represents a complete solution. Choose all that apply. a. b. c. d. RC4 MD5 SHA AES

Explanation: Answer options B and C are correct. MD5 and SHA are hashing algorithms. Q: Which of the following protocols provides a framework for the negotiation and management of security associations between peers and traverses the UDP/500 port? a. ISAKMP b. IKE c. ESP

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

d. AH Explanation: Answer option A is correct. Q: Which of the following statements is true of digital signature?

a. b. c. d.

Digital signature verifies the identity of the person who applies it to a document. Digital signature is required for an e-mail message to get through a firewall. Digital signature compresses the message to which it is applied. Digital signature decrypts the contents of documents.

Explanation: Answer option A is correct. Digital signature is a personal authentication method based on encryption and authorization codes. It is used for signing electronic documents. Digital signature not only validates the sender's identity, but also ensures that the document's content has not been altered.

20. Q: Mark is implementing security on his e-commerce site. He wants to ensure that a customer sending a message is really the one he claims to be. Which of the following techniques will he use to ensure this? a. b. c. d. Digital signature Authentication Packet filtering Firewall

Explanation: Answer option A is correct.

Q: In which of the following cryptographic attacking techniques does an attacker obtain encrypted messages that have been encrypted using the same encryption algorithm? a. b. c. d. Known plaintext attack Ciphertext only attack Chosen plaintext attack Chosen ciphertext attack

Explanation: Answer option B is correct.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

In a ciphertext only attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm.

Known plaintext attack: In a known plaintext attack, the attacker should have both the plaintext and ciphertext of one or more messages. These two items are used to extract the cryptographic key and recover the encrypted text. Ciphertext only attack: In this attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm. For example, the original version of WEP used RC4, and if sniffed long enough, the repetitions would allow a hacker to extract the WEP key. Such types of attacks do not require the attacker to have the plaintext because the statistical analysis of the sniffed log is enough. Chosen plaintext attack: In a chosen plaintext attack, the attacker somehow picks up the information to be encrypted and takes a copy of it with the encrypted data. This is used to find patterns in the cryptographic output that might uncover vulnerability or reveal a cryptographic key. Chosen ciphertext attack: In this type of attack, the attacker can choose the ciphertext to be decrypted and can then analyze the plaintext output of the event. The early versions of RSA used in SSL were actually vulnerable to this attack. 2. Q: How is Gray box testing different from black hat testing? a. In the white box testing, the tester has no knowledge of the target. He has been given only the name of the company. b. In the black box testing, the test has complete knowledge of the internal company network. c. In the gray box testing, the tester has to try to gain access into a system using commercially available tools only. d. In the gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges.

Explanation: Answer option D is correct. In the gray box testing, the attacker performs attacks with a normal user account to see if he can escalate privileges. Answer option A is incorrect. White box testing is a security testing method that can be used to validate whether application implementation follows the intended design, to validate implemented security functionality, and to uncover exploitable vulnerabilities. Answer option B is incorrect. Black box testing assumes no prior knowledge of the infrastructure to

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

be tested. The testers must first determine the location and extent of the systems before commencing their analysis. Q: As a security consultant, you have been brought in to run vulnerability assessment on a large entertainment organization. Company management wants to know how long it will take before you can break into and get access to sensitive financial data. How would you respond to them? a. You would try your best, and should be able to get access within 2-3 weeks. b. You politely point out to them that you are running a vulnerability assessment and that does not involve pentesting, which includes getting access to sensitive data. c. You let me know that it is directly dependant on the security posture of the organization, and how well controls have been implemented. d. You let them know that it depends on the contract on whether white-box testing is allowed or black-box testing approach has to be taken. Explanation: Answer option B is correct. Q: What are some of the end goals of a successful pentesting effort? a. Verifying whether in the event of hardware damage, certain data could be restored with a regular backup b. Generally examining the IT infrastructure in terms of its compliance, efficiency, effectiveness, etc c. Identifying vulnerabilities and improving security of technical systems d. Cataloging assets and resources in a system Explanation: Answer option C is correct. For a successful penetration test that meets the client's expectations, the clear definition of goals is absolutely essential. If goals cannot be attained or cannot be achieved efficiently, the tester should notify the client in the preparation phase and recommend alternative procedures such as an IT audit or IT security consulting services. Q: Which of the following statements differentiates a penetration tester from an attacker?

a. b. c. d.

A penetration tester uses various vulnerability assessment tools. A penetration tester does not test the physical security. A penetration tester does not perform a sniffing attack. A penetration tester differs from an attacker by his intent and lack of malice.

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option D is correct. A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

7. Q: Which of the following principle steps of risk management includes identification of vulnerabilities, assessment of losses caused by threats materialized, cost-benefit examination of countermeasures, and assessment of attacks? a. Risk assessment b. Vulnerability management c. Assessment, monitoring, and assurance d. Adherence to security standards and policies for development and deployment Explanation: Answer option A is correct. Risk assessment includes identification of vulnerabilities, assessment of losses caused by threats materialized, cost-benefit examination of countermeasures, and assessment of attacks.

