1. Which of the following is considered an administrative control?
Please select 2 correct answers
An administrative control usually consists of policies or directives that give the organization a general format to comply with. For example, a security policy may state that the only means to log in to a workstation is through a common access card. An administrative control is also known as a soft control.
2. On a class C network, how many networks can network administrators plan for if they are using the subnet mask /27?
Using a /27, network administrators can successfully plan for 8 different networks. The octet value of a /27 is 32. If you count the bits in the Class C range (/25 is 128, /26 is 64, and /27 is 32), the total will be 224. Subtract 224 from 256 (the entire Class C octet value), which results in a value of 32. If you divide 256 by 32, you will receive 8, which is the number of subnets you can use, and 32 is the number of available addresses you can use per network.
3. What is the default port number for Telnet?
Telnet uses a default port number of 23 for connection and communication.
4. Convert the ASCII text Wiley into hexadecimal format.
When converting to binary, remember that we use only 0 to 9 and A to E in terms of a hexadecimal value. Anything outside of that range is invalid.
5. Which algorithm does not provide integrity or confidentiality?
Digital Signature Authority, or DSA, is an algorithm that is used to provide digital signatures on files and email to provide nonrepudiation and authenticity. It does not provide confidentiality or integrity.
6. Which of the following acronyms represents the institution that governs North American IP space?
The American Registry for Internet Numbers (ARIN) is the organization that tracks and records all matters that deal with Internet matters for North America and surrounding territories. It tracks IPv4, IPv6, and autonomous system numbers as well.
7. At what layer of the OSI model does ARP reside?
Address Resolution Protocol, or ARP, is utilized at the Network layer because querying computers for their IP address is directly related to the Network layer in the OSI model.
8. An 8-foot-tall fence with razor wire stranded on top is considered what type of measure?
A fence standing 8 feet tall with razor wire is considered a preventative measure because the goal is to prevent the adversary from entering the premises. It is not considered a deterrent because deterrents do not keep a persistent adversary out.
9. Which of the following standards reference the definition and implementation of wireless security such as WPA2?
The IEEE 802.11i standard does not define a Wi-Fi spectrum; it amends to the 802.11 standards to include and implement Wi-Fi Protected Access II (also known as WPA2).
10. Which permission value in Linux allows for read and execute?
In Linux, the read and execute permission value is 6 because of the number of bits set on the file record. If we wanted to give permission only to read, the value would be set to 1; for only write, the value would be 4; if we wanted to give read, write, and execute permissions, the value would be 7 because it’s the sum of 4, 2, and 1.
11. Which of the following correctly describes the DHCP process?
DHCP follows this simple process: the client discovers a DHCP server, the DHCP server offers an IP address to the client, the client requests that IP address for use, and the server acknowledges the lease of the offered IP address to the client. The IP address is then removed from the DHCP leasing pool and is no longer reserved.
12. What key sizes in bits are used within AES?
The AES algorithm uses 128-, 192-, and 256-bit keyspace for encryption.
13. Which of the following describes a logic bomb?
A logic bomb is malware that lies dormant until a certain event is cued, such as a date, time, keystrokes, or even opening applications in sequential order.
14. Which of the following applications are mainly used to manage a botnet?
The majority of botnets are managed by the Internet Relay Chat (IRC) application, which functions as a chat room. Using this capability, the bot or zombie master is able to send commands and control functions to their bots.
15. You are team leader for your financial firm. You set a policy in place that all coworkers must clean off their desk, empty trash, shred sensitive documents, and secure other critical documents in their respective containers at the end of the day. What is the common name for such a policy?
This policy is called the clean desk policy. It is widely used in industries where it’s important to keep confidential and sensitive information secured by cleaning up before the workday ends. It prevents coworkers, cleaning crews, and other bystanders from pilfering and mishandling critical information.
16. You work for an organization that has its own internal network. This internal network has been extended to geographically separated company locations as well. Regardless of location, you still have access to your internal network; however, you are blocked from using the Internet because of security concerns. What type of network conditions are you experiencing?
An intranet provides access to the organization’s internal network and network applications.
17. At what layer does a circuit-level gateway operate within the OSI model?
A circuit-level gateway operates at the Session layer because that is the OSI layer that sets up, establishes, and terminates sessions.
18. Which backup method copies only those files with the bit set for archived?
With an incremental backup, only files with the archive bit set are backed up. Only the files that have been changed since the last backup are chosen to be archived.
19. What is another term for masquerading?
Impersonation is a term that is associated with masquerading. It is not considered identity theft because it doesn’t involve personally identifiable information (PII) such as Social Security numbers and birthdates. The attacker merely uses a means of communication such as a phone call to fool the victim into believing that they are who they say they are.
20. Malware installed at the kernel is very difficult to detect with products such as antivirus and anti-malware programs. What is this type of malware called?
A rootkit is malware that embeds itself at the kernel level. It is extremely difficult to discover and remediate because of the inherent security measures that are present at the beginning in the kernel.
21. What is the name given for the device component physically located on the motherboard that stores encryption keys for hard drives, preventing an adversary from removing the hard drive and using it on another computer?
