Topic 2: Exam Pool B
Which command can be used to show the current TCP/IP connections?
A. Netsh
B. Netstat
C. Net use connection
D. Net use
Answer: Netsh
Taylor, a security professional, uses a tool to monitor her company's website, analyze the website's traffic, and track the geographical location of the users visiting the company's website. Which of the following tools did Taylor employ in the above scenario?
A. WebSite Watcher
B. web-Stat
C. Webroot
D. WAFW00F
Answer: web-Stat
Explanation: Web-Stat is a free web analytics service that is added to a site so its owner can watch visitors interact with the pages in real time. It shows how visitors find the site, records each visitor's path through it, and tracks which pages turn browsers into customers. It installs with one click, reports visitor locations, operating systems, browsers and screen sizes, and can send alerts for new visitors and conversions.
Which of the following are well known password-cracking programs?
A. L0phtcrack
B. NetCat
C. Jack the Ripper
D. Netbus
E. John the Ripper
Answer: L0phtcrack; John the Ripper
Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques must he use to perform the given task?
A. UDP scan
B. TCP Maimon scan
C. arp ping scan
D. ACK flag probe scan
Answer: arp ping scan
Explanation:
One of the most common Nmap usage scenarios is scanning an Ethernet LAN. On most LANs, especially those using the private address ranges granted by RFC 1918, the overwhelming majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet, such as an ICMP echo request, the operating system must first determine the destination hardware (ARP) address corresponding to the target IP so that the Ethernet frame can be properly addressed. This requires the OS to issue a series of ARP requests. This is best illustrated by an example in which a ping scan is attempted against a local Ethernet host. The --send-ip option tells Nmap to send IP-level packets (rather than raw Ethernet) even on local networks. The Wireshark output of the three ARP requests and their timing was pasted into the session.
Raw IP ping scan example for an offline target: this example took a couple of seconds to finish because the (Linux) OS sent three ARP requests at 1 second intervals before giving up on the host. Waiting several seconds is excessive, since an ARP response usually arrives within a few milliseconds. Reducing this timeout is not a priority for OS vendors, because the overwhelming majority of packets are sent to hosts that actually exist. Nmap, on the other hand, needs to send packets to 16 million IPs given a target like 10.0.0.0/8. Many targets are pinged in parallel, but waiting 2 seconds for each is still far too slow.
There is another problem with raw IP ping scans on a LAN. When the destination host is unresponsive, as in the previous example, the source host usually adds an incomplete entry for that destination IP to the kernel ARP table. ARP table space is finite, and some operating systems become unresponsive when it fills up. If Nmap is used in raw IP mode (--send-ip), it may have to wait several minutes for the ARP cache entries to expire before it can continue host discovery.
ARP scans solve both problems by putting Nmap in charge. Nmap issues the raw ARP requests itself and handles retransmissions and timeouts at its own discretion; the system ARP cache is bypassed. The example shows the difference: this ARP scan takes just over a tenth of the time of the equivalent IP ping scan.
In example b, neither the -PR option nor the --send-eth option has any effect, because ARP scan is the default scan type when Nmap scans Ethernet hosts that it detects are on a local Ethernet network. This includes traditional wired Ethernet as well as 802.11 wireless networks. As mentioned above, ARP scanning is not only more efficient but also more accurate: hosts frequently block IP-based ping packets, but generally cannot block ARP requests or responses and still communicate on the network. Nmap uses ARP for all targets on a local LAN even when different ping types (such as -PE and -PS) are specified. If you do not want an ARP scan at all, specify --send-ip as shown in example a, "Raw IP Ping Scan for Offline Targets".
If you give Nmap control to send raw Ethernet frames, Nmap can also adjust the source MAC address. If you have the only PowerBook in a security conference room and a large ARP scan is launched from an Apple-registered MAC address, heads may turn toward you. Use the --spoof-mac option to spoof the MAC address, as described in the MAC Address Spoofing section.
Password cracking programs reverse the hashing process to recover passwords. (True/False.)
A. True
B. False
Answer: False
You are a penetration tester working to test the user awareness of the employees of the client xyz. You harvested two employees' emails from some public sources and are creating a client-side backdoor to send it to the employees via email. Which stage of the cyber kill chain are you at?
A. Reconnaissance
B. Command and control
C. Weaponization
D. Exploitation
Answer: Weaponization
Explanation: Weaponization
The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can be used to gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (a remote-access malware weapon) using an exploit and a backdoor to send to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out the attack. For example, the adversary may send a phishing email to an employee of the target organization that includes a malicious attachment, such as a virus or worm, which when downloaded installs a backdoor on the system and gives the adversary remote access. The following are the activities of the adversary:
- Identifying an appropriate malware payload based on the analysis
- Creating a new malware payload, or selecting, reusing or modifying available malware payloads based on the identified vulnerability
- Creating a phishing email campaign
- Leveraging exploit kits and botnets
https://en.wikipedia.org/wiki/Kill_chain
The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Below you can find detailed information on each.
1. Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research on this target to identify its vulnerabilities that can be exploited.
2. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or similar to exploit the target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as zero-day exploits) or focus on a combination of different vulnerabilities.
3. Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ USB drives, e-mail attachments, and websites for this purpose.
4. Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to exploit the target's vulnerability or vulnerabilities.
5. Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.
6. Command and Control: The malware gives the intruder/attacker access to the network/system.
7. Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their purposes, such as encryption for ransom, data exfiltration, or even data destruction.
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:
You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using an SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?
A. Use the Cisco's TFTP default password to connect and download the configuration file
B. Run a network sniffer and capture the returned traffic with the configuration file from the router
C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
D. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0
Answer: Run a network sniffer and capture the returned traffic with the configuration file from the router; Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0
Sam, a professional hacker, targeted an organization with the intention of compromising AWS IAM credentials. He attempted to lure one of the employees of the organization by initiating fake calls while posing as a legitimate employee. Moreover, he sent phishing emails to steal the AWS IAM credentials and further compromise the employee's account. What is the technique used by Sam to compromise the AWS IAM credentials?
A. Social engineering
B. Insider threat
C. Password reuse
D. Reverse engineering
Answer: Social engineering
Explanation:
Just like any other service that accepts usernames and passwords for logging in, AWS users are vulnerable to social engineering attacks. Fake emails, calls, or any other social engineering method may end with an AWS user's credentials in the hands of an attacker.
If a user only uses API keys for accessing AWS, general phishing techniques could still be used to gain access to other accounts, or to the user's PC itself, from which the attacker may then pull the API keys for that AWS user.
With basic open-source intelligence (OSINT), it is usually simple to collect a list of an organization's employees who use AWS on a regular basis. This list can then be targeted with spear phishing to try to gather credentials. A simple technique might be an email saying that your bill has spiked 500% in the past 24 hours, "click here for more information", and when the recipient clicks the link they are forwarded to a malicious copy of the AWS login page designed to steal their credentials.
An example of such an email can be seen in the screenshot below. It looks exactly like an email AWS would send if you exceeded the free tier limits, except for a few small changes. If you clicked on any of the highlighted regions in the screenshot, you would not be taken to the official AWS website; you would instead be forwarded to a fake login page set up to steal your credentials.
These emails can be made even more specific by doing a little more OSINT before sending them. If an attacker was able to discover your AWS account ID online somewhere, they could use methods we at Rhino have released previously to enumerate which users and roles exist in your account without any logs appearing on your side. They could use this list to further refine their target list, as well as their emails, to reference services they know you use often.
For reference, the blog post on using AWS account IDs for role enumeration can be found here, and the blog post on using AWS account IDs for user enumeration can be found here.
During engagements at Rhino, we find that phishing is one of the fastest ways for us to gain access to an AWS environment.
How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?
A. There is no way to tell because a hash cannot be reversed
B. The right most portion of the hash is always the same
C. The hash always starts with AB923D
D. The left most portion of the hash is always the same
E. A portion of the hash will be all 0's
Answer: The right most portion of the hash is always the same
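The property behind this answer, turned into a check a defender can run over a password-hash dump when auditing for weak LM hashes. This is an added example, not part of the exam material: the pwdump-style line format and every hash value other than the empty-half constant are constructed for illustration.

```python
"""Spot short or empty passwords from LM hashes alone (added example).

LM hashing pads the password to 14 bytes, splits it into two 7-byte halves
and hashes each half independently. An all-padding half always produces the
constant AAD3B435B51404EE, so a hash whose right-hand 16 hex digits equal
that constant belongs to a password shorter than 8 characters, with no
cracking needed. A defender can use this to triage a dump for weak accounts.
"""
import re

EMPTY_HALF = "AAD3B435B51404EE"              # LM hash of an empty 7-byte half
LM_HASH_RE = re.compile(r"^[0-9A-F]{32}$")   # 32 hex digits, checked after upper-casing


def classify_lm_hash(lm_hash: str) -> str:
    """Return 'invalid', 'empty', 'short' (<8 chars) or 'long' (>=8 chars)."""
    h = lm_hash.strip().upper()
    if not LM_HASH_RE.match(h):
        return "invalid"
    left, right = h[:16], h[16:]
    if left == EMPTY_HALF and right == EMPTY_HALF:
        return "empty"      # both halves empty: blank password or LM storage disabled
    if right == EMPTY_HALF:
        return "short"      # second half empty: 1-7 character password
    return "long"


def audit_pwdump_lines(lines):
    """Parse pwdump-style lines (user:rid:lmhash:nthash:::) and classify each LM hash.

    Returns a list of (username, classification) for every line with at least
    four colon-separated fields; the NT hash field is ignored."""
    results = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        results.append((parts[0], classify_lm_hash(parts[2])))
    return results


# Constructed sample dump: the only real constant is the empty-half value;
# the other hash values are made up for illustration.
SAMPLE_DUMP = [
    "guest:501:AAD3B435B51404EEAAD3B435B51404EE:00000000000000000000000000000001:::",
    "svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:00000000000000000000000000000002:::",
    "admin:500:0123456789ABCDEFFEDCBA9876543210:00000000000000000000000000000003:::",
    "broken:502:NOTAHASH:00000000000000000000000000000004:::",
]

if __name__ == "__main__":
    for user, verdict in audit_pwdump_lines(SAMPLE_DUMP):
        print(f"{user:<12} {verdict}")
```

An "empty" verdict on every account usually means LM hash storage is disabled on the host (the modern default), which is the outcome an audit wants to see; "short" verdicts are the accounts to prioritise for a password change.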
In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range does a medium vulnerability fall in?
A. 3.0-6.9
B. 40-6.0
C. 4.0-6.9
D. 3.9-6.9
Answer: 4.0-6.9
Robin, an attacker, is attempting to bypass the firewalls of an organization through the DNS tunneling method in order to exfiltrate data. He is using the NSTX tool for bypassing the firewalls. On which of the following ports should Robin run the NSTX tool?
A. Port 53
B. Port 23
C. Port 50
D. Port 80
Answer: Port 53
Explanation:
DNS uses port 53, which is almost always open on systems, firewalls, and clients, to transmit DNS queries. Instead of the more familiar Transmission Control Protocol (TCP), these queries use User Datagram Protocol (UDP) because of its lower latency, bandwidth and resource usage compared to TCP-equivalent queries. UDP has no error or flow-control capabilities, nor does it have any integrity checking to make sure the data arrived intact. How is internet use (browsing, apps, chat etc.) so reliable then? If the UDP DNS query fails in the first instance (it is a best-effort protocol after all), most systems will retry a number of times and only after multiple failures potentially switch to TCP before trying again; TCP is also used if the DNS query exceeds the limits of the UDP datagram size, typically 512 bytes for DNS but dependent on system settings. Figure 1 below illustrates the basic process of how DNS operates: the client sends a query string (for example, mail.google[.]com in this case) with a particular type, typically A for a host address. I have skipped the part in which intermediate DNS systems may need to establish where '.com' exists, before finding out where 'google[.]com' can be found, and so on.
Many worms and scanners have been created to find and exploit systems running telnet. Given these facts, it is really no surprise that telnet is usually seen on the Top Ten Target Ports list. Several of the vulnerabilities of telnet have been fixed; they require only an upgrade to the most current version of the telnet daemon or an OS upgrade. As is usually the case, this upgrade has not been performed on a number of devices. This may be because many systems administrators and users do not fully understand the risks involved in using telnet. Unfortunately, the only solution for some of telnet's vulnerabilities is to completely discontinue its use. The preferred method of mitigating all of telnet's vulnerabilities is replacing it with alternate protocols such as SSH. SSH is capable of providing many of the same functions as telnet and a number of additional services typically handled by other protocols such as FTP and X Windows. SSH does still have several drawbacks to overcome before it can completely replace telnet: it is typically only supported on newer equipment, it requires processor and memory resources to perform the data encryption and decryption, and it requires greater bandwidth than telnet because of the encryption of the data. This paper was written to help clarify how dangerous the use of telnet can be and to provide solutions to alleviate the main known threats, so as to improve the general security of the web.
Once a name is resolved to an IP, caching also helps: the resolved name-to-IP mapping is usually cached on the local system (and possibly on intermediate DNS servers) for a period of time. Subsequent queries for the same name from the same client then do not leave the local system until that cache expires. Of course, once the IP address of the remote service is known, applications can use that information to enable other TCP-based protocols, such as HTTP, to do their actual work, for instance ensuring internet cat GIFs can be reliably shared with your colleagues. So, all in all, a couple of dozen extra UDP DNS queries from an organization's network would be fairly inconspicuous and would allow a malicious payload to beacon out to an adversary; commands could even be received by the requesting application for processing with little difficulty.
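Because DNS over UDP/53 is so rarely blocked, the practical defence is detecting tunnelling in query logs rather than closing the port. The following added example (not part of the exam material, and not code from NSTX) scores DNS query log lines on the traits a tunnel leaves behind: long, high-entropy labels, payload-carrying record types such as TXT and NULL, and many distinct subdomains under one parent domain, since each tunnelled packet needs a fresh name to defeat the caching described above. The log line format, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Heuristic DNS tunnelling detection over query logs (added example).

Assumed log line format (constructed): "<timestamp> <client_ip> <qname> <qtype>".
Thresholds are illustrative starting points, not values from any product.
"""
import math
from collections import defaultdict

# Constructed sample log: ordinary lookups plus three tunnel-style queries
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.1.1.5 www.example.com A
2024-01-01T10:00:02Z 10.1.1.5 mail.example.com MX
2024-01-01T10:00:03Z 10.1.1.9 nblfi3xwvrpu2cs4b5tfm7v2jvzchrnhgqqmtj8r5pu5wqkzwpe9yr3hngy.t.exfil-example.net TXT
2024-01-01T10:00:03Z 10.1.1.9 ryp4a6xn2l5cmpg2uv3sz7c4fhk6p6mwv9dp3vqhk2w9u8hp9xbz5kzh2r9.t.exfil-example.net TXT
2024-01-01T10:00:04Z 10.1.1.9 zq8gk5wn7v2x9dhm4cyt3r8a6bpj5lf2xs9wm4ngv7hq3ctd2k8pz6r9by.t.exfil-example.net NULL
2024-01-01T10:00:05Z 10.1.1.7 cdn.static.example.com A
"""

PAYLOAD_QTYPES = {"TXT", "NULL"}   # record types commonly used to carry tunnel data
MAX_NAME_LEN = 70                  # assumed threshold on the whole query name
MAX_LABEL_LEN = 40                 # assumed threshold on a single label
MIN_ENTROPY = 4.0                  # bits/char; encoded random data sits well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain part, registrable base).

    Uses a naive 'last two labels' rule for the base; a real deployment
    would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname: str, qtype: str) -> dict:
    """Score one query and list the indicators that make it look like tunnelling."""
    sub, base = split_name(qname)
    labels = [label for label in sub.split(".") if label]
    longest = max((len(label) for label in labels), default=0)
    entropy = shannon_entropy(sub.replace(".", ""))
    reasons = []
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long_name")
    if longest > MAX_LABEL_LEN:
        reasons.append("long_label")
    if entropy > MIN_ENTROPY:
        reasons.append("high_entropy")
    if qtype.upper() in PAYLOAD_QTYPES:
        reasons.append("payload_qtype")
    return {"qname": qname, "base": base, "entropy": round(entropy, 2), "reasons": reasons}


def detect_tunnelling(log_text: str, min_reasons: int = 2, min_unique_subs: int = 3):
    """Return the scored queries that trip at least min_reasons indicators.

    Besides per-query traits, a parent domain that receives many distinct
    subdomains earns an extra indicator for every query under it."""
    per_base_subs = defaultdict(set)
    scored = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, qtype = parts
        entry = score_query(qname, qtype)
        entry["client"] = client
        scored.append(entry)
        per_base_subs[entry["base"]].add(split_name(qname)[0])
    alerts = []
    for entry in scored:
        if len(per_base_subs[entry["base"]]) >= min_unique_subs:
            entry["reasons"].append("many_unique_subdomains")
        if len(entry["reasons"]) >= min_reasons:
            alerts.append(entry)
    return alerts


if __name__ == "__main__":
    for alert in detect_tunnelling(SAMPLE_LOG):
        print(alert["client"], alert["qname"], alert["entropy"], ",".join(alert["reasons"]))
```

Requiring two independent indicators keeps ordinary CDN and mail-server names, which trip the unique-subdomain rule on their own, out of the alert list; a per-client query rate over a time window is the natural next indicator to add, since a tunnel sustains far more queries than a browsing session.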
You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity. Which tool would you most likely select?
A. Nmap
B. Cain & Abel
C. Nessus
D. Snort
Answer: Snort