9. Q: If you are trying domain name related records for a given organization, which tool would you first use? a. NSLookup b. Nmap c. Neotrace d. Traceroute Explanation: Answer option A is correct. NSLookup is used to query Internet domain name servers. It is used to display DNS records for IP and host names of important servers.

10. Q: What command will you use to grab a password file through Netcat? a. pwdump> file.txt. b. nc -l -p <port number> -e cmd.exe -d c. nc -l -u -p 1111 < /etc/passwd

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

d. nc <ip address><port number><passwd> Explanation: Answer option C is correct. You can use netcat to grab a password file. This command is listening on port 1111 and grabbing the /etc/passwd file. Q: A fast food chain is planning to tighten the security posture of the IT infrastructure. For the initial period, a lower security budget has been approved, and the company is planning to run the tests via tools with an internal team in a concurrent fashion that will replicate the attacks from external intruders. When an increased budget gets approved, the new assessments will take into account other areas such as security architecture and policy. What testing sequence should the company follow? a. b. c. d. Black box testing followed by white box testing Automated testing followed by manual testing Grey box testing all through Manual testing followed by automated testing

Explanation: Answer option B is correct.

Q: Mark, a malicious hacker, hides a hacking tool from a system administrator of his company by using Alternate Data Streams (ADS). Which of the following statements is true in this situation? a. b. c. d. Mark is using the NTFS file system. Mark is using the FAT file system. Alternate Data Streams is a feature of the Linux operating system. Mark's computer runs on the Microsoft Windows 98 operating system. answer: A

13. Q: Mark works as a backup administrator for uCertify Inc. He is responsible for taking backups of important data, and so he is only authorized to access this data for backing it up. However, sometimes users with different roles need to access the same resources. By which of the following can this situation be handled? a. b. c. d. Role-Based Access Control (RBAC) Mandatory Access Control (MAC) Discretionary Access Control (DAC) Access Control List (ACL)

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. Role-based access control (RBAC) is an access control model. In this model, a user can access resources according to his role in the organization. For example, a backup administrator is responsible for taking backups of important data. Therefore, he is only authorized to access this data for backing it up. However, sometimes users with different roles need to access the same resources. This situation can also be handled using the RBAC model. Answer option B is incorrect. Mandatory Access Control (MAC) is a model that uses a predefined set of access privileges for an object of the system. Access to an object is restricted on the basis of the sensitivity of the object and granted through authorization. Sensitivity of an object is defined by the label assigned to it. For example, if a user receives a copy of an object that is marked as "secret", he cannot grant permission to other users to see this object unless they have the appropriate permission. Answer option C is incorrect. Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. Two important concepts in DAC are as follows: 14. Q: You are a malicious hacker and want to run a port scan on a system to investigate open ports and other valuable information. You are using the nmap command for this purpose. As you are concerned that someone running PortSentry could block your scans, you decide to slow the scans so that no one can detect them. Which nmap command will you use to accomplish the task? a. b. c. d. nmap -sS -PT -PI -O -T1 <ip address> nmap -sO -PT -O -C5 <ip address> nmap -sF -P0 -O <ip address> nmap -sF -PT -PI -O <ip address>

Explanation: Answer option A is correct. Q: You work as a security administrator for uCertify Inc. Mark, a manager of the sales department, is currently out of station due to some urgent work. He has asked that you send some very sensitive data to him in a USB Flash drive. You are concerned about the security of the data. For security reasons, you initially think of encrypting these files, but decide against it out of fear that the encryption keys could eventually be broken. Which software application will you use to hide the data in the USB flash drive? a. Snow b. EFS

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

c. File Sniff d. File Sneaker Explanation: Answer option A is correct. Q: You work as a security administrator for uCertify Inc. You discover that there are a large number of ICMP Echo Reply packets being received on the external gateway interface while monitoring your IDS. After more investigations, you notice that the ICMP Echo Reply packets are coming from the Internet without any request from the internal host. Which of the following types of attacks can be the reason of this issue?

e. f. g. h.

Smurf attack Land attack DoS attack Fraggle attack

Explanation: Answer option E is correct.

Q: Which of the following are the effects of a DoS attack? Each correct answer represents a complete solution. Choose all that apply. i. j. k. l. Saturates network resources Helps services to a specific computer Causes failure to access a Web site Results in an increase in the amount of spam

Explanation: Answer options A, C, and D are correct.

Q: You work as a professional ethical hacker. You have been assigned the project of testing the security of www.ucertify.com. You want to perform a stealth scan to discover open ports and applications running on the uCertify server. For this purpose, you want to initiate scanning with the IP address of any third party. Which of the following scanning techniques will you use to accomplish the task? m. IDLE n. RPC o. UDP p. TCP SYN/ACK

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Explanation: Answer option A is correct. The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the hacker. Q: Mark works as a security administrator for uCertify Inc. He wants to perform an active session hijack against Secure Inc. He has found a target that allows a Telnet session. He has also searched an active session because of the high level of traffic on the network. What should be the next step taken by Mark? q. r. s. t. Guess the sequence numbers. Use Brutus to crack the telnet password. Use a sniffer to listen to the network traffic. Use macoff to change the MAC address.