The Trusted Platform Module (TPM) is a chip that is soldered onto the motherboard with pre-programmed cryptographic keys. It allows the hard drive that is bonded to the motherboard to be accessible. If the hard drive is removed, it will not be accessible by any other means.
22. Which of the following password cracking methods is the fastest?
A dictionary attack is the fastest method because the adversary has a file loaded with the most commonly used passwords. Because this file is finite, this type of attack does not always work. For a guaranteed way of cracking an account, the adversary may resort to the brute force method, but this can take much longer than other methods, and in most cases, it’s not even feasible.
23. In Linux, what designator is used to uniquely identify a user account?
The user identifier, or UID, is the designator that uniquely identifies each user on the workstation.
24. Using Nmap, which switch command enables a UDP connection scan of a host?
Using Nmap, the -sU switch command allows the administrator to scan for UDP connections on a target workstation. If you receive an ICMP message of “port unreachable,” it means that the port is closed.
25. Which of the following best indicates a top-level parent domain?
A top-level parent is usually represented as .org, .com, .net, .gov, and .edu. Countries also have their own parent domains, such as .ru for Russia and .kr for South Korea.
26. Which of the following is a benefit when a security administrator is using Telnet?
When Telnet is being used, traffic is sent in the clear, which is not beneficial because information can be compromised. This is, however, beneficial to the security administrator because they can see exactly what methods and activities the adversary is using in Telnet. When SSH came on board, it removed the capability of eavesdropping on the connections the adversary was using, and thus the security administrator lost situational awareness because the traffic was encrypted.
27. You are a security administrator working at a movie production company. One of your daily duties is to check the IDS logs when you are alerted. You notice that you received a lot of incomplete three-way handshakes and your memory performance has been dropping significantly on your web server and customers are complaining of really slow connections. What could be the actual issue?
Although a DoS or DDoS is the actual result of the attack, the reason is that the adversary is conducting a SYN flood attack.
28. What message type and code is the message “Network Unknown”?
“Network Unknown” falls under the ICMP Type 3 (Destination Unreachable), Code 6 category.
29. Which of the following frequency modes is designed to not create interference or be jammed by the adversary?
Frequency-hopping spread spectrum is a process in which the receiver frequently hops around the frequency spectrum to avoid jamming, creating interference, and eavesdropping. The client needs to be on the same timing source as the broadcaster or the client will not be able to match the intervals in which the frequency changes.
30. As a security administrator, you are checking the different IP connections that are trying to contact your servers within a DMZ. You noticed months ago that your servers received very similar attacks and probes from an IP registered in Iran. This time, you notice similar tactics with IPs coming from Brazil, Greece, Sudan, and South Africa. What do you think is going on?
The chance of the adversary conducting similar probing techniques on your servers from different locations is an indication that the adversary is using a web proxy service. The adversary is trying to mask their actual IP address in order to escape possible prosecution and other legal actions.
31. Which of the following provides free information about a website that includes phone numbers, administrator’s email, and even the domain registration authority?
Whois.net is a free service that you can use to capture critical information for part of your footprinting when targeting a victim.
32. What is significant about RFC 18?
RFC 18 covers non-routable IP addresses, which are the private IP addresses. Private IP addresses are 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255.
33. Which of the following types is an ICMP echo request?
Type 8 is the formal ICMP echo request. There is no code associated with it. Type 8 Code 0, which is the ICMP echo reply.
34. An HIDS for the most part uses which method for detection?
A. In most cases, a host-based intrusion detection system (HIDS) uses a signature-based detection method to protect the host. Most HIDS, such as Tripwire and CyberSafe, download the newest rules to the client to provide protection; however, the HIDS falls short when defending against zero-day attacks because there is no known countermeasure yet.
35. Which of the following verifies a user’s authenticity when the user is requesting a certificate?
In a PKI environment, the registration authority (RA) is the subject that validates a user and then vouches for their authenticity to the certificate authority, which then releases a certificate.
36. A hacker is using different methods of cracking an encryption algorithm, such as side channel attacks, frequency analysis, and also bit flipping. What is the hacker doing?
The method of cracking or breaking an encryption algorithm to discover either the key and/or the backdoor is called cryptanalysis.
37. Which of the following is the correct XOR output?
Whenever we XOR a bit, if the two inputs are the same such as 1 and 1 or 0 and 0, then the XOR return value, or output, will always equal 0. If the two input values are different, such as 1 and 0 or 0 and 1, the return value will always be 1.
38. To sniff, what mode must your network adapter be configured to in order to pull frames off an Ethernet or wireless network?
In promiscuous mode, the network adapter does not alter any of the frames that it receives. It simply just copies the frames for analysis using a protocol analyzer such as Wireshark.
39. Which authentication protocol is used in WPA2?
The Cipher Block Chaining Message Authentication Code Protocol is an algorithm that uses a 128-bit key, which is based on the AES algorithm.
40. You are an administrator overseeing IT security operations for a local bank. As you review logs from the prior day, you notice a very high rate of UDP packets targeting your web server that are coming from your clients all at the same time. What could be the culprit?
