  1.  A target machine (with a MAC of 12:34:56:AB:CD:EF) is connected to a switch port. An attacker (with a MAC of 78:91:00:ED:BC:A1) is attached to a separate port on the same switch with a packet capture running. There is no spanning of ports or port security in place. Two packets leave the target machine. Message 1 has a destination MAC of E1:22:BA:87:AC:12. Message 2 has a destination MAC of FF:FF:FF:FF:FF:FF. Which of the following statements is true regarding the messages being sent?
A.  The attacker will see message 1.
B.  The attacker will see message 2.
C.  The attacker will see both messages.
D.  The attacker will see neither message.
  2.  You have successfully tapped into a network subnet of your target organization. You begin an attack by learning all significant MAC addresses on the subnet. After some time, you decide to intercept messages between two hosts. You begin by sending broadcast messages to Host A showing your MAC address as belonging to Host B. Simultaneously, you send messages to Host B showing your MAC address as belonging to Host A. What is being accomplished here?
A.  ARP poisoning to allow you to see all messages from both sides without interrupting their communications process
B.  ARP poisoning to allow you to see messages from Host A to Host B, and vice versa
C.  ARP poisoning to allow you to see messages from Host A destined to any address
D.  ARP poisoning to allow you to see messages from Host B destined to any address
E.  Failed ARP poisoning—you will not be able to see any traffic
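The exchange described in question 2, as an added example that is not part of the book: the attacker hands Host A a forged ARP reply saying "Host B's IP is at the attacker's MAC" and hands Host B one saying "Host A's IP is at the attacker's MAC", so both sides address their frames to the attacker. The code builds those two frames with the standard library, parses them back, and includes an arpwatch-style detector that reports an IP whose claimed MAC changes. All MAC and IP addresses are constructed, and the replies are sent unicast to each victim rather than broadcast.

```python
"""ARP cache poisoning (question 2) and a flip-flop detector for it.
Added example, not from the book; addresses are constructed."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply that says 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP (42 bytes minimum)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    return {
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def poison_pair(attacker_mac, host_a, host_b):
    """host_a and host_b are (mac, ip). Returns the two forged replies from question 2."""
    (a_mac, a_ip), (b_mac, b_ip) = host_a, host_b
    to_a = build_arp_reply(attacker_mac, b_ip, a_mac, a_ip)  # A now maps B's IP to the attacker
    to_b = build_arp_reply(attacker_mac, a_ip, b_mac, b_ip)  # B now maps A's IP to the attacker
    return to_a, to_b


def detect_poisoning(frames):
    """Report every IP that more than one MAC has claimed in ARP replies (arpwatch 'flip flop')."""
    seen = {}  # ip -> MACs that claimed it, in order of first appearance
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["opcode"] != ARP_REPLY:
            continue
        macs = seen.setdefault(arp["sender_ip"], [])
        if arp["sender_mac"] not in macs:
            macs.append(arp["sender_mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    # Constructed addresses: the MACs from question 1, made-up IPs.
    host_a = ("12:34:56:ab:cd:ef", "10.0.0.10")
    host_b = ("e1:22:ba:87:ac:12", "10.0.0.20")
    attacker = "78:91:00:ed:bc:a1"
    legit = build_arp_reply(host_b[0], host_b[1], host_a[0], host_a[1])
    to_a, to_b = poison_pair(attacker, host_a, host_b)
    for f in (legit, to_a, to_b):
        print(parse_arp(f))
    print("alerts:", detect_poisoning([legit, to_a, to_b]))
```

The detector only fires once it has seen the legitimate mapping, so it needs a baseline, and it will also fire on benign events such as a DHCP lease moving to a new host or a first-hop redundancy failover; treat it as a signal to investigate, not proof. Static ARP entries on the two hosts, or dynamic ARP inspection on the switch, stop the forged replies from taking effect at all.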
  3.  Sniffing network traffic can sometimes be a function of an investigation run by a law enforcement agency (LEA). Within the confines of the lawful intercept, what provides most of the processing of the information and is usually provided by a third party?
A.  IAP
B.  Collection function
C.  Wiretap
D.  Mediation device
  4.  An attacker has successfully tapped into a network segment and has configured port spanning for his connection, which allows him to see all traffic passing through the switch. Which of the following protocols protects any sensitive data from being seen by this attacker?
A.  FTP
B.  IMAP
C.  Telnet
D.  POP
E.  SMTP
F.  SSH
  5.  You have a large packet capture file in Wireshark to review. You wish to filter traffic to show all packets with an IP address of 192.168.22.5 that contain the string HR_admin. Which of the following filters would accomplish this task?
A.  ip.addr==192.168.22.5 &&tcp contains HR_admin
B.  ip.addr 192.168.22.5 && "HR_admin"
C.  ip.addr 192.168.22.5 &&tcp string ==HR_admin
D.  ip.addr==192.168.22.5 + tcp contains tide
  6.  Which of the following is a tool used for MAC spoofing?
A.  PromiScan
B.  NetWitness
C.  CACE
D.  SMAC
  7.  You are attempting to sniff traffic on a switch. Which of the following are good methods to ensure you are successful? (Choose all that apply.)
A.  Reboot the switch immediately after connecting.
B.  Implement port security.
C.  Configure a span port.
D.  Use MAC flooding.
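Questions 1 and 7 both come down to how a switch's MAC (CAM) table drives forwarding, so here is a small model of that behaviour as an added example, not code from the book. A frame to a learned unicast MAC leaves only the port where that MAC was learned; a broadcast leaves every other port; and once an attacker has filled the table with bogus source addresses and kept it full until the real entries age out, the switch can no longer learn the real hosts and floods their unicast traffic to every port, which is what MAC flooding relies on. The MAC addresses are the ones from question 1, the port numbers, table size and aging timer are constructed, and the table is deliberately tiny so the effect is visible.

```python
"""Learning switch model for questions 1 and 7.
Added example, not from the book; capacity and timers are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, cam_capacity=8, aging=300):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity   # number of MAC entries the table holds
        self.aging = aging                 # seconds an idle entry survives
        self.cam = {}                      # mac -> [port, last_seen]

    def _expire(self, now):
        stale = [mac for mac, (_, seen) in self.cam.items() if now - seen > self.aging]
        for mac in stale:
            del self.cam[mac]

    def forward(self, in_port, src_mac, dst_mac, now):
        """Forward one frame arriving on in_port; return the set of egress ports."""
        self._expire(now)
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = [in_port, now]     # learn or refresh the source
        # else: the table is full, so the source is not learned
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return {p for p in self.ports if p != in_port}   # flood
        return {self.cam[dst_mac][0]}


def mac_flood(switch, attacker_port, count, now):
    """Send `count` frames with distinct bogus locally administered source MACs."""
    for i in range(count):
        bogus = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        switch.forward(attacker_port, bogus, BROADCAST, now)


def scenario():
    """Target on port 1, the E1:22 host on port 2, attacker on port 3."""
    target, peer, attacker_port = "12:34:56:ab:cd:ef", "e1:22:ba:87:ac:12", 3
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=8, aging=300)
    sw.forward(2, peer, BROADCAST, now=0)          # the switch learns the peer on port 2
    result = {
        "unicast_before": sw.forward(1, target, peer, now=1),        # question 1, message 1
        "broadcast_before": sw.forward(1, target, BROADCAST, now=1), # question 1, message 2
    }
    for t in (2, 102, 202, 302):                   # question 7: keep the table full
        mac_flood(sw, attacker_port, 20, now=t)    # until the real entries age out
    result["unicast_after"] = sw.forward(1, target, peer, now=400)
    result["real_macs_in_cam"] = sorted(m for m in sw.cam if m in (target, peer))
    return result


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Before the flood the unicast to E1:22:BA:87:AC:12 reaches port 2 only and the broadcast reaches ports 2 and 3, so the attacker's capture on port 3 sees the second message and not the first; after the flood the same unicast is delivered to ports 2 and 3. A real CAM table holds thousands of entries, which is why tools such as macof send a very high rate of random-source frames; port security (answer B in question 7) caps the number of addresses learned per port and is the defence against this, not a way to help the sniffer.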
  8.  Which of the following are modes Snort can operate in? (Choose all that apply.)
A.  Sniffer
B.  Spoofing
C.  Packet Logger
D.  Network IDS
  9.  Examine the following Snort rule:
[Snort rule: image not reproduced]
Which of the following are true regarding the rule? (Choose all that apply.)
A.  This rule will alert on packets coming from the designated home network.
B.  This rule will alert on packets coming from outside the designated home address.
C.  This rule will alert on packets designated for any port, from port 23, containing the “admin” string.
D.  This rule will alert on packets designated on port 23, from any port, containing the “admin” string.
10.  You wish to begin sniffing, and you have a Windows 7 laptop. You download and install Wireshark, but quickly discover your NIC needs to be in “promiscuous mode.” What allows you to put your NIC into promiscuous mode?
A.  Installing lmpcap
B.  Installing npcap
C.  Installing winPcap
D.  Installing libPcap
E.  Manipulating the NIC properties through Control Panel, Network and Internet, Change Adapter Settings.
11.  You are attempting to deliver a payload to a target inside the organization; however, it is behind an IDS. You are concerned about successfully accomplishing your task without alerting the IDS monitoring team. Which of the following methods are possible options? (Choose all that apply.)
A.  Flood the network with fake attacks.
B.  Encrypt the traffic between you and the host.
C.  Session hijacking.
D.  Session splicing.
12.  A pen test member has gained access to an open switch port. He configures his NIC for promiscuous mode and sets up a sniffer, plugging his laptop directly into the switch port. He watches traffic as it arrives at the system, looking for specific information to possibly use later. What type of sniffing is being practiced?
A.  Active
B.  Promiscuous
C.  Blind
D.  Passive
E.  Session
13.  Tcpdump is a popular packet capture sniffer. Examine the following segment of a tcpdump capture (note the capture only shows one side of the communication):
[tcpdump capture: image not reproduced]
What can you gather from this capture? (Choose all that apply.)
A.  The FTP connection is from 192.168.1.12 to the local host.
B.  The FTP connection is from the local host to 192.168.5.12.
C.  The FTP connection was unsuccessful.
D.  The FTP authentication credentials are clearly visible.
14.  What does this line from the Snort configuration file indicate?
[Snort configuration line: image not reproduced]
A.  The configuration variable is not in proper syntax.
B.  It instructs the Snort engine to write rule violations in this location.
C.  It instructs the Snort engine to compare packets to the rule set named “rules.”
D.  It defines the location of the Snort rules.
15.  As part of a security monitoring team, Joe is reacting to an incursion into the network. The attacker successfully exploited a vulnerability on an internal machine, and Joe is examining how the attacker succeeded. He reviews the IDS logs but sees no alerts for the time period; however, there is definitive proof of the attack. Which IDS shortcoming does this refer to?
A.  False acceptance rate
B.  False negative
C.  Session splicing
D.  False positive
16.  Examine the Snort output shown here:
[Snort output: image not reproduced]
Which of the following is true regarding the packet capture?
A.  The capture indicates a NOP sled attack.
B.  The capture shows step 2 of a TCP handshake.
C.  The packet source is 213.132.44.56.
D.  The packet capture shows an SSH session attempt.
17.  Your IDS sits on the network perimeter and has been analyzing traffic for a couple of weeks. On arrival one morning, you find the IDS has alerted on a spike in network traffic late the previous evening. Which type of IDS are you using?
A.  Stateful
B.  Snort
C.  Passive
D.  Signature based
E.  Anomaly based
18.  You are performing an ACK scan against a target subnet. You previously verified connectivity to several hosts within the subnet, but want to verify all live hosts on the subnet. Your scan, however, is not receiving any replies. Which type of firewall is most likely in use at your location?
A.  Packet filtering
B.  IPS
C.  Stateful
D.  Active
19.  You are separated from your target subnet by a firewall. The firewall is correctly configured and only allows requests through to ports opened by the administrator. In firewalking the device, you find that port 80 is open. Which technique could you employ to send data and commands to or from the target system?
A.  Encrypt the data to hide it from the firewall.
B.  Use session splicing.
C.  Use MAC flooding.
D.  Use HTTP tunneling.
20.  Which of the following tools are useful in identifying potential honeypots on a subnet? (Choose all that apply.)
A.  Wireshark
B.  Ettercap
C.  Nessus
D.  Send-Safe HH
E.  Nmap
21.  Examine the Wireshark filter shown here:
[Wireshark filter: image not reproduced]
Which of the following correctly describes the capture filter?
A.  The results will display all traffic from 192.168.1.1 destined for port 80.
B.  The results will display all HTTP traffic to 192.168.1.1.
C.  The results will display all HTTP traffic from 192.168.1.1.
D.  No results will display due to invalid syntax.
22.  You need to put the NIC into listening mode on your Linux box, capture packets, and write the results to a log file named my.log. How do you accomplish this with tcpdump?
A.  tcpdump -i eth0 -w my.log
B.  tcpdump -l eth0 -c my.log
C.  tcpdump /i eth0 /w my.log
D.  tcpdump /l eth0 /c my.log
23.  Which of the following tools can assist with IDS evasion? (Choose all that apply.)
A.  Whisker
B.  Fragroute
C.  Capsa
D.  Wireshark
E.  ADMmutate
F.  Inundator
24.  Which command puts Snort into packet logger mode?
A.  ./snort -dev -l ./log
B.  ./snort -v
C.  ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
D.  None of the above
25.  Examine the following hex dump of a packet capture:
[hex dump: image not reproduced]
What does this packet capture show?
A.  An ARP spoofing attempt
B.  A Unicode IDS evasion attempt
C.  An FTP session authentication
D.  A ping sweep
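Questions 4, 13 and 25 all turn on the same point: FTP (like Telnet, POP, IMAP and SMTP without TLS) carries its login in the clear, so anyone who can read the capture can read the credentials, and a hex dump is enough to recover them. This added example, not from the book, shows the work: it splits a `tcpdump -x` style dump into packets, decodes the IPv4 and TCP headers (verifying both checksums), and pulls USER and PASS out of the client-to-server FTP control stream. `SAMPLE_DUMP` is constructed for this example using the two addresses from question 13's answer choices, a made-up login, and checksums computed so the decoder's verification passes.

```python
"""Recovering FTP credentials from a tcpdump hex dump (questions 4, 13, 25).
Added example, not from the book; SAMPLE_DUMP is constructed."""
import struct

# Constructed tcpdump -x output (IP header onward): a client logging in to FTP.
SAMPLE_DUMP = """\
10:01:02.000001 IP 192.168.1.12.49152 > 192.168.5.12.21: Flags [P.], seq 1:13, ack 1, win 8192, length 12
    0x0000:  4500 0034 0001 4000 4006 b35a c0a8 010c
    0x0010:  c0a8 050c c000 0015 0000 0001 0000 0001
    0x0020:  5018 2000 b060 0000 5553 4552 2061 6c69
    0x0030:  6365 0d0a
10:01:02.000002 IP 192.168.1.12.49152 > 192.168.5.12.21: Flags [P.], seq 13:26, ack 33, win 8192, length 13
    0x0000:  4500 0035 0002 4000 4006 b358 c0a8 010c
    0x0010:  c0a8 050c c000 0015 0000 000d 0000 0021
    0x0020:  5018 2000 6035 0000 5041 5353 2073 3363
    0x0030:  7265 740d 0a
"""


def ones_complement_sum(data):
    """Internet checksum arithmetic (RFC 1071); data that includes a valid checksum sums to 0xffff."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def parse_hexdump(text):
    """Split tcpdump -x output into raw IP packets; any non-hex line starts a new packet."""
    packets, hexbuf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("0x"):
            hexbuf.append(line.split(":", 1)[1].replace(" ", ""))
        elif hexbuf:
            packets.append(bytes.fromhex("".join(hexbuf)))
            hexbuf = []
    if hexbuf:
        packets.append(bytes.fromhex("".join(hexbuf)))
    return packets


def decode_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers of one packet; returns None for anything that is not IPv4/TCP."""
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0f) * 4
    if version != 4 or pkt[9] != 6:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    data_off = (seg[12] >> 4) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))   # TCP pseudo-header
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "flags": seg[13] & 0x3f,
        "payload": seg[data_off:],
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xffff,
        "tcp_checksum_ok": ones_complement_sum(pseudo + seg) == 0xffff,
    }


def extract_ftp_credentials(packets):
    """Collect USER and PASS from client-to-server FTP control traffic (destination port 21)."""
    found = {}
    for pkt in packets:
        d = decode_ipv4_tcp(pkt)
        if d is None or d["dport"] != 21:
            continue
        found.setdefault("client", d["src"])
        found.setdefault("server", d["dst"])
        for line in d["payload"].decode("ascii", errors="replace").split("\r\n"):
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                found["user"] = arg
            elif cmd.upper() == "PASS":
                found["password"] = arg
    return found


if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    for p in pkts:
        d = decode_ipv4_tcp(p)
        print(d["src"], "->", d["dst"], d["dport"], d["payload"])
    print(extract_ftp_credentials(pkts))
```

Direction matters when reading a dump like question 13's: the host sending to port 21 is the client, so the credentials belong to it, and the server's "230" or "530" reply (not present in this sample) is what tells you whether the login succeeded. The same decoder run against an SSH session (question 4, answer F) would hand back only ciphertext after the key exchange, which is the whole point of preferring it.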