Explanation: Answer option A is correct. Q: Your client has given you the permission to execute exploit code on the corporate network to test if IDS/IPS is able to identify and prevent the attacks. What mechanism can you potentially employ to bypass the security mechanisms of the network? u. Payload v. Metapreter w. Exploit x. Encoder Explanation: Answer option D is correct. An encoder scrambles the payloads to hide the exploit. Most encoders use an algorithm to change parts of the payload. This algorithm includes a decoder so that when the payload reaches to its target, the machine can understand what it really needs to do after it runs the decoder.

13. Q: When users access a certain popular news site, they are being redirected to a similar looking site that contains malicious software. You suspect that your router has been attacked. What kind of attack has the hacker launched? a. Route table poisoning b. Black hole attack c. Hit and Run Attacks

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

d. Persistent Attacks Explanation: Answer option A is correct. Routing table poisoning is considered to be an effective and one of the most prominent types of attacks, and consists of unauthorized altering or poisoning routing tables. Wrong entries in the routing table lead to a false destination address and several other defects. Q: As a new pentester, you are developing your arsenal of tools. Name a bootable open source live-CD Linux distribution with a huge variety of Security and Forensics tools that is a must have in your toolkit. e. BackTrack (now Kali) f. Bidiblah

g. VMware h. botnets Explanation: Answer option A is correct. Which protocol and port number is needed to allow log messages through a firewall? a. SMNP - 161 b. SMTP - 25 c. Syslog - 514 d. POP3 -110 answer: C In PGP what is used to encrypt a message before it is sent? a. receiver's private key b. senders private key c. receiver's public key d. sender's public key answer C Which of the following is a preventative control?

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

a. audits b. smart cards c. disaster recovery plan d. digital signatures answer: b The main difference between symmetric and asymmetric encryption is that symmetric encryption... a. uses multiple keys to encrypt and decrypt data b. uses sessions keys generated from each parties private key c. uses the same key to encrypt and decrypt data d. creates a one way hash that cannot be reversed answer: c As the Sec Engineer you have been tasked with creating a secure remote access solution that minimizes the chance for a MiTM attack, what should you use? a. SSL b. IPSec c. TLS d. HTTP over DNS answer: B If after applying all of your security controls you still have not eliminated all risk what now? a. cancel the project (go in a different direction) b. deny to management that there is remaining risk c. accept the risk if it is low enough (to management) d. continue to apply additional controls until all risk is eliminated answer: c

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

Information gathered from social networking websites such as Facebook, Twitter and LinkedIn can be used to launch which of the following types of attacks? (Choose two.) A. Distributed denial of service attack B. MiTM attack C. Teardrop attack D. SQL injection attack E. Phishing attack F. Social engineering attack answer: E and F Which of the following is true about proxy firewalls? A. Proxy firewalls block network packets from passing to and from a protected network. B. Proxy firewalls increase the speed and functionality of a network C. systems establish a connection with a proxy firewall which then creates a new network connection for that device D. Firewall proxy servers decentralize all activity for an application. answer: C Which of the following provides for protection against brute force attacks by using 160-bit hash? a. PGP b. MD5 c. SHA-1 d. RSA answer: C

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

A security administrator has decided to use multiple layers of anti-virus defense, such as end user desktop anti-virus and E-mail gateway. This will mitigate which kind of attack? A. Scanning attack B. Social engineering attack C. ARP spoofing attack D. Forensic attack answer: B Which would be most effective in determining whether additional end user training is needed? a. sql injection b. social engineering c. vulnerability scanning d. application hardening answer: B Which type of access control is used on firewalls and routers? a. mandatory b. rule-based c. discretionary d. role-based answer: B Which type of detection system can monitor, log and alert but will not stop an attack? a. active b. passive c. reative d. detective

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

answer: D How can we defeat rainbow tables? a. salt b. pepper c. cinnamon d. juju beans answer: A How often does the PCI-DSS require an organization to perform an external pentest? a. once a quarter b. once a year c. every two years d. at least once a year and after a major change or update answer: D Which of the following is used to ensure that policies, configurations and procedural modications are made in a controlled and are documented? a. peer review b. compliance c. change management d. vulnerability scanning answer: C What is the name of the international standard for the functionality of IT systems? a. ISO 18011 b. Orange Book c. Common Criteria d. ITSec

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.

answer: C What should an ethical hacker first get before starting a pentest? a. report on findings b. nmap scan c. social engineering d. get a signed document from senior management answer: D

www.trainace.com/security
2012-2013 TrainACE / Advanced Security.