In a Fraggle attack, the adversary forges the source address, which is the web server. The adversary will then ping the broadcast address, which causes all of the clients in that subnet to respond back to the web server. This, in turn, causes a DDoS, but it is not the culprit. The actual attack was caused by the adversary through packet crafting and forging the source IP address of the web server.
41. Which is the last step in the TCP three-way handshake?
The final event in establishing the TCP three-way handshake is ACK.
42. A token is what type of authentication factor?
A token is a Type 1 authentication factor, which is “something you have.”
43. Operating as a black hat, you decide to stand up a web server that mimics a very popular social media website. You are also a disgruntled employee who decides to build and execute a script that updates the hosts file on your fellow coworkers’ computers. It poisoned their DNS cache. Your coworkers start their morning routine by going to this popular social media website, providing their personal credentials when prompted. Unfortunately for them, they are hitting your website, and you are storing their credentials for later use. What type of attack did you conduct?
Pharming is an attack in which you direct users to a website that looks legitimate. The goal is to trick the users into entering their credentials so that you can use them at a later date. One tool that is designed to do this is Metasploit’s Social Engineering framework.
44. Which of the following is the flag byte for a TCP header used to enable an XMAS scan?
Options: 00101001, 11001011, 11101000, 00101100
A. If you use a protocol analyzer and craft a packet for an XMAS scan using URG, PSH, and FIN, you will see in the TCP header the binary format of 00101001 being set.
45. Which of the following describes a “soft” control?
Soft controls usually consist of policies, procedures, guidelines, or regulations that put in or recommend control measures for effective governance.
46. What capability does a backdoor provide to the adversary?
When a backdoor is installed, it allows the adversary to conduct remote call procedures such as a reverse terminal session or remote desktop procedures. The adversary can then conduct arbitrary operations as if they are logged in locally.
47. Which of the following describes the collection of human psychical attributes for use in performing electronic authentication?
Biometrics is the method of collecting and using human characteristics such as fingerprints, facial recognition, and speech pattern in order to provide authentication for system access.
48. Which of the following is the only symmetric cryptography stream cipher?
RC4 is a symmetric stream cipher. It is the only stream cipher in the symmetric category. RC5 and RC6 are block cipher encryption algorithms.
49. Which of the following compares two hash values in order to provide nonrepudiation?
Digital Signature Authority, or DSA, uses symmetric encryption to provide nonrepudiation. The recipient would use their key to decrypt the hash. Then the recipient would hash the value and compare it to the sender’s hash. If the hash values match, the recipient knows that the message is authentic and came from the sender.
50. As a black hat, you identify a WAP at the mall that you are going to exploit. You discover that the WAP is using WEP. Which method will you utilize in order to exploit the WAP?
The inherent flaw in WEP is the IV because it is only 24 bits long and transmitted in cleartext. Using a tool called Aircrack, you can successfully exploit the vulnerability in WEP’s poor IV design; you can crack WEP within 2 minutes.
51. As a white hat who just completed the footprinting phase of your attack, you move on by operating an assortment of tools to gather intelligence on your target. You were able to determine what services are being offered on ports. You were able to see what accounts are available and to identify different sharing services as well. What phase were you operating within?
Enumeration is the act of actively engaging the target system and gathering information.
52. Using Nmap, what is the correct command to scan a target subnet of 192.168.0.0/24 using a ping sweep and identifying the operating system?
Using Nmap, the switch -sP is a ping sweep command and -O is the command to fingerprint the operating system.
53. Which of the following services is registered for port 110?
POP3 is reserved for port 110. POP3 is a client/server protocol used to push email to clients.
54. Which of the following is natively installed on Unix systems to conduct DNS queries?
Dig is the command used to query information about a server using its domain name.
55. Which of the following sites is effective in obtaining DNS query information?
For DNS queries, geektools.com is a sufficient resource to gain intelligence about your intended target. Whois (www.whois.net) is another popular site for DNS queries.
56. Which of the following can you use to conduct banner grabbing?
Telnet is an application you can use to conduct banner grabbing. If Telnet is operational on the target system, even though port 23 may be closed, it is possible to learn what type of server is being used to host by using port 80 if you are probing a web server.
57. As a pentester, what content might you include in addition to your general findings?
Giving the owner a list of vulnerabilities is the correct answer because patched systems, disabled accounts, and revoked certificates are objects that are already accounted for.
58. What is the IEEE port-based authentication standard?
IEEE 802.1x is the protocol for port-based network access that requires authentication.
59. Which of the following attacks sends fragmented UDP packets to a Windows system using port 53 or other UDP ports that may cause the system to crash?
Bonk uses UDP crafted packets to conduct a DoS on a Windows system. The UDP packets are oversized and when reconstructed can cause a crash on the target server.
60. Which of the following is an application that does not need a host or human interaction to disrupt and corrupt data?
A worm is an application that does not need a host of other resources from the computer to carry out its payload. It is a self-contained application, and it only needs to be introduced to the computer once to exploit the vulnerabilities found.