Q381. Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information of have any technical details online. 

Within the context of penetration testing methodology, what phase is Bob involved with? 

A. Passive information gathering 

B. Active information gathering 

C. Attack phase 

D. Vulnerability Mapping 

Answer: A

Explanation: He is gathering information and as long as he doesn’t make contact with any of the targets systems he is considered gathering this information in a passive mode. 


Q382. John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately. 

What would you suggest to John to help identify the OS that is being used on the remote web server? 

A. Connect to the web server with a browser and look at the web page. 

B. Connect to the web server with an FTP client. 

C. Telnet to port 8080 on the web server and look at the default page code. 

D. Telnet to an open port and grab the banner. 

Answer: D

Explanation: Most people don’t care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application. 


Q383. Ethereal works best on ____________. 

A. Switched networks 

B. Linux platforms 

C. Networks using hubs 

D. Windows platforms 

E. LAN's 

Answer: C

Explanation: Ethereal is used for sniffing traffic. It will return the best results when used on an unswitched (i.e. hub. network. 


Q384. Pandora is used to attack __________ network operating systems. 

A. Windows 

B. UNIX 

C. Linux 

D. Netware 

E. MAC OS 

Answer: D

Explanation: While there are not lots of tools available to attack Netware, Pandora is one that can be used. 


Q385. Why attackers use proxy servers? 

A. To ensure the exploits used in the attacks always flip reverse vectors 

B. Faster bandwidth performance and increase in attack speed 

C. Interrupt the remote victim's network traffic and reroute the packets to attackers machine 

D. To hide the source IP address so that an attacker can hack without any legal corollary 

Answer: D


Q386. A file integrity program such as Tripwire protects against Trojan horse attacks by: 

A. Automatically deleting Trojan horse programs 

B. Rejecting packets generated by Trojan horse programs 

C. Using programming hooks to inform the kernel of Trojan horse behavior 

D. Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse 

Answer: D

Explanation: Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the original database and get a report of all the files that have been modified, deleted or added. This comes in handy if you allow other people access to your machine and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc. 


Q387. To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detection system will log the traffic. What type of scan is Winston attempting here? 

A. Winston is attempting to find live hosts on your company's network by using an XMAS scan. 

B. He is utilizing a SYN scan to find live hosts that are listening on your network. 

C. This type of scan he is using is called a NULL scan. 

D. He is using a half-open scan to find live hosts on your network. 

Answer: D


Q388. John is using a special tool on his Linux platform that has a signature database and is therefore able to detect hundred of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts. Additionally, the database detects DDoS zombies and Trojans. What would be the name of this multifunctional tool? 

A. nmap 

B. hping 

C. nessus 

D. make 

Answer: C

Explanation: Nessus is the world's most popular vulnerability scanner, estimated to be used by over 75,000 organizations world-wide. Nmap is mostly used for scanning, not for detecting vulnerabilities. Hping is a free packet generator and analyzer for the TCP/IP protocol and make is used to automatically build large applications on the *nix plattform. 


Q389. Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. 

In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full? 

A. Switch then acts as hub by broadcasting packets to all machines on the network 

B. The CAM overflow table will cause the switch to crash causing Denial of Service 

C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF 

D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port 

Answer: A


Q390. Lori has just been tasked by her supervisor conduct vulnerability scan on the corporate network. She has been instructed to perform a very thorough test of the network to ensure that there are no security holes on any of the machines. Lori’s company does not own any commercial scanning products, so she decides to download a free one off the Internet. Lori has never done a vulnerability scan before, so she is unsure of some of the settings available in the software she downloaded. One of the option is to choose which ports that can be scanned. Lori wants to do exactly what her boos has told her, but she does not know ports should be scanned. 

If Lori is supposed to scan all known TCP ports, how many ports should she select in the software? 

A. 65536 

B. 1024 

C. 1025 

D. Lori should not scan TCP ports, only UDP ports 

Answer: A

Explanation: In both TCP and UDP, each packet header will specify a source port and a destination port, each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).