Q691 - You are a Penetration Tester and are assigned to scan a server. You need to use a scanning technique wherein the TCP Header is split into many packets so that it becomes difficult to detect what the packets are meant for. Which of the below scanning technique will you use?

1. ACK flag scanning
2. TCP Scanning
3. IP Fragment Scanning
4. Inverse TCP flag scanning

Q692 - You've just discovered a server that is currently active within the same network with the machine you recently compromised. You ping it but it did not respond. What could be the case?

1. TCP/IP doesn't support ICMP
2. ARP is disabled on the target server
3. ICMP could be disabled on the target server
4. You need to run the ping command with root privileges

Q693 - How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

1. Defeating the scanner from detecting any code change at the kernel
2. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions
3. Performing common services for the application process and replacing real applications with fake ones
4. Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options

Q694 - An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause?

1. The network devices are not all synchronized.
2. Proper chain of custody was not observed while collecting the logs.
3. The attacker altered or erased events from the logs.
4. vThe security breach was a false positive.

Q695 - John the Ripper is a technical assessment tool used to test the weakness of which of the following?

1. Usernames
2. File permissions
3. Firewall rulesets
4. Passwords

Q696 - You are using NMAP to resolve domain names into IP addresses for a ping sweep later. Which of the following commands looks for IP addresses?

1. >host -t a hackeddomain.com
2. >host -t soa hackeddomain.com
3. >host -t ns hackeddomain.com
4. >host -t AXFR hackeddomain.com

Q697 - A penetration tester is hired to do a risk assessment of a company's DMZ. The rules of engagement states that the penetration test be done from an external IP address with no prior knowledge of the internal IT systems. What kind of test is being performed?

1. white box
2. grey box
3. red box
4. black box

Q698 - Which of the following is a strong post designed to stop a car?

1. Gate
2. Fence
3. Bollard
4. Reinforced rebar

Q699 - Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery operations?

1. Key registry
2. Recovery agent
3. Directory
4. Key escrow

Q700 - A hacker named Jack is trying to compromise a bank's computer system. He needs to know the operating system of that computer to launch further attacks. What process would help him?

1. Banner Grabbing
2. IDLE/IPID Scanning
3. SSDP Scanning
4. UDP Scanning

Q701 - Which of the following network attacks takes advantage of weaknesses in the fragment reassembly functionality of the TCP/IP protocol stack?

1. Teardrop
2. SYN flood
3. Smurf attack
4. Ping of death

Q702 - What are the three types of compliance that the Open Source Security Testing Methodology Manual (OSSTMM) recognizes?

1. Legal, performance, audit
2. Audit, standards based, regulatory
3. Contractual, regulatory, industry
4. Legislative, contractual, standards based

Q703 - In which of the following cryptography attack methods, the attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions?

1. Chosen-plaintext attack
2. Ciphertext-only attack
3. Adaptive chosen-plaintext attack
4. Known-plaintext attack

Q704 - Which of the following DoS tools is used to attack target web applications by starvation of available sessions on the web server? The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.

1. My Doom
2. Astacheldraht
3. R-U-Dead-Yet? (RUDY)
4. LOIC

Q705 - You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles. You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems. In other words, you are trying to penetrate an otherwise impenetrable system. How would you proceed?

1. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network
2. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly-paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information
3. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100, 000 or more "zombies" and "bots"
4. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques

Q706 - What is the algorithm used by LM for Windows2000 SAM?

1. MD4
2. DES
3. SHA
4. SSL

Q707 - A Certificate Authority (CA) generates a key pair that will be used for encryption and decryption of email. The integrity of the encrypted email is dependent on the security of which of the following?

1. Public key
2. Private key
3. Modulus length
4. Email server certificate

Q708 - Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools?

1. ping 192.168.2.
2. ping 192.168.2.255
3. for %V in (1 1 255) do PING 192.168.2.%V
4. for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply"

Q709 - How do employers protect assets with security policies pertaining to employee surveillance activities?

1. Employers promote monitoring activities of employees as long as the employees demonstrate trustworthiness.
2. Employers use informal verbal communication channels to explain employee monitoring activities to employees.
3. Employers use network surveillance to monitor employee email traffic, network access, and to record employee keystrokes.
4. Employers provide employees written statements that clearly discuss the boundaries of monitoring activities and consequences.

Q710 - Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS?

1. SYN scan
2. ACK scan
3. RST scan
4. Connect scan
5. FIN scan

Q711 - > NMAP -sn 192.168.11.200-215
The NMAP command above performs which of the following?

1. A ping scan
2. A trace sweep
3. An operating system detect
4. A port scan

Q712 - If the final set of security controls does not eliminate all risk in a system, what could be done next?

1. Continue to apply controls until there is zero risk.
2. Ignore any remaining risk.
3. If the residual risk is low enough, it can be accepted.
4. Remove current controls since they are not completely effective.

Q713 - (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.). Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal? What is odd about this attack? Choose the best answer.

1. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
2. This is back orifice activity as the scan comes from port 31337.
3. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
4. These packets were crafted by a tool, they were not created by a standard IP stack.

Q714 - DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed. What command is used to determine if the entry is present in DNS cache?

1. nslookup -fullrecursive update.antivirus.com
2. dnsnooping -rt update.antivirus.com
3. nslookup -norecursive update.antivirus.com
4. dns --snoop update.antivirus.com

Q715 - It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?

1. Containment
2. Eradication
3. Recovery
4. Discovery

Q716 - Which of the following tools is used by pen testers and analysts specifically to analyze links between data using link analysis and graphs?

1. Metasploit
2. Wireshark
3. Maltego
4. Cain & Abel

Q717 - You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user's password or activate disabled Windows accounts?

1. John the Ripper
2. SET
3. CHNTPW
4. Cain & Abel

Q718 - Bob, your senior colleague, has sent you a mail regarding aa deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent a mail. What do you want to "know" to prove yourself that it was Bob who had send a mail?

1. Confidentiality
2. Integrity
3. Non-Repudiation
4. Authentication

Q719 - When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?

1. At least twice a year or after any significant upgrade or modification
2. At least once a year and after any significant upgrade or modification
3. At least once every two years and after any significant upgrade or modification
4. At least once every three years or after any significant upgrade or modification

Q720 - You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly. What is the best nmap command you will use?

1. nmap -T4 -q 10.10.0.0/24
2. nmap -T4 -F 10.10.0.0/24
3. nmap -T4 -r 10.10.1.0/24
4. nmap -T4 -O 10.10.0.0/24