Deck 5: Networks and Services

A) ethereal
B) promiscap
C) winpcap
D) libpcap

A) 2 Billion
B) 3.4 Million
C) 4.3 Billion
D) 16.7 Million

A) Smurfing
B) Spoofing
C) Man in the Middle
D) Session hijacking

A) macof
B) dsniff
C) sniffof
D) sniffit

A) L0phtcrack does not do this, he needs to use 0phtcrack
B) He is sniffing on a segment that is using only IP Security Traffic in ESP mode
C) He is sniffing on a fiber optic network
D) His network interface is in promiscuous mode

A) TCPFlow
B) TShark
C) Mergecap
D) Text2pcap

A) 501-851
B) 500-850
C) 350-500
D) 501-801

A) tcp.flags == 0x12
B) tcp.flags = = 0x29
C) proto.flags == UPF
D) tcp.flags == 29

A) The first bit of the first byte is not set, which indicates this frame is multicast
B) The first bit if the fist byte is set, which indicates this frame is multicast
C) The second bit of the first byte is set, which means this is a virtual machine interface
D) The second bit of the first byte is set, meaning the MAC address has been assigned locally

A) FTP
B) POP3
C) MAPI
D) IMAP

A) This can also be done using a modified smbclient tool that does not hash an entered password, it will just directly send the hash that Janet captured
B) Janet can also use a tool such as smbrelay to become an SMB proxy and capture credentials that
Way
C) The traffic that Janet sniffed did not include a challenge, if it did the technique is still not impossible just involves more steps
D) Because Microsoft uses techniques such as SMB Signing, Kerberos Timestamps, and Challenges that are used to create unique MAC (Message Authentication Code)s. The Pass-the-hash technique is mostly a proof of concept that works in theory but not in practice.

A) ARP Poisoning
B) MAC Flooding
C) MAC Spoofing
D) SMAC Fueling

A) host 192.168.1.1 and not (port 80 or port 25)
B) host 192.168.1.1 and not port 80 and not port 25
C) ip.addr 192.168.1.1 && ! tcp.port == 80 && ! tcp.port == 25
D) ip.addr 192.168.1.1 & ! tcp.port = 80 & ! tcp.port = 25

A) Replay attack
B) Injection attack
C) Spoof Attack
D) WAP Attack

A) Rogue WAP
B) Drive-by
C) WEP Attack
D) Denial of Service

A) TCP error checking effectively speeds up the network. Since there will be fewer retransmissions the speed will surpass the speed of the wired network.
B) The resulting speed will be about 6Mbps. Since the Ethernet in the hotel is 10Mbps, accounting for several users at the same time, a throttle speed makes sense.
C) Error checking is part of the TCP protocol already. Network speed measures bits, the overhead that gets delivered are bits too.
D) Her boss is correct, and the whole project should just get scraped. Let someone else deal with these difficult customers.

A) Train users in the new policy
B) Implement signal jamming technology
C) Survey the area using a tool such as WiSpy, create a baseline and investigate the rest.
D) Disable wireless protocols at the firewall
E) Set penalties for those who create WAPs without approval

A) 600Mbps
B) 54Mbps
C) 108Mbps
D) 11Mbps

A) Secure Set Identifier Determination
B) Secure Service Identification Detection
C) A security vulnerability
D) A password

A) WEP
B) A Layer 2 Firewall
C) MAC address filtering
D) Proper placement of the antennas

A) Yagi
B) Reflector
C) Onmidirectional
D) King / Hanneman

A) Setup a sniffer to capture SSIDs in the area?
B) Try to connect using default SSIDs
C) It is impossible to connect to a wireless network without knowing the SSID
D) Since SSIDs are encrypted, she needs to use a cracking tool

A) Ministumbler
B) Netstumbler
C) Kismet
D) Kismac

A) TCP / IP
B) OSA / AES
C) WPA / FSK
D) OSA / PSK

A) WEPCrack
B) coWPAtty
C) WPACrack
D) Airfart

A) Airsnort
B) LIDZ
C) WIDS
D) WIPS

A) Warxing
B) Bored
C) Flexible
D) Diligent

A) Denial of service attacks are always a threat but they are hard to prevent. A proper incident response plan must also be established
B) Associating with a WAP only secures the hosts. The users operating the hosts are a whole separate
Issue.
C) WEP provides similar functionality to a network switch. Sniffing is then improbable so that is one threat that is no longer an issue. Key distribution is the most important challenge at this point.
D) Interference with other items within the 2.4Ghz band might cause issues. It is important to select a channel within the range that is less populated.

