GSNA GIAC Systems and Network Auditor Questions and Answers
Questions 4
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. John is working as a root user on the Linux operating system. He wants to break a data.txt file, 200MB in size, into two files in which the size of the first file named data.txt.aa should be 150MB and that of the second file named data.txt.ab should be 50MB. To accomplish his task and to further delete the data.txt file, he enters the following command:
split --verbose -b 150m data.txt data.txt. ; rm -vf data.txt
Which of the following commands can John use to join the split files into a new data.txt file?
The cat data.txt.* command outputs both split files in sequence, and the > redirection operator writes that output into a new data.txt file.
Questions 5
Mike works as a Network Engineer for XYZ CORP. The company has a multi-platform network. Recently, the company faced many blended threat issues that led to several drastic attacks. Mike has been assigned a project to manage the resources and services of the company through both the Intranet and the Internet to protect the company from these attacks. Mike needs a system that provides auto-discovery and network topology building features to allow him to keep an intuitive view of the IT infrastructure. What will Mike use to meet the requirement of the project?
David system is a network management system that allows a user to manage resources and services through both the Intranet and the Internet. It provides auto-discovery and network topology building features that help keep an intuitive view of the IT infrastructure. Real-time monitoring of resources and access to historical data make it easier to react to failures. Configurable interfaces for monitored devices let a user focus on the most important aspects of their work. Answer: B is incorrect. dopplerVUe is a network management tool that provides network discovery, mapping, alert and alarm management, and bandwidth management. It enables monitoring of Ping, SNMP, syslog, and WMI performance metrics. It can also be used to monitor IPv6 devices, as well as services such as DNS, HTTP, and email. Answer: A is incorrect. eBox is an open source distribution and web development framework. This framework is used to manage server application configuration. It is based on Ubuntu Linux and is designed to manage services in a computer network. The modular design of eBox allows a user to pick and choose the services. Answer: D is incorrect. EM7 is a network monitoring system that is used to measure IT infrastructure health and performance. It is an integrated NMS designed to help optimize the performance and availability of networks, systems, and applications. It provides trouble-ticketing, event management, reporting, IP management, DNS, and monitoring.
Questions 6
Which of the following statements about the /etc/profile file are true?
Options:
A.
It allows a system administrator to create a default home directory for all new users on a computer.
B.
A user can change the settings of the /etc/profile file, but he cannot delete the file. It can only be deleted by the root user.
C.
It can change the default umask value.
D.
It is used to configure and control system-wide default variables.
The /etc/profile file is used to configure and control system-wide default variables. It performs many operations, some of which are as follows:
Exporting variables
Setting the umask value
Sending mail messages to indicate that new mail has arrived
Only the root user can configure and change the /etc/profile file for all users on the system. Answer: A is incorrect. The /etc/skel directory allows a system administrator to create a default home directory for all new users on a computer or network and thus to make certain that all users begin with the same settings. When a new account is created with a home directory, the entire contents of /etc/skel are copied into the new home directory location. The home directory and its entire contents are then set to the new account's UID and GID, making the new user the owner of the initial files. The system administrator can create files in /etc/skel that provide a sensible default environment for users. For example, he might create an /etc/skel/.profile that sets the PATH environment variable for new users. Answer: B is incorrect. Only the root user can change the settings of the /etc/profile file.
Questions 7
Peter works as a Web Developer for XYZ CORP. He is developing a Web site for the company. In one of the Web pages, Peter wants to ensure that certain information is consistent and visible while the other information changes. Which of the following will he use to accomplish this?
Peter will use frames in the Web page. Frames are extensions of the HTML 3.2 standard introduced by Netscape. Elements such as navigation links and a title graphic can be placed in static individual frames. The <frame> tag defines the contents that will appear in each frame. It is used within the <frameset> tag.
Questions 8
Which of the following methods is used to get a cookie from a client? Note: Here, request is a reference of type HttpServletRequest, and response is a reference of type HttpServletResponse.
Options:
A.
Cookie [] cookies = request.getCookies();
B.
Cookie [] cookies = request.getCookie(String str)
C.
Cookie [] cookies = response.getCookie(String str)
The getCookies() method of the HttpServletRequest interface is used to get the cookies from a client. This method returns an array of cookies. Answer: B, C are incorrect. The getCookie(String str) method does not exist. Answer: D is incorrect. The getCookies() method is present in the HttpServletRequest interface and not in the HttpServletResponse interface.
Questions 9
John works as a Network Auditor for XYZ CORP. The company has a Windows-based network. John wants to conduct risk analysis for the company. Which of the following can be the purpose of this analysis? (Choose three)
Options:
A.
To ensure absolute safety during the audit
B.
To analyze exposure to risk in order to support better decision-making and proper management of those risks
C.
To try to quantify the possible impact or loss of a threat
D.
To assist the auditor in identifying the risks and threats
There are many purposes of conducting risk analysis, which are as follows:
To try to quantify the possible impact or loss of a threat
To analyze exposure to risk in order to support better decision-making and proper management of those risks
To support risk-based audit decisions
To assist the auditor in determining the audit objectives
To assist the auditor in identifying the risks and threats
Answer: A is incorrect. The analysis of risk does not ensure absolute safety. The main purpose of using a risk-based audit strategy is to ensure that the audit adds value with meaningful information.
Questions 10
Which of the following key combinations in the vi editor is used to copy the current line?
The yy key combination in the vi editor is used to copy the current line. The vi editor is an interactive, cryptic, screen-based text editor used to create and edit a file. It operates in either Input mode or Command mode. In Input mode, the vi editor accepts a keystroke as text and displays it on the screen, whereas in Command mode, it interprets keystrokes as commands. As the vi editor is case sensitive, it interprets the same character or characters as different commands, depending upon whether the user enters a lowercase or uppercase character. When a user starts a new session with vi, he must put the editor in Input mode by pressing the "I" key. If he is not able to see the entered text on the vi editor's screen, it means that he has not put the editor in Input mode. The user must change the editor to Input mode before entering any text so that he can see the text he has entered. Answer: D is incorrect. It deletes the next character to the right. Answer: A is incorrect. It deletes the current line and the line above it. Answer: C is incorrect. It deletes from the cursor to the end of the line.
Questions 11
You work as an Exchange Administrator for XYZ CORP. The network design of the company is given below:
Employees are required to use Microsoft Outlook Web Access to access their emails remotely. You are required to accomplish the following goals: Ensure fault tolerance amongst the servers. Ensure the highest level of security and encryption for the Outlook Web Access clients. What will you do to accomplish these goals?
Options:
A.
Install one front-end Exchange 2000 server and continue to run Microsoft Outlook Web Access on the existing server. Place the new server on the perimeter network. Configure unique URLs for each server. Configure Certificate Services. Create a rule on the firewall to direct port 443 to the servers.
B.
Install two front-end Exchange 2000 servers. Place the new servers on the internal network and configure load balancing between them. Configure Certificate Services. Create a rule on the firewall to redirect port 443 to the servers.
C.
Install two front-end Exchange 2000 servers. Place the new servers on the perimeter network and configure load balancing between them. Configure Certificate Services. Create a rule on the firewall to redirect port 443 to the servers.
D.
Install two Exchange 2000 servers. Place the new servers on the perimeter network. Configure unique URLs for each server. Configure Certificate Services. Create a rule on the firewall to direct port 443 to the servers.
To ensure fault tolerance among the servers and to get the highest possible level of security and encryption for OWA clients, you must install two front-end Exchange 2000 servers. Place the new servers on the perimeter network and configure load balancing between them. To enhance security, you should also configure Certificate Services and create a rule on the firewall to redirect port 443 to the servers. The most secure firewall configuration is placing a firewall on either side of the front-end servers. This isolates the front-end servers in a perimeter network, commonly referred to as a demilitarized zone (DMZ). It is always better to configure more than one front-end server to get fault tolerance.
Questions 12
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to see the list of the filesystems mounted automatically at startup by the mount -a command in the /etc/rc startup file. Which of the following Unix configuration files can you use to accomplish the task?
In Unix, the /etc/fstab file is used by system administrators to list the filesystems that are mounted automatically at startup by the mount -a command (in /etc/rc or its equivalent startup file). Answer: C is incorrect. In Unix, the /etc/mtab file contains a list of the currently mounted file systems. This is set up by the boot scripts and updated by the mount command. Answer: A is incorrect. In Unix, the /etc/named.conf file is used for domain name servers. Answer: B is incorrect. In Unix, the /etc/groups file contains passwords to let a user join a group.
Questions 13
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He wants to perform a stealth scan to discover open ports and applications running on the We-are-secure server. For this purpose, he wants to initiate scanning with the IP address of any third party. Which of the following scanning techniques will John use to accomplish his task?
The IDLE scan is initiated with the IP address of a third party. Hence, it becomes a stealth scan. Since the IDLE scan uses the IP address of a third party, it becomes quite impossible to detect the hacker. Answer: B is incorrect. The RPC (Remote Procedure Call) scan is used to find RPC applications. After obtaining the RPC application port with the help of another port scanner, the RPC port scanner sends a null RPC packet to all the RPC service ports that are open on the target system. Answer: A is incorrect. In UDP port scanning, a UDP packet is sent to each port of the target system. If the remote port is closed, the server replies that the remote port is unreachable. If the remote port is open, no such error is generated. Many firewalls block TCP port scanning; in such cases, UDP port scanning may be useful. Certain IDS and firewalls can detect UDP port scanning easily. Answer: D is incorrect. TCP SYN scanning is also known as half-open scanning because a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:
1. The attacker sends a SYN packet to the target port.
2. If the port is open, the attacker receives a SYN/ACK message.
3. Now the attacker breaks the connection by sending an RST packet.
4. If an RST packet is received, it indicates that the port is closed. This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections.
Questions 14
You are concerned about war driving bringing hackers' attention to your wireless network. What is the most basic step you can take to mitigate this risk?
By not broadcasting your SSID, some simple war driving tools won't detect your network. However, you should be aware that there are tools that will still detect networks that are not broadcasting their SSID. Answer: D is incorrect. While MAC filtering may help prevent a hacker from accessing your network, it won't keep him or her from finding your network.
Questions 15
Victor wants to use Wireless Zero Configuration (WZC) to establish a wireless network connection using his computer running on Windows XP operating system. Which of the following are the most likely threats to his computer? (Choose two)
Options:
A.
Information of probing for networks can be viewed using a wireless analyzer and may be used to gain access.
B.
Attacker can use the Ping Flood DoS attack if WZC is used.
C.
An attacker, by creating a fake wireless network with a high-power antenna, can cause Victor's computer to associate with his network to gain access.
D.
It will not allow the configuration of encryption and MAC filtering. Sending information is not secure on wireless network.
Wireless Zero Configuration (WZC), also known as Wireless Auto Configuration or WLAN AutoConfig, is a wireless connection management utility included with Microsoft Windows XP and later operating systems as a service that dynamically selects a wireless network to connect to based on a user's preferences and various default settings. This can be used instead of, or in the absence of, a wireless network utility from the manufacturer of a computer's wireless networking device. The drivers for the wireless adapter query the NDIS Object IDs and pass the available network names to the service. WZC also introduces some security threats, which are as follows: WZC will probe for networks to which it has previously connected. This information can be viewed by anyone using a wireless analyzer and can be used to set up fake access points to connect to. WZC attempts to connect to the wireless network with the strongest signal. An attacker can create fake wireless networks with high-power antennas and cause computers to associate with his access point. Answer: D is incorrect. WZC does not interfere with the configuration of encryption and MAC filtering. Answer: B is incorrect. In a ping flood attack, an attacker sends a large number of ICMP packets to the target computer using the ping command, i.e., ping -f target_IP_address. When the target computer receives these packets in large quantities, it does not respond and hangs.
Questions 16
You work as an IT Technician for XYZ CORP. You have to take security measures for the wireless network of the company. You want to prevent other computers from accessing the company's wireless network. On the basis of the hardware address, which of the following will you use as the best possible method to accomplish the task?
MAC filtering is a security access control technique that allows specific network devices to access, or prevents them from accessing, the network. MAC filtering can also be used on a wireless network to prevent certain network devices from accessing the wireless network. MAC addresses are allocated only to hardware devices, not to persons.
Questions 17
Which of the following tools is used for port scanning?
The nmap utility, also commonly known as port scanner, is used to view the open ports on a Linux computer. It is used by administrators to determine which services are available for external users. This utility helps administrators in deciding whether to disable the services that are not being used in order to minimize any security risk. Answer: B is incorrect. NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt. This information can be useful for diagnosing and resolving name resolution issues, verifying whether or not the resource records are added or updated correctly in a zone, and debugging other server-related problems. This tool is installed along with the TCP/IP protocol through the Control Panel.
Answer: C is incorrect. NETSH is a command line tool to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS, WINS addresses, etc. Answer: A is incorrect. L0phtcrack is a tool that identifies and remediates security vulnerabilities that result from the use of weak or easily guessed passwords. It recovers Windows and Unix account passwords to access user and administrator accounts.
Questions 18
You work as a Database Administrator for XYZ CORP. The company has a multi-platform network. The company requires fast processing of the data in the database of the company so that answers to queries can be generated quickly. To provide fast processing, you have a conceptual idea of representing the dimensions of data available to a user in the data cube format. Which of the following systems can you use to implement your idea?
A multidimensional database management system (MDDBMS) implies the ability to rapidly process the data in the database so that answers to queries can be generated quickly. A number of vendors provide products that use multidimensional databases. The approach behind this system is to manage how data should be stored in the database and, depending upon that storage, how the user interface should vary. Conceptually, an MDDBMS uses the idea of a data cube to represent the dimensions of data available to a user. For example, "sales" could be viewed in the dimensions of product model, geography, time, or some additional dimension. In this case, "sales" is known as the measure attribute of the data cube and the other dimensions are seen as feature attributes. Additionally, a database creator can define hierarchies and levels within a dimension (for example, state and city levels within a regional hierarchy). Answer: C is incorrect. A federated database system is a type of meta-database management system (DBMS) that transparently integrates multiple autonomous database systems into a single federated database. The constituent databases are interconnected via a computer network, and may be geographically decentralized. Since the constituent database systems remain autonomous, a federated database system is a contrastable alternative to the (sometimes daunting) task of merging together several disparate databases. A federated database (or virtual database) is the fully-integrated, logical composite of all constituent databases in a federated database system. Answer: A is incorrect. SYSDBA is a system privilege that allows a user to perform basic database administrative tasks, such as creating a database, altering a database, starting up and shutting down an Oracle instance, performing time-based recovery, etc. SYSDBA contains all system privileges with the ADMIN OPTION. It also contains the SYSOPER system privilege.
Granting the SYSDBA system privilege to a user automatically adds him to the password file that is used to authenticate administrative users. Therefore, a user possessing the SYSDBA system privilege can connect to a database by using the password file authentication method. Answer: D is incorrect. A hierarchical database is a database management system that implements the hierarchical data model. A hierarchical database system organizes data in a family tree structure such that each record has only one owner and the hierarchy is in a parent and child data segment. This implies that the record can have repeated information in a child segment. The best-known hierarchical DBMS is IMS.
Questions 19
Which of the following wireless security standards supported by Windows Vista provides the highest level of security?
WPA2 is an updated version of WPA. This standard is also known as IEEE 802.11i. WPA2 offers stronger protection for wireless networks than the WPA and WEP standards. It is also available as WPA2-PSK and WPA2-EAP for home and enterprise environments respectively. Answer: B is incorrect. than WEP (Wired Equivalent Privacy). Windows Vista supports both WPA-PSK and WPA-EAP. Each of these is described as follows: WPA-PSK: PSK stands for Preshared Key. This standard is meant for the home environment. WPA-PSK requires a user to enter an 8-character to 63-character passphrase into a wireless client. WPA converts the passphrase into a 256-bit key. WPA-EAP: EAP stands for Extensible Authentication Protocol. This standard relies on a back-end server that runs Remote Authentication Dial-In User Service for user authentication. Note: Windows Vista allows a user to use a smart card to connect to a WPA-EAP protected network.
Questions 20
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to check the status of the printer and set its state. Which of the following Unix commands can you use to accomplish the task?
In Unix, the lpc command is used to check the status of the printer and set its state. Answer: A is incorrect. In Unix, the banner command is used to print a large banner on the printer. Answer: D is incorrect. In Unix, the lpr command is used to submit a job to the printer.
Answer: B is incorrect. In Unix, the lpq command is used to show the contents of a spool directory for a given printer.
Questions 21
John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. John is working as a root user on the Linux operating system. He has recently backed up his entire Linux hard drive into the my_backup.tgz file. The size of the my_backup.tgz file is 800MB. Now, he wants to break this file into two files in which the size of the first file named my_backup.tgz.aa should be 600MB and that of the second file named my_backup.tgz.ab should be 200MB. Which of the following commands will John use to accomplish his task?
According to the scenario, John wants to break the my_backup.tgz file into two files in which the size of the first file named my_backup.tgz.aa should be 600MB and that of the second file named my_backup.tgz.ab should be 200MB. Hence, he will use the split --verbose -b 600 my_backup.tgz my_backup.tgz. command, which will produce a first file of 600MB named my_backup.tgz.aa, and the rest of the data (200MB) will be assigned to the second file named my_backup.tgz.ab. The reason behind the names is that the split command by default appends the suffixes 'aa', 'ab', 'ac', ..., 'az', 'ba', 'bb', etc. to the names of the output files. Hence, both conditions, the file names as well as the file sizes, are met by this command. Note: If the size of the tar file my_backup.tgz is 1300MB, the command split --verbose -b 600 my_backup.tgz my_backup.tgz. breaks the my_backup.tgz file into three files, i.e., my_backup.tgz.aa of size 600MB, my_backup.tgz.ab of size 600MB, and my_backup.tgz.ac of size 100MB.
Questions 22
Which of the following are the countermeasures against WEP cracking?
A user can use some countermeasures to prevent WEP cracking. WEP is the least secure option and should not be used; however, where it must be used, the following methods mitigate WEP cracking:
Use a non-obvious key.
Use the longest key supported by hardware.
Change keys often.
Use WEP in combination with other security features, such as rapid WEP key rotation and dynamic keying using 802.1x.
Consider WEP a deterrent, not a guarantee.
Answer: D is incorrect. SSID stands for Service Set Identifier. It is used to identify a wireless network. SSIDs are case sensitive text strings and have a maximum length of 32 characters. All wireless devices on a wireless network must have the same SSID in order to communicate with each other. The SSID on computers and the devices in a WLAN can be set manually or automatically. Configuring the same SSID as that of the Wireless Access Points (WAPs) of other networks will create a conflict. A network administrator often uses a public SSID that is set on the access point. The access point broadcasts the SSID to all wireless devices within its range. Some newer wireless access points have the ability to disable the automatic SSID broadcast feature in order to improve network security.
Questions 23
You work as the Network Technician for XYZ CORP. The company has a Linux-based network. You are working on the Red Hat operating system. You want to view only the last 4 lines of a file named /var/log/cron. Which of the following commands should you use to accomplish the task?
The tail -n 4 /var/log/cron command will show the last four lines of the file /var/log/cron.
Questions 24
Web mining allows a user to look for patterns in data through content mining, structure mining, and usage mining. What is the function of structure mining?
Options:
A.
To examine data collected by search engines
B.
To examine data collected by Web spiders
C.
To examine data related to the structure of a particular Web site
D.
To examine data related to a particular user's browser
Structure mining is used to examine data related to the structure of a particular Web site. Answer: D is incorrect. Usage mining is used to examine data related to a particular user's browser as well as data gathered by forms the user may have submitted during Web transactions.
Questions 25
What is the purpose of the Cellpadding attribute of the <table> tag?
Options:
A.
Cellpadding is used to set the width of cell border and its content.
B.
Cellpadding is used to set the width of a table.
C.
Cellpadding is used to set the space between the cell border and its content.
D.
Cellpadding is used to set the space between two cells in a table.
The Cellpadding attribute is used to set the space, in pixels, between the cell border and its content. If you have not set the value of the Cellpadding attribute for a table, the browser takes the default value as 1.
Questions 26
You have been assigned a project to develop a Web site for a construction company. You have to develop a Web site and want to get more control over the appearance and presentation of your Web pages. You also want to increase the ability to precisely specify the location and appearance of the elements on a page and create special effects. You plan to use Cascading style sheets (CSS). You want to apply the same style consistently throughout your Web site. Which type of style sheet will you use?
To apply the same style consistently throughout your Web site, you should use an external style sheet. Cascading style sheets (CSS) are used so that Web site authors can exercise greater control over the appearance and presentation of their Web pages, and because they increase the ability to precisely specify the location and look of elements on a Web page and help in creating special effects. Cascading Style Sheets consist of rules that are interpreted and applied by the browser to the Web pages and their elements. There are three types of cascading style sheets:
External Style Sheets
Embedded Style Sheets
Inline Style Sheets
External Style Sheets are used whenever consistency in style is required throughout a Web site. A typical external style sheet uses a .css file extension, which can be edited using a text editor such as Notepad. Embedded Style Sheets are used for defining styles for an active page.
Inline Style Sheets are used for defining individual elements of a page. Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number: Q179628
Questions 27
In the DNS Zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone file for a domain from a DNS server. The information provided by the DNS zone can help an attacker gather user names, passwords, and other valuable information. To attempt a zone transfer, an attacker must be connected to a DNS server that is the authoritative server for that zone. Besides this, an attacker can launch a Denial of Service attack against the zone's DNS servers by flooding them with a lot of requests. Which of the following tools can an attacker use to perform a DNS zone transfer?
An attacker can use Host, Dig, and NSLookup to perform a DNS zone transfer. Answer: A is incorrect. DSniff is a sniffer that can be used to record network traffic. Dsniff is a set of tools that are used for sniffing passwords, e-mail, and HTTP traffic. Some of the tools of Dsniff include dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, and mailsnarf. Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and macof tools for switching across switched networks. It can also be used to capture authentication information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc.
Questions 28
Which of the following commands can be used to find out where commands are located?
The which and type commands can be used to find out where commands are located.
Questions 29
John works as a Security Professional. He is assigned a project to test the security of www.we-are-secure.com. John wants to get the information of all network connections and listening ports in the numerical form. Which of the following commands will he use?
According to the scenario, John will use the netstat -an command to accomplish the task. The netstat -an command is used to get the information of all network connections and listening ports in numerical form. The netstat command displays protocol-related statistics and the state of current TCP/IP connections. It is used to get information about the open connections on a computer, incoming and outgoing data, as well as the ports of remote computers to which the computer is connected. The netstat command gets all this networking information by reading the kernel routing tables in memory. Answer: A is incorrect. The netstat -e command displays Ethernet statistics. Answer: B is incorrect. The netstat -r command displays the routing table. Answer: C is incorrect. The netstat -s command displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP.
Questions 30
Which of the following tools is used to make fake authentication certificates?
WinSSLMiM is an HTTPS Man in the Middle attacking tool. It includes FakeCert, a tool used to make fake certificates. It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000. For example:
Generate fake certificate: fc -s www.we-are-secure.com -f fakeCert.crt
Launch WinSSLMiM: wsm -f fakeCert.crt
Answer: D is incorrect. Brutus is a password cracking tool that performs both dictionary and brute force attacks in which passwords are randomly generated from given characters. Brute forcing can be performed on the following authentications:
HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3 (Post Office Protocol v3)
FTP (File Transfer Protocol)
SMB (Server Message Block)
Telnet
Answer: A is incorrect. Obiwan is a Web password cracking tool that is used to perform brute force and hybrid attacks. It is effective against HTTP connections for Web servers that allow unlimited failed login attempts by the user. Obiwan uses wordlists as well as alphanumeric characters as possible passwords. Answer: B is incorrect. Netcat is a freely available networking utility that reads and writes data across network connections by using the TCP/IP protocol. Netcat has the following features:
It provides outbound and inbound connections for TCP and UDP ports.
It provides special tunneling such as UDP to TCP, with the possibility of specifying all network parameters.
It is a good port scanner.
It contains advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of transmitted and received data.
It is an optional RFC854 telnet code parser and responder.
Questions 31
You work as a Network Administrator for NetTech Inc. Your computer has the Windows 2000 Server operating system. You want to harden the security of the server. Which of the following changes are required to accomplish this? (Choose two)
For security, you will have to rename the Administrator account and disable the Guest account. Renaming the Administrator account will ensure that hackers do not break into the network or computer by guessing the password of the Administrator account. You can also create a fake Administrator account that has no privileges and audit its use to detect attacks. Disabling the Guest account will prevent users who do not have a domain or local user account from illegally accessing the network or computer. By default, the Guest account is disabled on systems running Windows 2000 Server. If the Guest account is enabled, you will have to disable it.
Questions 32
Which of the following statements about a session are true? (Choose two)
Options:
A.
The creation time can be obtained using the getSessionCreationTime() method of the HttpSession.
B.
The getAttribute() method of the HttpSession interface returns a String.
C.
The time for the setMaxInactiveInterval() method of the HttpSession interface is specified in seconds.
D.
The isNew() method is used to identify if the session is new.
The setMaxInactiveInterval() method sets the maximum time in seconds before a session becomes invalid. The syntax of this method is as follows: public void setMaxInactiveInterval(int interval) Here, interval is specified in seconds. The isNew() method of the HttpSession interface returns true if the client does not yet know about the session, or if the client chooses not to join the session. This method throws an IllegalStateException if called on an invalidated session. Answer: B is incorrect. The getAttribute(String name) method of the HttpSession interface returns the value of the named attribute as an object. It returns a null value if no attribute with the given name is bound to the session. This method throws an IllegalStateException if it is called on an invalidated session. Answer: A is incorrect. The creation time of a session can be obtained using the getCreationTime() method of the HttpSession.
Questions 33
Which of the following allows the use of multiple virtual servers using different DNS names resolved by the same IP address?
HTTP 1.1 allows the use of multiple virtual servers, all using different DNS names resolved by the same IP address. The WWW service supports a concept called virtual server. A virtual server can be used to host multiple domain names on the same physical Web server. Using virtual servers, multiple FTP sites and Web sites can be hosted on a single computer. It means that there is no need to allocate different computers and software packages for each site. Answer: D is incorrect. VPN stands for virtual private network. It allows users to use the Internet as a secure pipeline to their corporate local area networks (LANs). Remote users can dial-in to any local Internet Service Provider (ISP) and initiate a VPN session to connect to their corporate LAN over the Internet. Companies using VPNs significantly reduce long-distance dial-up charges. VPNs also provide remote employees with an inexpensive way of remaining connected to their company's LAN for extended periods.
Answer: B is incorrect. Java is an object oriented programming language developed by Sun Microsystems. It allows the creation of platform independent executables. Java source code files are compiled into a format known as bytecode (files with .class extension). Java supports programming for the Internet in the form of Java applets. Java applets can be executed on a computer having a Java interpreter and a run-time environment known as Java Virtual Machine (JVM). Java Virtual Machines (JVMs) are available for most operating systems, including UNIX, Macintosh OS, and Windows. Answer: C is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup symbols or codes used to create Web pages and define formatting specifications. The markup tells the Web browser how to display the content of the Web page.
Questions 34
In addition to denying and granting access, what other services does a firewall support?
Options:
A.
Network Access Translation (NAT)
B.
Secondary connections
C.
Control Internet access based on keyword restriction
A firewall is a tool to provide security to a network. It is used to protect an internal network or intranet against unauthorized access from the Internet or other outside networks. It restricts inbound and outbound access and can analyze all traffic between an internal network and the Internet. Users can configure a firewall to pass or block packets from specific IP addresses and ports. Firewalls often have network address translation (NAT) functionality. The hosts protected behind a firewall commonly have addresses in the private address range. Firewalls have such functionality to hide the true address of protected hosts. Firewalls are used by administrators to control Internet access based on keyword restriction. Some proxy firewalls can cache data so that clients can access frequently requested data from the local cache instead of using the Internet connection to request it. This is convenient for cutting down on unnecessary bandwidth consumption. Answer: B is incorrect. Secondary connections are an area where a firewall has difficulty securing the network: employees make alternate connections to the Internet for their personal use, which renders the firewall useless.
Questions 35
John visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1.
Original cookie values: ItemID1=2 ItemPrice1=900 ItemID2=1 ItemPrice2=200
Modified cookie values: ItemID1=2 ItemPrice1=1 ItemID2=1 ItemPrice2=1
Now, he clicks the Buy button, and the prices are sent to the server that calculates the total price. Which of the following hacking techniques is John performing?
John is performing cookie poisoning. In cookie poisoning, an attacker modifies the value of cookies before sending them back to the server. On modifying the cookie values, an attacker can log in to any other user account and can perform identity theft. The following figure explains how cookie poisoning occurs:
For example: The attacker visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1.
Original cookie values: ItemID1=2 ItemPrice1=900 ItemID2=1 ItemPrice2=200
Modified cookie values: ItemID1=2 ItemPrice1=1 ItemID2=1 ItemPrice2=1
Now, the attacker clicks the Buy button and the prices are sent to the server that calculates the total price. Another use of a cookie poisoning attack is to pretend to be another user after changing the username in the cookie values:
Original cookie values: LoggedIn=True Username=Mark
Modified cookie values: LoggedIn=True Username=Admin
Now, after modifying the cookie values, the attacker can log in as the admin.
Answer: A is incorrect. A cross site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user's system. Cross site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc.
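The server-side weakness behind the Question 35 scenario, shown as an added example (not code from the page): the flawed design charges whatever price the cookie carries, the hardened version takes only item IDs from the cookie and prices from a server-side catalog, and an HMAC tag detects edits to any state that must stay in the cookie. The catalog, secret key and helper names are constructed for illustration.

```python
"""Cookie poisoning (Question 35): vulnerable and hardened total calculation.
Added example; catalog, key and helper names are constructed, not from the page."""
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side catalog: item ID -> price. The server, not the
# client, is the authority on what an item costs.
CATALOG = {1: 200, 2: 900}

# Constructed signing secret; a real deployment keeps this out of source control.
SECRET_KEY = b"example-secret-do-not-use"

# Cookie values quoted from the question, as a browser would send them.
ORIGINAL_COOKIE = "ItemID1=2; ItemPrice1=900; ItemID2=1; ItemPrice2=200"
MODIFIED_COOKIE = "ItemID1=2; ItemPrice1=1; ItemID2=1; ItemPrice2=1"


def _cart_fields(cookie_header: str) -> dict:
    """Parse a Cookie header into {name: value} strings."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_total(cookie_header: str) -> int:
    """The flawed design from the question: the price in the cookie is used
    as-is, so whatever the client sends is what gets charged."""
    fields = _cart_fields(cookie_header)
    total, n = 0, 1
    while f"ItemID{n}" in fields:
        total += int(fields[f"ItemPrice{n}"])
        n += 1
    return total


def hardened_total(cookie_header: str) -> int:
    """Hardened version: only item IDs come from the cookie; the price is always
    looked up server-side, so client-supplied prices change nothing."""
    fields = _cart_fields(cookie_header)
    total, n = 0, 1
    while f"ItemID{n}" in fields:
        item_id = int(fields[f"ItemID{n}"])
        if item_id not in CATALOG:
            raise ValueError(f"unknown item id {item_id}")
        total += CATALOG[item_id]
        n += 1
    return total


def sign_cookie(payload: str) -> str:
    """Attach an HMAC-SHA256 tag so that any edit to the cookie is detected.
    This is the usual defence when a LoggedIn flag or username must live in
    the cookie at all (the second scenario in the answer)."""
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(signed: str) -> Optional[str]:
    """Return the payload if its tag matches, else None (tampered or forged)."""
    payload, _, tag = signed.rpartition("|")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_total(ORIGINAL_COOKIE), vulnerable_total(MODIFIED_COOKIE))
    print("hardened:  ", hardened_total(ORIGINAL_COOKIE), hardened_total(MODIFIED_COOKIE))
    signed = sign_cookie("LoggedIn=True; Username=Mark")
    print("tamper detected:", verify_cookie(signed.replace("Mark", "Admin")) is None)
```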
Questions 36
Which of the following are HTML tags, used to create a table?
In Hypertext Markup Language (HTML), a table is created using the <table>, <tr>, and <td> tags. The <table> tag designs the table layout, the <tr> tag is used to create a row, and the <td> tag is used to create a column. For example, the following code generates a table with two rows and two columns:
<table>
<tr>
<td>Cell 1</td>
<td>Cell 2</td>
</tr>
<tr>
<td>Cell 3</td>
<td>Cell 4</td>
</tr>
</table>
Answer: C, E, and D are incorrect. There are no HTML tags such as
, , and .
Questions 37
Which of the following types of attack is described in the statement below? "It is a technique employed to compromise the security of network switches. In this attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table."
MAC flooding is a technique employed to compromise the security of network switches. In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. A malicious user could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally. Answer: B is incorrect. Blind spoofing is a type of IP spoofing attack. This attack occurs when the attacker is on a different subnet from the destination host. Therefore, it is more difficult to obtain the correct TCP sequence number and acknowledgement number of the data frames. In a blind spoofing attack, an attacker sends several packets to the target computer so that he can easily obtain the sequence number of each data frame. If the attacker is successful in compromising the sequence number of the data frames, the data is successfully sent to the target computer. Answer: C is incorrect. A dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks.
Answer: A is incorrect. Man-in-the-middle attacks occur when an attacker successfully inserts an intermediary software or program between two communicating hosts. The intermediary software or program allows attackers to listen to and modify the communication packets passing between the two hosts. The software intercepts the communication packets and then sends the information to the receiving host. The receiving host responds to the software, presuming it to be the legitimate client.
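A monitoring view of the MAC flooding attack described above, as an added example that is not part of the page: it models the switch's MAC-address-to-port table, shows when the table is exhausted (the failopen state), and applies the per-port limit on learned MAC addresses that switch port-security features enforce. The table capacity, the per-port threshold and the frame records are constructed values.

```python
"""MAC flooding (Question 37): simulate the switch address table and flag the
port that is learning far too many source MACs. Added example; all values are
constructed for illustration."""
import random
from collections import defaultdict

TABLE_CAPACITY = 64       # constructed: a tiny table so exhaustion shows quickly
MAX_MACS_PER_PORT = 5     # constructed: a normal access port sees a handful of MACs


class SwitchTable:
    """Tracks learned source MACs per port and whether the table is exhausted."""

    def __init__(self, capacity=TABLE_CAPACITY, max_per_port=MAX_MACS_PER_PORT):
        self.capacity = capacity
        self.max_per_port = max_per_port
        self.entries = {}                    # mac -> port
        self.per_port = defaultdict(set)     # port -> set of learned macs
        self.alerts = []                     # ports that crossed the limit

    def learn(self, port, mac):
        """Learn one frame's source MAC, as the switch does on ingress."""
        if mac in self.entries:
            return
        if len(self.entries) >= self.capacity:
            # Table full: a real switch now floods frames with unknown
            # destinations out of every port (the failopen behaviour).
            return
        self.entries[mac] = port
        self.per_port[port].add(mac)
        if len(self.per_port[port]) == self.max_per_port + 1:
            self.alerts.append(port)

    def failopen(self):
        """True once the table is exhausted."""
        return len(self.entries) >= self.capacity

    def suspicious_ports(self):
        return sorted(set(self.alerts))


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def constructed_frames():
    """Two normal ports plus one port (Gi1/0/7) flooding random source MACs."""
    rng = random.Random(7)
    frames = [("Gi1/0/1", "00:11:22:33:44:01"), ("Gi1/0/2", "00:11:22:33:44:02"),
              ("Gi1/0/1", "00:11:22:33:44:01")]
    frames += [("Gi1/0/7", random_mac(rng)) for _ in range(200)]
    return frames


def analyse(frames, capacity=TABLE_CAPACITY, max_per_port=MAX_MACS_PER_PORT):
    """Replay (port, source_mac) records through the table model."""
    table = SwitchTable(capacity, max_per_port)
    for port, mac in frames:
        table.learn(port, mac)
    return table


if __name__ == "__main__":
    t = analyse(constructed_frames())
    print("failopen:", t.failopen(), "suspicious ports:", t.suspicious_ports())
```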
Questions 38
Which of the following statements is true about COLSPAN attribute?
Options:
A.
COLSPAN is used to create columns in a table.
B.
COLSPAN is used to divide one column into many columns.
C.
COLSPAN is used to span one column across many rows.
D.
COLSPAN is used to span one column across many columns.
The COLSPAN attribute is used to span one column across many columns. COLSPAN is an attribute of the <td> and <th> tags that allows a single column in a table to take up space that is occupied by several columns. If the specified COLSPAN value is greater than the number of columns in the table, then a new column is created at the end of the row. Reference: MSDN, Contents: COLSPAN
Questions 39
You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to do RARP mapping from hardware mapping addresses to IP addresses. Which of the following Unix configuration files can you use to accomplish the task?
In Unix, the /etc/ethers file is used by system administrators for RARP mapping from hardware (MAC) addresses to IP addresses.
Answer: A is incorrect. In Unix, the /etc/dhcpd.conf file is the configuration file for the DHCP server daemon. Answer: C is incorrect. In Unix, the /etc/exports file describes exported file systems for NFS services. Answer: B is incorrect. In Unix, the /etc/motd file automatically displays the message of the day after a successful login.
Questions 40
Which of the following statements are true about the Enum tool?
Options:
A.
It uses NULL and User sessions to retrieve user lists, machine lists, LSA policy information, etc.
B.
It is capable of performing brute force and dictionary attacks on individual accounts of Windows NT/2000.
C.
One of the countermeasures against the Enum tool is to disable TCP port 139/445.
D.
It is a console-based Win32 information enumeration utility.
Enum is a console-based Win32 information enumeration utility. It uses null sessions to retrieve user lists, machine lists, share lists, name lists, group and member lists, passwords, and LSA policy information. It is also capable of performing brute force and dictionary attacks on individual accounts. Since the Enum tool works on the NetBIOS NULL sessions, disabling the NetBIOS port can be a good countermeasure against the Enum tool.
Questions 41
You work as the Network Administrator for XYZ CORP. The company has a Linux-based network. You are a root user on the Red Hat operating system. You want to see first five lines of the file /etc/passwd. Which of the following commands should you use to accomplish the task?
The head -n 5 /etc/passwd command will show the first 5 lines of the file /etc/passwd.
Questions 42
You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. The company has recently provided laptops to its sales team members. You have configured access points in the network to enable a wireless network. The company's security policy states that all users using laptops must use smart cards for authentication. Which of the following authentication techniques will you use to implement the security policy of the company?
In order to ensure that the laptop users use smart cards for authentication, you will have to configure IEEE 802.1X authentication using the EAP-TLS protocol on the network.
Questions 43
Which of the following statements are true about KisMAC?
Options:
A.
It scans for networks passively on supported cards.
B.
It cracks WEP and WPA keys by Rainbow attack or by dictionary attack.
C.
It is a wireless network discovery tool for Mac OS X.
D.
Data generated by KisMAC can also be saved in pcap format.
KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar to those of Kismet, its Linux/BSD namesake and far exceeding those of NetStumbler, its closest equivalent on Windows. The program is geared toward network security professionals, and is not as novice-friendly as similar applications. KisMAC will scan for networks passively on supported cards - including Apple's AirPort, and AirPort Extreme, and many third-party cards, and actively on any card supported by Mac OS X itself. Cracking of WEP and WPA keys, both by brute force, and exploiting flaws such as weak scheduling and badly generated keys is supported when a card capable of monitor mode is used, and packet reinjection can be done with a supported card. GPS mapping can be performed when an NMEA compatible GPS receiver is attached. Data can also be saved in pcap format and loaded into programs such as Wireshark.
Questions 44
Sam works as a Web Developer for McRobert Inc. He creates a Web site. He wants to include the following table in the Web site:
He writes the following HTML code to create the table:
(HTML code listing, lines 1 to 22, not preserved in this copy of the question)
Which of the following tags will Sam place at lines 3 and 4 to create the table?
The tag is used to specify each cell of the table. It can be used only within a row in a table. The ROWSPAN attribute of the tag specifies the number of rows that a cell spans in a table. Since the first cell of the table spans three rows, Sam will use . specifies the number of columns that the head row contains. Answer: C is incorrect. Placing the tags given in this option at lines 3 and 4 will create the following table: Answer: A, B are incorrect. There are no attributes such as SPAN and SPANWIDTH for the tag.
Questions 45
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?
The nmap -O -p switch can be used to perform TCP/IP stack fingerprinting. Nmap is a free open-source utility for network exploration and security auditing. It is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card. Nmap runs on Linux, Microsoft Windows, etc. Answer: B is incorrect. The nmap -sU -p switch can be used to perform UDP port scanning. Answer: A is incorrect. The nmap -sS switch is used to perform a TCP half scan. TCP SYN scanning is also known as half-open scanning because in this a full TCP connection is never opened. Answer: D is incorrect. The nmap -sT switch is used to perform a TCP full scan.
Questions 46
Which of the following is the default port for Hypertext Transfer Protocol (HTTP)?
Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a client application or browser sends a request to the server using HTTP commands, the server responds with a message containing the protocol version, success or failure code, server information, and body content, depending on the request. HTTP uses TCP port 80 as the default port. Answer: B is incorrect. Port 443 is the default port for Hypertext Transfer Protocol Secure (HTTPS) and Secure Socket Layer (SSL). Answer: A, D are incorrect. By default, FTP server uses TCP port 20 for data transfer and TCP port 21 for session control.
Questions 47
Which of the following statements are true about data aggregation?
Options:
A.
A common aggregation purpose is to get more information about particular groups based on specific variables.
B.
Data aggregation cannot be user-based.
C.
Data aggregation is any process in which information is gathered and expressed in a summary form.
D.
Online analytic processing (OLAP) is a simple type of data aggregation.
Data aggregation is any process in which information is gathered and expressed in a summary form, for purposes such as statistical analysis. A common aggregation purpose is to get more information about particular groups based on specific variables such as age, profession, or income. The information about such groups can then be used for Web site personalization to choose content and advertising likely to appeal to an individual belonging to one or more groups for which data has been collected. For example, a site that sells music CDs might advertise certain CDs based on the age of the user and the data aggregate for their age group. Online analytic processing (OLAP) is a simple type of data aggregation in which the marketer uses an online reporting mechanism to process the information. Answer: B is incorrect. Data aggregation can be user-based. Personal data aggregation services offer the user a single point for collection of their personal information from other Web sites. The customer uses a single master personal identification number (PIN) to give them access to their various accounts (such as those for financial institutions, airlines, book and music clubs, and so on). Performing this type of data aggregation is sometimes referred to as "screen scraping."
Questions 48
Which of the following is a wireless auditing tool that is used to pinpoint the actual physical location of wireless devices in the network?
Ekahau is an easy-to-use, powerful, and comprehensive tool for network site surveys and optimization. It is an auditing tool that can be used to pinpoint the actual physical location of wireless devices in the network. This tool can be used to make a map of the office and then perform the survey of the office. In the process, if one finds an unknown node, Ekahau can be used to locate that node. Answer: D is incorrect. AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys. Answer: C is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:
To identify networks by passively collecting packets
To detect standard named networks
To detect masked networks
To collect the presence of non-beaconing networks via data traffic
Answer: A is incorrect. KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar to those of Kismet, its Linux/BSD namesake and far exceeding those of NetStumbler, its closest equivalent on Windows. The program is geared toward network security professionals, and is not as novice-friendly as similar applications. KisMAC will scan for networks passively on supported cards - including Apple's AirPort, and AirPort Extreme, and many third-party cards, and actively on any card supported by Mac OS X itself. Cracking of WEP and WPA keys, both by brute force, and exploiting flaws such as weak scheduling and badly generated keys is supported when a card capable of monitor mode is used, and packet reinjection can be done with a supported card. GPS mapping can be performed when an NMEA compatible GPS receiver is attached. Data can also be saved in pcap format and loaded into programs such as Wireshark.
Questions 49
Which of the following tools can be used to perform ICMP tunneling? (Choose two)
Ptunnel and Itunnel are the tools that are used to perform ICMP tunneling. In ICMP tunneling, an attacker establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets. ICMP tunneling works by injecting arbitrary data into an echo packet sent to a remote computer. The remote computer replies in the same manner, injecting an answer into another ICMP packet and sending it back. The client performs all communication using ICMP echo request packets, while the proxy uses echo reply packets. Normally, ICMP tunneling involves sending what appear to be ordinary ICMP messages that actually carry the Trojan's communications. Answer: C is incorrect. WinTunnel is used to perform TCP tunneling. Answer: D is incorrect. Ethereal is a network sniffer.
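The detection side of the ICMP tunneling mechanism described above, as an added example that is neither the page's nor any listed tool's code: it builds and parses raw ICMP echo packets (RFC 792 header layout) and reports two traits a tunnel leaves behind, an oversized request payload and a reply whose payload is not a copy of the matching request. The packets in the capture and the size threshold are constructed assumptions.

```python
"""ICMP tunneling (Question 49): parse raw ICMP echo packets and flag tunnel
indicators. Added example; the capture and the threshold are constructed."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
NORMAL_PAYLOAD_MAX = 64   # assumption: ordinary ping payloads are 32 to 56 bytes


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used in the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo packet: 8-byte header (type, code, checksum, id, seq) + payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split a raw ICMP packet into its fields; a valid packet checksums to zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": checksum(packet) == 0}


def find_tunnel_indicators(packets):
    """Walk a capture in order, pairing replies with requests by (id, seq).
    Returns a list of (packet index, reason)."""
    requests = {}
    findings = []
    for idx, raw in enumerate(packets):
        p = parse_icmp(raw)
        if not p["checksum_ok"]:
            findings.append((idx, "bad checksum"))
            continue
        key = (p["id"], p["seq"])
        if p["type"] == ICMP_ECHO_REQUEST:
            requests[key] = p["payload"]
            if len(p["payload"]) > NORMAL_PAYLOAD_MAX:
                findings.append((idx, "oversized echo request payload"))
        elif p["type"] == ICMP_ECHO_REPLY:
            sent = requests.get(key)
            # RFC 792: the reply must return the request data unchanged. A tunnel
            # proxy instead writes its answer into the reply payload.
            if sent is not None and p["payload"] != sent:
                findings.append((idx, "reply payload differs from request"))
    return findings


def constructed_capture():
    """A normal ping exchange followed by a constructed tunnel exchange."""
    ping_data = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte pattern like Windows ping
    tunnel_out = b"constructed client data"
    tunnel_in = b"constructed proxy answer"
    return [
        build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, ping_data),
        build_icmp_echo(ICMP_ECHO_REPLY, 0x1234, 1, ping_data),
        build_icmp_echo(ICMP_ECHO_REQUEST, 0xBEEF, 1, tunnel_out),
        build_icmp_echo(ICMP_ECHO_REPLY, 0xBEEF, 1, tunnel_in),
        build_icmp_echo(ICMP_ECHO_REQUEST, 0xBEEF, 2, bytes(range(256)) * 2),
    ]


if __name__ == "__main__":
    for idx, reason in find_tunnel_indicators(constructed_capture()):
        print(f"packet {idx}: {reason}")
```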
Questions 50
The employees of CCN Inc. require remote access to the company's proxy servers. In order to provide solid wireless security, the company uses LEAP as the authentication protocol. Which of the following is supported by the LEAP protocol?
LEAP can use only password hash as the authentication technique. Not only LEAP, but EAP-TLS, EAP-TTLS, and PEAP also support dynamic key encryption and mutual authentication. Answer: C is incorrect. LEAP provides only a moderate level of security. Answer: B is incorrect. LEAP uses password hash for server authentication.
Questions 51
Mark works as the Network Administrator for XYZ CORP. The company has a Unix-based network. Mark wants to scan one of the Unix systems to detect security vulnerabilities. To accomplish this, he uses TARA as a system scanner. What can be the reasons that made Mark use TARA?
Options:
A.
It has a very specific function of seeking paths to root.
Tiger Analytical Research Assistant (TARA) is a set of scripts that scans a Unix system for security problems. Following are the pros and cons of using TARA.
Pros:
It is open source.
It is very modular.
It can work on a wide variety of platforms.
It is composed mostly of bash scripts; hence, it can run on any Unix platform with little difficulty.
Cons:
It has a very specific function of seeking paths to root.
Answer: A is incorrect. It is a limitation of TARA that reduces its flexibility to be used for different purposes.
Questions 52
Which of the following statements are true about MS-CHAPv2?
Options:
A.
It is a connectionless protocol.
B.
It provides an authenticator-controlled password change mechanism.
C.
It is subject to offline dictionary attacks.
D.
It can be replaced with EAP-TLS as the authentication mechanism for PPTP.
MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet. MS-CHAPv2 has various features such as:
It is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol.
It provides an authenticator-controlled password change mechanism.
It provides an authenticator-controlled authentication retry mechanism.
It defines failure codes returned in the Failure packet message field.
With weak passwords, MS-CHAPv2 is subject to offline dictionary attacks; hence, it can be replaced with EAP-TLS as the authentication mechanism for PPTP.
Questions 53
Mark is an attacker. He wants to discover wireless LANs by listening to beacons or sending probe requests and thereby provide a launch point for further attacks. Which of the following tools can he use to accomplish the task?
War driving is an attack in which the attacker discovers wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks. Airmon-ng, DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, and WiFiFoFum are the tools that can be used to perform a war driving attack. Answer: B is incorrect. Wellenreiter is a tool that is used to perform MAC spoofing attacks.
Questions 54
Which of the following Web attacks is performed by manipulating codes of programming languages such as SQL, Perl, Java present in the Web pages?
A code injection attack exists whenever a scripting or programming language is used in a Web page. All that the attacker needs is an error or opening. That opening usually comes in the form of an input field that is not validated correctly. It is not necessary for the code injection attack to be on the Web page. It can be located in the back end as part of a database query of the Web site. If any part of the server uses Java, JavaScript, C, SQL, or any other code between the Internet and the data, it is vulnerable to the code injection attack.
Answer: C is incorrect. A cross site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user's system. Cross site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc. Answer: A is incorrect. A command injection attack is used to inject and execute commands specified by the attacker in the vulnerable application. The application, which executes unwanted system commands, is like a virtual system shell. The attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. The command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker. Answer: D is incorrect. Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated.