Q361. John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool? 

A. hping2 

B. nessus 

C. nmap 

D. make 

Answer: B


Q362. What are the four steps is used by nmap scanning? 

A. DNS Lookup 

B. ICMP Message 

C. Ping 

D. Reverse DNS lookup 

E. TCP three way handshake 

F. The Actual nmap scan 

Answer: ACDF

Explanation: Nmap performs four steps during a normal scan of a named target: it resolves the target name (DNS lookup), checks whether the host is up (ping / host discovery), resolves the addresses of live hosts back to names (reverse DNS lookup), and then runs the actual port scan. Each step can be modified or disabled from the command line, for example -Pn skips host discovery and scans every address as if it were up, -n disables reverse DNS, and -R forces reverse DNS for every target.


Q363. You have chosen a 22 character word from the dictionary as your password. How long will it take to crack the password by an attacker? 

A. 5 minutes 

B. 23 days 

C. 200 years 

D. 16 million years 

Answer: A

Explanation: A dictionary password cracker takes a list of dictionary words and, one at a time, hashes each with the same one-way function the system uses and compares the result to the stored hash. If the hashes match, the password is cracked and the word just tried is the password. The number of attempts is bounded by the size of the word list, not by the length of the password, so a 22-character word falls as quickly as a 6-character one. As long as the password is a dictionary word, or a simple variation of one, it is weak.
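The following is an added example, not part of the original question set, showing why word length is irrelevant against a dictionary attack. The word list and the target hashes are constructed here; SHA-256 stands in for whatever one-way hash the target system uses. The mangling rules (capitalisation and a trailing digit) are a small illustration of how "similar to a dictionary word" passwords are also covered.

```python
import hashlib

# Constructed stand-in for a real dictionary file. The 22-character entry
# costs the attacker no more than the short ones.
WORDLIST = [
    "password",
    "letmein",
    "sunshine",
    "electroencephalographs",  # 22 characters, still one dictionary entry
    "dragon",
]


def sha256_hex(candidate):
    """Hash function assumed for the example; swap in the target's real hash."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def mangle(word):
    """Yield the common variations crackers try for each dictionary word:
    the word itself, Capitalised, UPPER, and each of those with a trailing digit."""
    bases = (word, word.capitalize(), word.upper())
    for base in bases:
        yield base
    for base in bases:
        for digit in range(10):
            yield f"{base}{digit}"


def candidates(wordlist):
    """Expand every word in the list into its mangled variants, in order."""
    for word in wordlist:
        yield from mangle(word)


def dictionary_crack(target_hash, wordlist, hash_fn=sha256_hex):
    """Return (cracked_password, attempts) or (None, attempts) if the list is exhausted.

    The work done is proportional to the number of candidates, never to the
    length of the password, which is why a long dictionary word is weak."""
    attempts = 0
    for candidate in candidates(wordlist):
        attempts += 1
        if hash_fn(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed "stolen" hashes for the demonstration.
    for secret in ("electroencephalographs", "Sunshine1", "Tr0ub4dor&3"):
        found, tries = dictionary_crack(sha256_hex(secret), WORDLIST)
        print(f"{secret!r}: {'cracked as ' + repr(found) if found else 'not in list'} after {tries} attempts")
```

Each word expands to 33 candidates here; a real cracker applies far more rules and uses lists of millions of words, but the cost model is the same: attempts scale with the list, not with the length of what is being guessed.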


Q364. Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the compromised account to one with higher privileges, such as that of an administrator. What would be the best countermeasure to protect against escalation of privileges? 

A. Give users tokens 

B. Give user the least amount of privileges 

C. Give users two passwords 

D. Give users a strong policy document 

Answer: B

Explanation: Apply the principle of least privilege. An account that holds only the privileges its user needs gives an attacker less to work with after compromise, so escalating to administrator is harder.


Q365. Which of the following should be performed first in any penetration test? 

A. System identification 

B. Intrusion Detection System testing 

C. Passive information gathering 

D. Firewall testing 

Answer: C


Q366. You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges? 

A. Administrator 

B. IUSR_COMPUTERNAME 

C. LOCAL_SYSTEM 

D. Whatever account IIS was installed with 

Answer: C

Explanation: On a default IIS 5.0 installation on Windows 2000 the web service process, inetinfo.exe, runs as LocalSystem (NT AUTHORITY\SYSTEM). A shell spawned by an exploit running inside that process inherits its token, so the shell runs as LOCAL_SYSTEM and no further elevation is needed.


Q367. John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately. 

What would you suggest to John to help identify the OS that is being used on the remote web server? 

A. Connect to the web server with a browser and look at the web page. 

B. Connect to the web server with an FTP client. 

C. Telnet to port 8080 on the web server and look at the default page code. 

D. Telnet to an open port and grab the banner. 

Answer: D

Explanation: Most administrators never change the banners that applications present on open ports, so connecting to an open port with a plain TCP client such as telnet and reading the banner usually yields an accurate service version, from which the operating system can often be inferred (for example, an IIS version maps to a particular Windows release). Treat the result as a hint, not proof: banners can be edited or faked, which is also why nmap's -O fingerprinting looks at TCP/IP stack behaviour rather than text.
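The banner grab described above, as an added example that is not part of the original question set. To keep it runnable offline it starts a throwaway TCP listener on localhost that replies with a constructed IIS-style response; against a real target you would point grab_banner at the host and port instead. The OS_HINTS table is a small assumed mapping from well-known banner strings to the platforms they ship with, not an exhaustive fingerprint database.

```python
import socket
import threading

# Constructed response standing in for a real server; not captured from a live host.
FAKE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Assumed banner-to-platform hints; IIS 5.0 shipped with Windows 2000, IIS 6.0
# with Windows Server 2003. Order matters: more specific keys come first.
OS_HINTS = {
    "Microsoft-IIS/5.0": "Windows 2000",
    "Microsoft-IIS/6.0": "Windows Server 2003",
    "Microsoft-IIS": "Windows (version unknown)",
    "(Ubuntu)": "Ubuntu Linux",
    "(Debian)": "Debian Linux",
    "(Win32)": "Windows",
    "(Unix)": "Unix-like",
}


def start_fake_server(response):
    """Listen once on 127.0.0.1, answer the first connection with `response`, then close.
    Returns the ephemeral port so the client knows where to connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(1024)  # consume the client's probe, if it sends one
            except socket.timeout:
                pass
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=3.0):
    """Connect, optionally send a probe, and read whatever the service says until it
    closes or goes quiet. HTTP needs a request; SMTP, FTP and SSH speak first, so pass
    probe=b"" for those and rely on the timeout."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if probe:
            sock.sendall(probe)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("latin-1", "replace")


def server_header(banner):
    """Pull the Server: header value out of an HTTP response, or None if absent."""
    for line in banner.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def os_hint(server_value):
    """Map a Server header to a platform guess using the assumed OS_HINTS table."""
    if not server_value:
        return "unknown"
    for key, platform in OS_HINTS.items():
        if key in server_value:
            return platform
    return "unknown"


if __name__ == "__main__":
    port = start_fake_server(FAKE_RESPONSE)
    banner = grab_banner("127.0.0.1", port)
    server = server_header(banner)
    print(f"Server header: {server!r}; likely platform: {os_hint(server)}")
```

The same loop works against a real host with `grab_banner("target", 80)`; nmap's -sV does this with a much larger probe and match database. Whatever the banner says, confirm it with a second signal (TCP/IP fingerprinting, TTL values, error-page formatting) before relying on it.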


Q368. Which of the following ICMP message types are used for destinations unreachables? 

A. 0 

B. 3 

C. 11 

D. 13 

E. 17 

Answer: B

Explanation: ICMP type 3 is Destination Unreachable; its code field says why (for example code 1 host unreachable, code 3 port unreachable, code 13 communication administratively prohibited, which is what a filtering router returns). Of the other options, type 0 is Echo Reply, type 8 is Echo Request, type 11 is Time Exceeded, type 13 is Timestamp Request and type 17 is Address Mask Request. Knowing these types is advisable for the test and for reading scan output. 
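As an added example that is not part of the original question set, here is a small ICMP header builder and parser covering the types listed above and the Destination Unreachable codes a scanner cares about. The packets are constructed in memory; nothing is sent on the wire, so it runs without raw-socket privileges. The type and code names follow RFC 792 and RFC 1812; the checksum is the standard Internet one's-complement sum over the whole ICMP message.

```python
import struct

ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    8: "Echo Request",
    11: "Time Exceeded",
    13: "Timestamp Request",
    14: "Timestamp Reply",
    17: "Address Mask Request",
    18: "Address Mask Reply",
}

# Codes for type 3. A UDP scan reads code 3 as "port closed" and code 13 as "filtered".
UNREACHABLE_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF Set",
    5: "Source Route Failed",
    9: "Network Administratively Prohibited",
    10: "Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

TIME_EXCEEDED_CODES = {
    0: "TTL Exceeded in Transit",
    1: "Fragment Reassembly Time Exceeded",
}


def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Assemble an ICMP message with a correct checksum.

    `rest` is the 4-byte field after the checksum (unused for most type 3 codes, the
    identifier/sequence for echo). For type 3 and 11 the payload carries the IP header
    and first 8 bytes of the datagram that triggered the error."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(data):
    """Decode an ICMP message into type/code names and verify its checksum.
    Recomputing the checksum over a message that includes its own checksum yields 0
    when the message is intact."""
    if len(data) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(data))
    icmp_type, code, _csum = struct.unpack("!BBH", data[:4])
    code_name = None
    if icmp_type == 3:
        code_name = UNREACHABLE_CODES.get(code, "Unknown code %d" % code)
    elif icmp_type == 11:
        code_name = TIME_EXCEEDED_CODES.get(code, "Unknown code %d" % code)
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "Unknown type %d" % icmp_type),
        "code": code,
        "code_name": code_name,
        "checksum_ok": icmp_checksum(data) == 0,
        "payload": data[8:],
    }


# Constructed quoted datagram: a 20-byte IPv4 header plus 8 bytes of a UDP header,
# as a router would echo back inside a Destination Unreachable message.
QUOTED_DATAGRAM = bytes.fromhex(
    "4500001c000040004011f0000a000001c0a80001"  # IPv4 header (values constructed)
    "d43100350008abcd"                           # UDP src 54321 -> dst 53, length 8
)

if __name__ == "__main__":
    pkt = build_icmp(3, 3, payload=QUOTED_DATAGRAM)  # port unreachable
    info = parse_icmp(pkt)
    print(info["type_name"], "/", info["code_name"], "checksum ok:", info["checksum_ok"])
```

A UDP scanner uses exactly this decode: type 3 code 3 back from the target means the port is closed, type 3 code 13 (or silence) means something is filtering, and no reply at all is why UDP scans are slow and ambiguous.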


Q369. _______ is one of the programs used to wardial. 

A. DialIT 

B. Netstumbler 

C. TooPac 

D. Kismet 

E. ToneLoc 

Answer: E

Explanation: ToneLoc is one of the programs used to wardial, that is, to dial ranges of phone numbers looking for answering modems. While this is considered an "old school" technique, it is still effective at finding backdoors and out-of-band network entry points such as forgotten maintenance modems. Netstumbler and Kismet are wireless network discovery tools, not wardialers. 


Q370. What does black box testing mean? 

A. You have full knowledge of the environment 

B. You have no knowledge of the environment 

C. You have partial knowledge of the environment 

Answer: B

Explanation: Black box testing is conducted when the tester has no prior knowledge of the environment and must discover it, which most closely simulates an external attacker. Because reconnaissance has to be done from scratch, it is more time consuming and expensive than a white box (full knowledge) or grey box (partial knowledge) test.