A) CSS
B) XSS
C) Buffer Overflow
D) Code Injection

A) THC-Hydra
B) John the ripper
C) Brutus
D) Nikto

A) A set of specifications for creating web based applications
B) A way to create enhanced special effects for movies
C) A language used in the logic layer of a web application
D) A set of standards that goern the design of databases for web applications

A) http://www.example.dom/msadc/..%5c../..%5c../..%5c/..Á_../..Á_../..Á_../winnt/system32/cmd.exe
B)
Http://www.example.dom?search.pl?lname=doe%27%3bupdate%20usertable%20set%passwd%3d%27% P0wn3d--%00
C) http://www.example.dom?search.pl?lname=%3Cscript%3E%alert("P0wn3d")3C%2Fscript%3E
D) http://www.example.dom/scripts/..%2f..%2f../winnt/system32/cmd.exe?c+dir

A) Whisker
B) Burpsuite
C) N-Stealth
D) HTTrack
E) Nikto F. Kismet

A) Visitors enjoy it when one page of content is broken up into 5 pages. They get to click often and we get to show more advertisements. It is the best way to avoid making enimies
B) Never decorate text with the color blue or green as visitors will think these are links and spend all day trying to click them, they will get angry and DoS us.
C) Most application vulnerabilities stem from a lack of sanitizing input. They will be his fault, but no pressure.
D) Section 508 details all security best practices. It will get him up to speed

A) He can turn on SSL support in his browser, that way the encrypted requests will be hidden from the
IDS
B) He can send his requests from random spoofed IPs so the server wouldn't think they are all coming from the same source
C) He can create a persistant cookie that tells the web server to ignore failed logins
D) If there is a hidden form field that stores the "retries" count, he can modify the source code to avoid the threshold

A) Parameter manipulation
B) Cookie triangulation
C) Cookie hijacking
D) Cookie stealing

A) IUSR_[computer name]
B) Administrator
C) The user that installed IIS
D) The permission you have when launching the attack

A) The attack should work as stated.
B) There is a NAT firewall preventing this activity
C) Dylan cannot spoof his address over HTTP
D) The server will send all replies back to the spoofed IP.

A) User input is not sanitized
B) The email address is not valid
C) The Databse server on the backend of the site is down
D) The ISP is traffic shaping again and made a mistake

A) 127.45.83.218
B) 127.45.82.219
C) 127.44.83.219
D) 127.44.83.218

A) .htaccess file
B) robots.txt file
C) set permissions on the directories to deny spiders read access
D) Require a login page

A) She needs to understand that these pop ups are pat of using the internet and that it is impolaite to block them because the sites she is visiting for free depend on them for revenue.
B) SP2 upgrade with the windows firewall enabled
C) She needs to use Linux instead
D) She needs to modify the hosts file daily to point all addresses that generate the pop-ups to 0.0.0.0 to keep them from resolving.

A) XSS
B) directory traversal
C) showcode.asp
D) Nimda

A) ACK Scan to port 80
B) Snort alerts noticing strange events
C) Sequence numbers are random, indicating custom packets
D) TTL of 44 is too low, this is a firewalk scan

A) Allow web requests to be routed
B) Accept only packet that are destined for port 53 and port 80
C) Append the FORWARD table with a jump (-j) rule that send this traffic to the IDS
D) Nothing, since -p is the option for port number and that is not how these commands were written

A) IDS Wakeup
B) TCP Slice
C) Win Dump
D) WinpCap

A) An alert is generated when a packet originates from anywhere and destined for any IP and port 111
B) An alert is generated when a packet orginates from port 111 and destined for any IP and port
C) An alert is generated when the string 00 01 6 A5 is seen in the payload
D) An alert is generated when the command mountd access is seen in a packet that is destined for port
111

A) Firewall footprinting
B) Firewalking
C) Firewall enumeration
D) Bounce scanning

A) Application proxy is in use
B) A stateful inspection firewall
C) A load balancer or cluster
D) A honeypot is returning deliberately confusing results

A) GFI Guard
B) NMap
C) Genius
D) Snort

A) Created a "Honeypot"
B) Setup a network "Tar Pit"
C) Configured a "Black Hole Trap"
D) Created a "Honey Token"

A) url snarf
B) mget
C) wget
D) black spider

A) Fragroute
B) tcpfrag
C) rcpdump
D) fragtraf

A) NIDS will not respond to scans by default, detection is not possible
B) Set the IP address of the tap to be the same as the gateway
C) Have two NICS, and make sure the tap is not bound to the IP stack
D) Use a receive only cable on the tap

A) Kismet
B) Strataguard
C) Snortsam
D) Tripwire

A) Use Arpwall to block ARP spoofing attacks
B) VLANs
C) Static ARP configurations
D) Detection of large amounts of ARP traffic

A) Alert tcp any any -> any any 21 (content:"user root"; msg:"FTP Login attempt";)
B) Alert ftp -> any port 21 (content:"user login";)
C) -A INPUT -j LOG -dport 21 -p TCP
D) Tcp.port == 21 && host eq any

A) Implement an IDS to block this flag combination
B) Use port sentry to detect and block port scans
C) Use an IPS to react to the scan by blocking traffic from that source address
D) xmas scans are an outdated technique that won't work anyway. He shouldn't worry about it

A) nc -l -u -p 8080 > /home/tiger/foo.txt
B) nc -l -u -p 8080 < /home/tiger/foo.txt
C) nc -l 8080 -u -p < /home/tiger/foo.txt
D) nc -l 1080 -u -p < /home/tiger/foo.txt

A) Pattern Matching
B) A flux capacitor
C) Real Time Anomaly Detection
D) Statistical Based Analyzer

A) 00-00-00-00-00-00
B) FF-FF-FF-FF-FF-FFF
C) 01-00-0C-CC-CC-CC
D) 01-46-02-7B-45-AD

A) USER, NICK
B) PING, USER
C) USER, JOIN
D) QUERY, JOIN