
Certified Ethical Hacker Exam 312-50 Assessment Test - Part1




Assessment Test 

1. In which type of attack are passwords never cracked? 

A. Cryptography attacks 

B. Brute-force attacks 

C. Replay attacks 

D. John the Ripper attacks 

2. If the password is 7 characters or less, then the second half of the LM hash is always: 

A. 0xAAD3B435B51404EE 

B. 0xAAD3B435B51404AA 

C. 0xAAD3B435B51404BB 

D. 0xAAD3B435B51404CC 

3. What defensive measures will you take to protect your network from password brute-force attacks? (Choose all that apply.) 

A. Never leave a default password. 

B. Never use a password that can be found in a dictionary. 

C. Never use a password related to the hostname, domain name, or anything else that can be found with Whois. 

D. Never use a password related to your hobbies, pets, relatives, or date of birth. 

E. Use a word that has more than 21 characters from a dictionary as the password. 

4. Which of the following is the act intended to prevent spam emails? 

A. 1990 Computer Misuse Act 

B. Spam Prevention Act 

C. US-Spam 1030 Act 

D. CANSPAM Act 

5. ________________ is a Cisco IOS mechanism that examines packets on Layers 4 to 7. 

A. Network-Based Application Recognition (NBAR) 

B. Denial-of-Service Filter (DOSF) 

C. Rule Filter Application Protocol (RFAP) 

D. Signature-Based Access List (SBAL) 

6. What filter in Ethereal will you use to view Hotmail messages? 

A. (http contains “e‑mail”) && (http contains “hotmail”) 

B. (http contains “hotmail”) && (http contains “Reply-To”) 

C. (http = “login.passport.com”) && (http contains “SMTP”) 

D. (http = “login.passport.com”) && (http contains “POP3”)


7. Who are the primary victims of SMURF attacks on the Internet? 

A. IRC servers 

B. IDS devices 

C. Mail servers 

D. SPAM filters 

8. What type of attacks target DNS servers directly? 

A. DNS forward lookup attacks 

B. DNS cache poisoning attacks 

C. DNS reverse connection attacks 

D. DNS reflector and amplification attack 

9. TCP/IP session hijacking is carried out in which OSI layer? 

A. Transport layer 

B. Datalink layer 

C. Network layer 

D. Physical layer 

10. What is the term used in serving different types of web pages based on the user’s IP address? 

A. Mirroring website 

B. Website filtering 

C. IP access blockade 

D. Website cloaking 

11. True or False: Data is sent over the network as cleartext (unencrypted) when Basic Authentication is configured on web servers. 

A. True 

B. False 

12. What is the countermeasure against XSS scripting? 

A. Create an IP access list and restrict connections based on port number. 

B. Replace < and > characters with &lt; and &gt; using server scripts. 

C. Disable JavaScript in Internet Explorer and Firefox browsers. 

D. Connect to the server using HTTPS protocol instead of HTTP. 

13. How would you prevent a user from connecting to the corporate network via their home computer and attempting to use a VPN to gain access to the corporate LAN? 

A. Enforce Machine Authentication and disable VPN access to all your employee accounts from any machine other than corporate-issued PCs. 

B. Allow VPN access but replace the standard authentication with biometric authentication. 

C. Replace the VPN access with dial-up modem access to the company’s network. 

D. Enable 25-character complex password policy for employees to access the VPN network.

14. How would you compromise a system that relies on cookie-based security? 

A. Inject the cookie ID into the web URL and connect back to the server. 

B. Brute-force the encryption used by the cookie and replay it back to the server. 

C. Intercept the communication between the client and the server and change the cookie to make the server believe that there is a user with higher privileges. 

D. Delete the cookie, reestablish connection to the server, and access higher-level privileges. 

15. Windows is dangerously insecure when unpacked from the box; which of the following must you do before you use it? (Choose all that apply.) 

A. Make sure a new installation of Windows is patched by installing the latest service packs. 

B. Install the latest security patches for applications such as Adobe Acrobat, Macromedia Flash, Java, and WinZip. 

C. Install a personal firewall and lock down unused ports from connecting to your computer. 

D. Install the latest signatures for antivirus software. 

E. Create a non-admin user with a complex password and log onto this account. 

F. You can start using your computer since the vendor, such as Dell, Hewlett-Packard, and IBM, already has installed the latest service packs. 

16. Which of these is a patch management and security utility? 

A. MBSA 

B. BSSA 

C. ASNB 

D. PMUS 

17. How do you secure a GET method in web page posts? 

A. Encrypt the data before you send using the GET method. 

B. Never include sensitive information in a script. 

C. Use HTTPS SSLv3 to send the data instead of plain HTTPS. 

D. Replace GET with the POST method when sending data. 

18. What are two types of buffer overflow? 

A. Stack-based buffer overflow 

B. Active buffer overflow 

C. Dynamic buffer overflow 

D. Heap-based buffer overflow


19. How does a polymorphic shellcode work? 
A. It reverses the working instructions into opposite order by masking the IDS signatures. 

B. It converts the shellcode into Unicode, uses a loader to convert back to machine code, and then executes the shellcode. 

C. It encrypts the shellcode by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode. 

D. It compresses the shellcode into normal instructions, uncompresses the shellcode using loader code, and then executes the shellcode. 

20. Where are passwords kept in Linux? 

A. /etc/shadow 

B. /etc/passwd 

C. /bin/password 

D. /bin/shadow 

21. What of the following is an IDS defeating technique? 

A. IP routing or packet dropping 

B. IP fragmentation or session splicing 

C. IDS spoofing or session assembly 

D. IP splicing or packet reassembly 

22. True or False: A digital signature is simply a message that is encrypted with the public key instead of the private key. 

A. True 

B. False 

23. Every company needs which of the following documents? 

A. Information Security Policy (ISP) 

B. Information Audit Policy (IAP) 

C. Penetration Testing Policy (PTP) 

D. User Compliance Policy (UCP) 

24. What does the hacking tool Netcat do? 

A. Netcat is a flexible packet sniffer/logger that detects attacks. Netcat is a library packet capture (libpcap)-based packet sniffer/logger that can be used as a lightweight network intrusion detection system. 

B. Netcat is a powerful tool for network monitoring and data acquisition. This program allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that matches a given expression. 

C. Netcat is called the TCP/IP Swiss army knife. It is a simple Unix utility that reads and writes data across network connections using the TCP or UDP protocol. 

D. Netcat is a security assessment tool based on SATAN (Security Administrator’s Integrated Network Tool).


25. Which tool is a file and directory integrity checker that aids system administrators and users in monitoring a designated set of files for any changes? 

A. Hping2 

B. DSniff 

C. Cybercop Scanner 

D. Tripwire 

26. Which of the following Nmap commands launches a stealth SYN scan against each machine in a class C address space where target.example.com resides and tries to determine what operating system is running on each host that is up and running? 

A. nmap -v target.example.com 

B. nmap -sS -O target.example.com/24 

C. nmap -sX -p 22,53,110,143,4564 198.116.*.1-127 

D. nmap -XS -O target.example.com 

27. Snort is a Linux-based intrusion detection system. Which command enables Snort to use network intrusion detection (NIDS) mode, assuming snort.conf is the name of your rules file and the IP address is 192.168.1.0 with subnet mask 255.255.255.0? 

A. ./snort -c snort.conf 192.168.1.0/24 

B. ./snort 192.168.1.0/24 -x snort.conf 

C. ./snort -dev -l ./log -a 192.168.1.0/8 -c snort.conf 

D. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf 

28. Buffer overflow vulnerabilities are due to applications that do not perform bounds checks in the code. Which of the following C/C++ functions do not perform bounds checks? 

A. gets() 

B. memcpy() 

C. strcpy() 

D. scanf() 

E. strcat() 

29. How do you prevent SMB hijacking in Windows operating systems? 

A. Install WINS Server and configure secure authentication. 

B. Disable NetBIOS over TCP/IP in Windows NT and 2000. 

C. The only effective way to block SMB hijacking is to use SMB signing. 

D. Configure 128-bit SMB credentials key-pair in TCP/IP properties. 

30. Which type of hacker represents the highest risk to your network? 

A. Disgruntled employees 

B. Black-hat hackers 

C. Gray-hat hackers 

D. Script kiddies


31. Which of the following command-line switches would you use for OS detection in Nmap? 

A. -X 

B. -D 

C. -O 

D. -P 

32. LM authentication is not as strong as Windows NT authentication, so you may want to disable its use, because an attacker eavesdropping on network traffic will attack the weaker protocol. A successful attack can compromise the user’s password. How do you disable LM authentication in Windows XP? 

A. Download and install the LMSHUT.EXE tool from Microsoft’s website. 

B. Disable LM authentication in the Registry. 

C. Stop the LM service in Windows XP. 

D. Disable the LSASS service in Windows XP. 

33. You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply? 

A. ip.equals 10.0.0.22 

B. ip = 10.0.0.22 

C. ip.address = 10.0.0.22 

D. ip.src == 10.0.0.22 

34. What does FIN in a TCP flag define? 

A. Used to abort a TCP connection abruptly 

B. Used to close a TCP connection 

C. Used to acknowledge receipt of a previous packet or transmission 

D. Used to indicate the beginning of a TCP connection 

35. What does ICMP (type 11, code 0) denote? 

A. Time Exceeded 

B. Source Quench 

C. Destination Unreachable 

D. Unknown Type




Answers to Assessment Test

1. C. Replay attacks involve capturing passwords, most likely encrypted, and playing them back to fake authentication. 

2. A. An LM hash splits a password into two 7-character sections and hashes each separately. If the password is 7 characters or less, then the blank second section will always hash to the hex value AAD3B435B51404EE. The 0x preceding the value indicates it is in hex. 
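An added example, not part of the original assessment test: the constant from answer 2 lets a defender audit a pwdump-style export for accounts whose LM hash reveals a password of 7 characters or fewer, or whose LM hash is absent (the state you want after disabling LM storage). The dump lines below are constructed samples; only the AAD3B435B51404EE constant comes from the answer above.

```python
# Added example (not from the original assessment): audit LM hashes for the
# padding constant described in answer 2. The dump lines are constructed
# samples in the common "user:RID:LMHASH:NTHASH:::" export format.
EMPTY_LM_HALF = "AAD3B435B51404EE"   # LM hash of an empty 7-character block
EMPTY_LM_HASH = EMPTY_LM_HALF * 2    # both halves empty: no LM hash stored

SAMPLE_DUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:::
bob:1002:0123456789ABCDEFAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
carol:1003:E52CAC67419A9A224A3B108F3FA6CB6D:7A21990FCD3D759941E45C490F143D5F:::
"""


def classify_lm(lm_hash: str) -> str:
    """Classify a 32-hex-character LM hash by the padding constant in its halves."""
    lm_hash = lm_hash.strip().upper()
    if len(lm_hash) != 32 or any(c not in "0123456789ABCDEF" for c in lm_hash):
        return "invalid"
    first, second = lm_hash[:16], lm_hash[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no-lm-hash"        # LM storage disabled or blank password
    if second == EMPTY_LM_HALF:
        return "short-password"    # 1-7 characters: only the first half has content
    return "long-password"         # 8-14 characters: both halves carry content


def audit_dump(dump_text: str) -> dict:
    """Map each account name in a pwdump-style text to its LM classification."""
    findings = {}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4:
            findings[fields[0]] = "malformed"
            continue
        findings[fields[0]] = classify_lm(fields[2])
    return findings


if __name__ == "__main__":
    for user, verdict in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {verdict}")
```

Any account reported as short-password has an LM hash that exposes a seven-character-or-shorter password; accounts reported as long-password still carry a crackable LM hash and should be revisited after LM storage is disabled.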

3. A,B,C,D. A dictionary word can always be broken using brute force. 

4. D. The CANSPAM Act is an acronym for the Controlling the Assault of Non-Solicited Pornography and Marketing Act; the act attempts to prevent unsolicited spam. 

5. A. Network-Based Application Recognition is a Cisco IOS mechanism for controlling traffic through network ingress points. 

6. B. A way of locating Hotmail messages in Ethereal is to use a filter of email and Reply-to to find actual email messages. 

7. A. In a Smurf attack a large amount of ICMP echo request (ping) traffic is sent to an IP broadcast address, with a spoofed source IP address of the intended victim. IRC servers are commonly used to perpetuate this attack, so they are considered primary victims. 

8. D. The DNS reflector and amplification type of attack targets DNS servers directly. By adding amplification to the attack, many hosts send the attack traffic, resulting in a denial of service to the DNS servers. 

9. A. TCP operates at the Transport layer, or Layer 4 of the OSI model, and consequently a TCP/IP session hijack occurs at the Transport layer. 

10. D. Website cloaking is serving different web pages based on the source IP address of the user. 

11. A. Basic Authentication uses cleartext passwords. 

12. B. A protection against cross-site scripting is to secure the server scripts. 

13. A. Machine Authentication would require the host system to have a domain account that would only be valid for corporate PCs. 

14. C. Privilege escalation can be done through capturing and modifying cookies. 

15. A,B,C,D. Installing service packs, personal firewall software, and antivirus signatures should all be done prior to using a new computer on the network. 

16. A. Microsoft Baseline Security Analyzer is a patch management utility built into Windows for analyzing security. 

17. D. POST should be used instead of GET for web page posts. 

18. A,D. Stack- and heap-based are the two types of buffer overflow attacks. 

19. C. Polymorphic shellcode changes by using the XOR process to encrypt and decrypt the shellcode. 

20. A. Passwords are stored in the /etc/shadow file in Linux. 

21. B. IP fragmentation or session splicing is a way of defeating an IDS. 

22. A. A message is encrypted with a user’s private key so that only the user’s public key can decrypt the signature and the user’s identity can be verified. 

23. A. Every company should have an Information Security Policy. 

24. C. Netcat is a multiuse Unix utility for reading and writing across network connections.

25. D. Tripwire is a file and directory integrity checker.

26. B. nmap -sS creates a stealth scan and the -O switch performs operating system detection.

27. A. snort -c snort.conf indicates snort.conf is the config file containing snort rules.

28. E. strcat() does not perform bounds checking and creates a buffer overflow vulnerability.

29. C. SMB signing prevents SMB hijacking. 

30. A. Disgruntled employees are the biggest threat to a network. 

31. C. -O performs OS detection in Nmap. 

32. B. LM authentication can be disabled in the Windows Registry. 

33. D. ip.src== is the syntax to filter on a source IP address. 

34. B. The FIN flag is used to close a TCP/IP connection. 

35. A. ICMP Time Exceeded is type 11, code 0. 
