
Questionset 6


Practice Set 6

Question 1 of 65
1. Question
Identify the wrong answer in terms of Range:
802.11a – 150 ft
802.11b – 150 ft
802.11n – 150 ft
802.16 (WiMax) – 30 miles

 802.16

 802.11n

 802.11b

 802.11a
Correct

2. Question
Ivan, the black hat hacker, plugged in a rogue switch to an unused port in the LAN with a
priority lower than any other switch in the network so that he could make it a root bridge
that will later allow him to sniff all the traffic in the target’s network. What attack did Ivan
perform?

 ARP spoofing.

 STP attack.

 VLAN hopping.

 DNS poisoning.
Correct

https://howdoesinternetwork.com/2012/stp-attack
An STP attack involves an attacker spoofing the root bridge in the topology. The attacker
broadcasts out an STP configuration/topology change BPDU in an attempt to force an
STP recalculation. The BPDU sent out announces that the attacker’s system has a lower
bridge priority. The attacker can then see a variety of frames forwarded from other
switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on
the network by causing an interruption of 30 to 45 seconds each time the root bridge
changes.

Incorrect answers:
ARP spoofing attack https://en.wikipedia.org/wiki/ARP_spoofing
ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an
attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local
area network. Generally, the aim is to associate the attacker’s MAC address with the IP
address of another host, such as the default gateway, causing any traffic meant for that
IP address to be sent to the attacker instead.
DNS poisoning attack https://en.wikipedia.org/wiki/DNS_spoofing
DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security
hacking in which corrupt Domain Name System data is introduced into the DNS
resolver’s cache, causing the name server to return an incorrect result record, e.g. an IP
address. This results in traffic being diverted to the attacker’s computer (or any other
computer).
VLAN hopping https://en.wikipedia.org/wiki/VLAN_hopping
VLAN hopping is a computer security exploit, a method of attacking networked
resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks
is for an attacking host on a VLAN to gain access to traffic on other VLANs that would
normally not be accessible. There are two primary methods of VLAN hopping: switch
spoofing and double tagging. Both attack vectors can be mitigated with proper switch
port configuration.

Spanning Tree Protocol attack?

Spanning Tree Protocol (STP) attacks exploit vulnerabilities in the protocol to create
network loops or bring down the network.

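A monitoring-side view of the attack described above, as an added example that is not part of the original question set: it decodes the IEEE 802.1D configuration BPDU fields the rogue switch manipulates and flags any advertised root that would beat the documented root bridge. The BPDU layout follows the standard; the topology, MAC addresses and priorities are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of an IEEE 802.1D configuration BPDU (35 bytes, after the LLC header):
#   protocol id (2) | version (1) | type (1) | flags (1) | root id (8) |
#   root path cost (4) | bridge id (8) | port id (2) | four timers (2 each)
# A bridge id is a 2-byte priority followed by the bridge's 6-byte MAC. The
# lowest bridge id wins the root election, which is exactly what the attack abuses.
CONFIG_BPDU_LEN = 35
CONFIG_BPDU_TYPE = 0x00
TCN_BPDU_TYPE = 0x80

BridgeId = Tuple[int, str]  # (priority, lowercase colon-separated MAC)


@dataclass
class ConfigBpdu:
    root: BridgeId        # who the sender believes is the root bridge
    root_path_cost: int
    sender: BridgeId      # the bridge that transmitted this BPDU


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root: BridgeId, cost: int, sender: BridgeId) -> bytes:
    """Encode a configuration BPDU; used here only to construct sample frames."""
    header = struct.pack("!HBBB", 0, 0, CONFIG_BPDU_TYPE, 0)
    ids = struct.pack("!H6sIH6s", root[0], _mac_bytes(root[1]), cost,
                      sender[0], _mac_bytes(sender[1]))
    # port id 0x8001, message age 0, max age 20 s, hello 2 s, forward delay 15 s
    # (timer fields are in units of 1/256 s)
    tail = struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return header + ids + tail


def parse_config_bpdu(payload: bytes) -> Optional[ConfigBpdu]:
    """Decode a configuration BPDU; returns None for TCN BPDUs or malformed input."""
    if len(payload) < CONFIG_BPDU_LEN:
        return None
    proto, _version, bpdu_type, _flags = struct.unpack_from("!HBBB", payload, 0)
    if proto != 0 or bpdu_type != CONFIG_BPDU_TYPE:
        return None  # only configuration BPDUs carry a root id
    root_prio, root_mac, cost, br_prio, br_mac = struct.unpack_from("!H6sIH6s", payload, 5)
    return ConfigBpdu(root=(root_prio, root_mac.hex(":")),
                      root_path_cost=cost,
                      sender=(br_prio, br_mac.hex(":")))


def detect_root_takeover(bpdus: List[bytes], known_root: BridgeId) -> List[str]:
    """Flag every BPDU advertising a root that would win against the documented root.

    Tuple comparison on (priority, mac) mirrors the STP election: the lower
    priority wins, and ties are broken by the lower MAC address."""
    alerts = []
    for raw in bpdus:
        bpdu = parse_config_bpdu(raw)
        if bpdu is None:
            continue
        if bpdu.root < known_root:
            alerts.append(
                f"root takeover: bridge {bpdu.sender[1]} advertises root "
                f"{bpdu.root[1]} with priority {bpdu.root[0]} "
                f"(documented root {known_root[1]} has priority {known_root[0]})")
    return alerts


# Constructed sample topology (not captured from any real network).
KNOWN_ROOT: BridgeId = (32768, "00:11:22:33:44:01")
SAMPLE_BPDUS = [
    build_config_bpdu(KNOWN_ROOT, 0, KNOWN_ROOT),                    # sent by the root itself
    build_config_bpdu(KNOWN_ROOT, 4, (32768, "00:11:22:33:44:02")),  # a downstream switch
    build_config_bpdu((4096, "de:ad:be:ef:00:01"), 0,
                      (4096, "de:ad:be:ef:00:01")),                  # rogue switch, lower priority
    bytes([0, 0, TCN_BPDU_TYPE, 0]),                                 # TCN BPDU, carries no root id
]

if __name__ == "__main__":
    for line in detect_root_takeover(SAMPLE_BPDUS, KNOWN_ROOT):
        print(line)
```

On the switches themselves the same condition is handled by Root Guard, and BPDU Guard on edge ports stops rogue BPDUs before any election; this parser is the complementary check for a capture or IDS pipeline.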
3. Question
Black-hat hacker Ivan attacked the SCADA system of the industrial water facility. During
the exploration process, he discovered that outdated equipment was being used, the
human-machine interface (HMI) was directly connected to the Internet and did not have
any security tools or authentication mechanism. This allowed Ivan to control the system
and influence all processes (including water pressure and temperature). What category
does this vulnerability belong to?

 Memory Corruption.

 Code Injection.

 Lack of Authorization/Authentication and Insecure Defaults.

 Credential Management.
Correct

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/the-state-of-scada-hmi-vulnerabilities
Most SCADA / ICS equipment has a dedicated system for managing and monitoring
industrial systems. Most people in the industry call this a human-machine interface or
HMI. This system is essential for managing industrial systems, but it can also be an
important vector for attackers. If an attacker could endanger the HMI, the attacker owns
your industrial network. These systems have been compromised in at least two ways:
protocol attacks and HMI attacks.
The major areas where SCADA software vulnerabilities occur as you can see in the
graphic below are, respectively:
– Memory corruption.
– Credential management.
– Lack of authentication/authorization and insecure defaults.
– Code injection.
– A big chunk of other areas.

Memory corruption
The vulnerabilities in this category are code security issues that include out-of-bounds
read/write vulnerabilities and heap- and stack-based buffer overflow.
Credential management
Includes all vulnerabilities from not protecting credentials enough and storing passwords
in a recoverable format to the use of hard-coded passwords.
Lack of authentication/authorization and insecure defaults
The vulnerabilities in this category include transmission of confidential information in
cleartext, insecure defaults, missing encryption, and insecure ActiveX controls used for
scripting.
NOTE: The situation in the question relates to this vulnerability because the problem is
not just in a simple password or in its insecure storage, but in the complete absence of
the authentication mechanism itself.
Code injection
The vulnerabilities in this category include common code injections such as SQL, OS,
command, and some domain-specific injections.

4. Question
Whois services allow you to get a massive amount of valuable information at the stage
of reconnaissance. Depending on the target’s location, they receive data from one of the
five largest regional Internet registries (RIR). Which of the following RIRs should the
Whois service contact if you want to get information about an IP address registered in
France?

 LACNIC

 RIPE NCC

 APNIC

 ARIN
Correct

https://en.wikipedia.org/wiki/Regional_Internet_registry
A regional Internet registry (RIR) is an organization that manages the allocation and
registration of Internet number resources within a region of the world. Internet number
resources include IP addresses and autonomous system (AS) numbers.
The regional Internet registry system evolved over time, eventually dividing the
responsibility for management to a registry for each of five regions of the world. The
regional Internet registries are informally liaised through the unincorporated Number
Resource Organization (NRO), which is a coordinating body to act on matters of global
importance.

· American Registry for Internet Numbers (ARIN)
· RIPE Network Coordination Centre (RIPE NCC)
· Asia-Pacific Network Information Centre (APNIC)
· Latin American and Caribbean Network Information Centre (LACNIC)
· African Network Information Centre (AFRINIC)
NOTE: There are also national Internet registries (NIRs): https://en.wikipedia.org/wiki/National_Internet_registry
· The Japan Network Information Center (JPNIC)
· The Korea Internet & Security Agency (KISA/KRNIC)
· China Internet Network Information Center (CNNIC)
· Asosiasi Penyelenggara Jasa Internet Indonesia (APJII)
· Taiwan Network Information Center (TWNIC)
· Vietnam Internet Network Information Center (VNNIC)
· Indian Registry for Internet Names and Numbers (IRINN)

5. Question
Have you spent a lot of time and money on creating photo materials for your business?
You probably don’t want anyone else to use them. But you don’t need to hire a cool
hacker to solve this problem. There is a reasonably simple method using search engines
to search for photographs, profile pictures, and memes.
What method are we talking about?

 Google dorking

 Google advanced search

 Reverse image search

 Metasearch engines
Correct

https://en.wikipedia.org/wiki/Reverse_image_search

Reverse image search is a content-based image retrieval (CBIR) query technique that
involves providing the CBIR system with a sample image that it will then base its search
upon; in terms of information retrieval, the sample image is what formulates a search
query. In particular, reverse image search is characterized by a lack of search terms.
This effectively removes the need for a user to guess at keywords or terms that may or
may not return a correct result. Reverse image search also allows users to discover
content that is related to a specific sample image, popularity of an image, and discover
manipulated versions and derivative works.
Incorrect answers:
Google advanced search https://www.google.com/advanced_search
Google Advanced Search is a more detailed method of finding information on Google. It
uses a variety of Google search operators, consisting of special characters and
commands (also known as “advanced operators”), that go beyond a normal Google
search.
Metasearch engines https://en.wikipedia.org/wiki/Metasearch_engine
A metasearch engine (or search aggregator) is an online information retrieval tool that
uses the data of a web search engine to produce its own results. Metasearch engines
take input from a user and immediately query search engines for results. Sufficient data
is gathered, ranked, and presented to the users.
Google dorking https://en.wikipedia.org/wiki/Google_hacking
Google hacking, also named Google dorking, is a hacker technique that uses Google
Search and other Google applications to find security holes in the configuration and
computer code that websites are using. Google dorking could also be used for OSINT.

6. Question
In which of the following attacks is the line above injected?

 IDOR

 SQLi

 XXS

 XXE
Correct

https://portswigger.net/web-security/xxe
XML external entity injection (also known as XXE) is a web security vulnerability that
allows an attacker to interfere with an application’s processing of XML data. It often
allows an attacker to view files on the application server filesystem and interact with any
back-end or external systems that the application can access.
In some situations, an attacker can escalate an XXE attack to compromise the
underlying server or other back-end infrastructure by leveraging the XXE vulnerability to
perform server-side request forgery (SSRF) attacks.
Incorrect answers:
SQLi https://en.wikipedia.org/wiki/SQL_injection
SQL injection is a code injection technique used to attack data-driven applications, in
which malicious SQL statements are inserted into an entry field for execution (e.g. to
dump the database contents to the attacker). SQL injection must exploit a security
vulnerability in an application’s software, for example, when user input is either
incorrectly filtered for string literal escape characters embedded in SQL statements or
user input is not strongly typed and unexpectedly executed. SQL injection is mostly
known as an attack vector for websites but can be used to attack any type of SQL
database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the
complete disclosure of all data on the system, destroy the data or make it otherwise
unavailable, and become administrators of the database server.
XXS https://en.wikipedia.org/wiki/Cross-site_scripting
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some
web applications. XSS attacks enable attackers to inject client-side scripts into web
pages viewed by other users. A cross-site scripting vulnerability may be used by
attackers to bypass access controls such as the same-origin policy. XSS effects vary in
range from petty nuisance to significant security risk, depending on the sensitivity of the
data handled by the vulnerable site and the nature of any security mitigation
implemented by the site’s owner network.
IDOR https://portswigger.net/web-security/access-control/idor
Insecure direct object references (IDOR) are a type of access control vulnerability that
arises when an application uses user-supplied input to access objects directly. However,
it is just one example of many access control implementation mistakes that can lead to
access controls being circumvented. IDOR vulnerabilities are most associated with
horizontal privilege escalation, but they can also arise in relation to vertical privilege
escalation.
Practice Set 6

7. Question
Alex received an order to conduct a pentest and scan a specific server. When receiving
the technical task, he noticed the point: “The attacker must scan every port on the server
several times using a set of spoofed source IP addresses.” Which of the following Nmap
flags will allow Alex to fulfill this requirement?

 -f

 -S

 -A

 -D
Correct

https://linux.die.net/man/1/nmap
-D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys).
nmap -D 192.168.3.23,192.168.3.31 192.168.3.21 (target machine)
Causes a decoy scan to be performed, which makes it appear to the remote host that
the host(s) you specify as decoys are scanning the target network too. Thus their IDS
might report 5-10 port scans from unique IP addresses, but they won’t know which IP
was scanning them and which were innocent decoys. While this can be defeated
through router path tracing, response-dropping, and other active mechanisms, it is
generally an effective technique for hiding your IP address. Separate each decoy host
with commas, and you can optionally use ME as one of the decoys to represent the
position for your real IP address. If you put ME in the sixth position or later, some
common port scan detectors (such as Solar Designer’s excellent Scanlogd) are unlikely
to show your IP address at all. If you don’t use ME, Nmap will put you in a random
position. You can also use RND to generate a random, non-reserved IP address, or
RND:number to generate number addresses.
Incorrect answers:
-f (fragment packets); --mtu (using the specified MTU).
The -f option causes the requested scan (including ping scans) to use tiny fragmented IP
packets. The idea is to split up the TCP header over several packets to make it harder
for packet filters, intrusion detection systems, and other annoyances to detect what you
are doing. Be careful with this! Some programs have trouble handling these tiny packets.
The old-school sniffer named Sniffit segmentation faulted immediately upon receiving
the first fragment. Specify this option once, and Nmap splits the packets into eight bytes
or less after the IP header. So a 20-byte TCP header would be split into three packets.
Two with eight bytes of the TCP header, and one with the final four. Of course each
fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing
the number of fragments).
-S IP_Address (Spoof source address).
In some circumstances, Nmap may not be able to determine your source address
(Nmap will tell you if this is the case). In this situation, use -S with the IP address of the
interface you wish to send packets through.
-A (Aggressive scan options).
This option enables additional advanced and aggressive options. I haven’t decided
exactly which it stands for yet. Presently this enables OS detection (-O), version
scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More features may
be added in the future. The point is to enable a comprehensive set of scan options
without people having to remember a large set of flags. However, because script
scanning with the default set is considered intrusive, you should not use -A against
target networks without permission. This option only enables features, and not timing
options (such as -T4) or verbosity options (-v) that you might want as well.
https://www.youtube.com/watch?v=2PN4hhdnJOs

8. Question
Which of the following algorithms is a symmetric key block cipher with a block size of
128 bits representing a 32-round SP-network operating on a block of four 32-bit words?

 CAST-128

 Serpent

 RC4

 SHA-256
Correct

https://en.wikipedia.org/wiki/Serpent_(cipher)
Serpent is a symmetric key block cipher that was a finalist in the Advanced
Encryption Standard (AES) contest, where it was ranked second to Rijndael.
Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.
Like other AES submissions, Serpent has a block size of 128 bits and supports a
key size of 128, 192 or 256 bits. The cipher is a 32-round substitution permutation
network operating on a block of four 32-bit words. Each round applies one of eight
4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all
operations can be executed in parallel, using 32-bit slices. This maximizes
parallelism, but also allows use of the extensive cryptanalysis work performed on
DES.
Incorrect answers:
CAST-128 https://en.wikipedia.org/wiki/CAST-128
CAST-128 is a 12- or 16-round Feistel network with a 64-bit block size and a key size of
between 40 and 128 bits.
RC4 https://en.wikipedia.org/wiki/RC4
RC4 (Rivest Cipher 4 also known as ARC4 or ARCFOUR meaning Alleged RC4, see
below) is a stream cipher.
SHA-256 https://en.wikipedia.org/wiki/SHA-2
SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by
the United States National Security Agency (NSA) and first published in 2001.
The SHA-2 family consists of six hash functions with digests (hash values) that are 224,
256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
Serpent has a block size of 128 bits and can have a key size of 128, 192, or 256 bits, much
like AES. The algorithm is also a substitution-permutation network (like AES). It uses 32
rounds working with a block of four 32-bit words.

9. Question
Which of the following is an example of a scareware social engineering attack?

 A banner appears to a user stating, “Your order has been delayed. Click
here to find out your new delivery date.”

 A pop-up appears to a user stating, “You have won money! Click here to
claim your prize!”

 A pop-up appears to a user stating, “Your computer may have been
infected with spyware. Click here to install an anti-spyware tool to resolve
this issue.”

 A banner appears to a user stating, “Your password has expired. Click here
to update your password.”
Correct

https://en.wikipedia.org/wiki/Scareware
It’s a very simple question, but nevertheless, you may meet a similar one on the exam,
so you just have to be ready for it.
Scareware refers to scam tactics and fake software applications that cybercriminals use
to incite feelings of panic and fear. They do this to get users to make irrational split-
second decisions and to trick them into:
– Buying worthless software;
– Downloading different types of malicious software;
– Visiting websites that auto-download and install malicious software onto their devices.
Scareware scammers use social engineering tactics and language that create a sense of
urgency in their targets to compel their targets to act. They frequently rely on pop-ups
that are designed to look like antivirus alerts. In some cases, the messages can take
over part (or all) of the target’s screen.
In general, scareware messages are associated with fake antivirus software and tech
support scams. They falsely notify people that their devices (such as their computer,
tablet, mobile phone) are infected with various types of malware.

10. Question
You need to increase the security of keys used for encryption and authentication. For
these purposes, you decide to use a technique to enter an initial key to an algorithm that
generates an enhanced key resistant to brute-force attacks. Which of the following
techniques will you use?

 Key reinstallation

 PKI

 KDF

 Key stretching
Incorrect

https://en.wikipedia.org/wiki/Key_stretching
Key stretching techniques are used to make a possibly weak key, typically a password
or passphrase, more secure against a brute-force attack by increasing the resources
(time and possibly space) it takes to test each possible key. Passwords or passphrases
created by humans are often short or predictable enough to allow password cracking,
and key stretching is intended to make such attacks more difficult by complicating a
basic step of trying a single password candidate. Key stretching also improves security
in some real-world applications where the key length has been constrained, by
mimicking a longer key length from the perspective of a brute-force attacker.
There are several ways to perform key stretching. One way is to apply a cryptographic
hash function or a block cipher repeatedly in a loop. For example, in applications where
the key is used for a cipher, the key schedule in the cipher may be modified so that it
takes a specific length of time to perform. Another way is to use cryptographic hash
functions that have large memory requirements – these can be effective in frustrating
attacks by memory-bound adversaries.
Key stretching algorithms depend on an algorithm that receives an input key and then
expends considerable effort to generate a stretched cipher (called an enhanced key)
mimicking randomness and longer key length. The algorithm must
have no known shortcut, so the most efficient way to relate the input and cipher is to
repeat the key stretching algorithm itself. This compels brute-force attackers to expend
the same effort for each attempt. If this added effort compares to a brute-force key
search of all keys with a certain key length, then the input key may be described as
stretched by that same length.
Key stretching leaves an attacker with two options:
– Attempt possible combinations of the enhanced key, but this is infeasible if the
enhanced key is sufficiently long and unpredictable (i.e., the algorithm mimics
randomness well enough that the attacker must trial the entire stretched key space).
– Attempt possible combinations of the weaker initial key, potentially commencing with a
dictionary attack if the initial key is a password or passphrase, but the attacker’s added
effort for each trial could render the attack uneconomic should the costlier computation
and memory consumption outweigh the expected profit.
If the attacker uses the same class of hardware as the user, each guess will take a
similar amount of time to process as it took the user (for example, one second). Even if
the attacker has much greater computing resources than the user, the key stretching will
still slow the attacker down while not seriously affecting the usability of the system for
any legitimate user. This is because the user’s computer only has to compute the
stretching function once upon the user entering their password, whereas the attacker
must compute it for every guess in the attack.
This process does not alter the original key-space entropy. The key stretching algorithm
is deterministic, allowing a weak input to always generate the same enhanced key, but
therefore limiting the enhanced key to no more possible combinations than the input key
space. Consequently, the scheme remains vulnerable, if unprotected, to certain time-
memory trade-offs such as rainbow tables built to target multiple instances of the
enhanced key space in parallel (effectively a shortcut to repeating the algorithm). For
this reason, key stretching is often combined with salting.
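An added example (not from the original page or Wikipedia) of the mechanism the text describes, using PBKDF2-HMAC-SHA256 from Python’s standard library: the same input always yields the same enhanced key, a salt makes precomputed tables useless, and every attacker guess pays the full iteration cost. The password, salt, word list and function names are constructed for the demonstration.

```python
import hashlib
import os
import time
from typing import List, Tuple

# Constructed sample values (not from any real system).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")  # 16 bytes, constructed


def stretch_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Derive an enhanced key with PBKDF2-HMAC-SHA256.

    Each candidate password costs `iterations` HMAC evaluations, and there is no
    shortcut: the only way to relate password and output is to run the loop."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def is_deterministic(password: bytes, salt: bytes, iterations: int) -> bool:
    """The same input always yields the same enhanced key (entropy is not increased)."""
    return stretch_key(password, salt, iterations) == stretch_key(password, salt, iterations)


def salt_defeats_precomputation(password: bytes, iterations: int) -> bool:
    """Two salts give unrelated outputs, so a table built for one salt is useless for another."""
    first = stretch_key(password, SAMPLE_SALT, iterations)
    second = stretch_key(password, os.urandom(16), iterations)
    return first != second


def per_guess_cost_ratio(low_iters: int, high_iters: int) -> float:
    """How much slower one guess becomes when iterations rise from low_iters to high_iters."""
    t0 = time.perf_counter()
    stretch_key(SAMPLE_PASSWORD, SAMPLE_SALT, low_iters)
    t1 = time.perf_counter()
    stretch_key(SAMPLE_PASSWORD, SAMPLE_SALT, high_iters)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


def dictionary_trial(candidates: List[bytes], salt: bytes, iterations: int,
                     target: bytes) -> Tuple[int, int]:
    """Model the attacker's second option from the text: trial initial keys from a
    word list against a stored enhanced key. Returns (index of the match or -1,
    number of PBKDF2 evaluations spent); every trial pays the full stretching cost."""
    for index, candidate in enumerate(candidates):
        if stretch_key(candidate, salt, iterations) == target:
            return index, index + 1
    return -1, len(candidates)


if __name__ == "__main__":
    stored = stretch_key(SAMPLE_PASSWORD, SAMPLE_SALT, 100_000)
    print("enhanced key:", stored.hex())
    print("deterministic:", is_deterministic(SAMPLE_PASSWORD, SAMPLE_SALT, 100_000))
    print("salt changes output:", salt_defeats_precomputation(SAMPLE_PASSWORD, 100_000))
    print("cost ratio 1k -> 100k iterations: %.0fx" % per_guess_cost_ratio(1_000, 100_000))
    wordlist = [b"password", b"letmein", SAMPLE_PASSWORD]  # constructed word list
    print("dictionary trial (index, evaluations):",
          dictionary_trial(wordlist, SAMPLE_SALT, 100_000, stored))
```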

Incorrect answers:
KDF https://en.wikipedia.org/wiki/Key_derivation_function
Key derivation function (KDF) is a cryptographic hash function that derives one or more
secret keys from a secret value such as the main key, a password, or a passphrase
using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to
obtain keys of a required format, such as converting a group element that is the result of
a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed
cryptographic hash functions are popular examples of pseudorandom functions used for
key derivation.
PKI https://en.wikipedia.org/wiki/Public_key_infrastructure
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and
procedures needed to create, manage, distribute, use, store and revoke digital
certificates and manage public-key encryption. The purpose of a PKI is to facilitate the
secure electronic transfer of information for a range of network activities such as
e-commerce, internet banking and confidential email. It is required for activities where
simple passwords are an inadequate authentication method and more rigorous proof is
required to confirm the identity of the parties involved in the communication and to
validate the information being transferred.
In cryptography, a PKI is an arrangement that binds public keys with respective identities
of entities (like people and organizations). The binding is established through a process
of registration and issuance of certificates at and by a certificate authority (CA).
Depending on the assurance level of the binding, this may be carried out by an
automated process or under human supervision. When done over a network, this
requires using a secure certificate enrollment or certificate management protocol such
as CMP.
Key reinstallation https://en.wikipedia.org/wiki/KRACK
KRACK (“Key Reinstallation Attack”) is a replay attack (a type of exploitable flaw) on the
Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in
2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of
Leuven. Vanhoef’s research group published details of the attack in October 2017. By
repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an
attacker can gradually match encrypted packets seen before and learn the full keychain
used to encrypt the traffic.
The weakness is exhibited in the Wi-Fi standard itself, and not due to errors in the
implementation of a sound standard by individual products or implementations.
Therefore, any correct implementation of WPA2 is likely to be vulnerable. The
vulnerability affects all major software platforms, including Microsoft Windows, macOS,
iOS, Android, Linux, OpenBSD and others.
The security protocol protecting many Wi-Fi devices can essentially be bypassed,
potentially allowing an attacker to intercept sent and received data.

11. Question
The attacker performed an attack using a micro:bit and Btlejack, executing different
commands in the console one after another. After executing this attack, he was able to
read and export sensitive information shared between connected devices. Which of the
following commands did the attacker use to hijack the connections?

 btlejack -s

 btlejack -f 0x9c68fd30 -t -m 0x1fffffffff

 btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s

 btlejack -c any
Correct

https://github.com/virtualabs/btlejack
This question looks a bit strange and abstract. Nevertheless, you will meet a question on
a similar topic on the exam.
To answer, you just need to look at the example of Btlejacking Using BtleJack presented
in EC-Council’s courseware.
Btlejacking is performed using the following steps.
1. Select target devices using the following command:
btlejack -d /dev/ttyACM0 -d /dev/ttyACM2 -s
2. With the Btlejack tool, take a position within a radius of 5 m from the target devices.
3. Capture already established (live) as well as new Bluetooth low energy (BLE)
connections using the following commands.
– Sniffing an existing connection:
btlejack -s
– Sniffing for new connections:
btlejack -c any
4. Once the connection is captured, perform a jamming operation using the following
command:
btlejack -f 0x129f3244 -j
5. Start hijacking the connection using the following command:
btlejack -f 0x9c68fd30 -t -m 0x1fffffffff
6. The captured data can be converted into the pcap format using the following
command:
btlejack -f 0xac56bc12 -x nordic -o capture.nordic.pcap
https://www.youtube.com/watch?v=7hLBfdAGkZI

Why this tool?

Btlejack is a security tool that provides all options to sniff, jam, and hijack Bluetooth Low
Energy (BLE) devices. It can be used during security assessments to test the security of
devices that use Bluetooth as a communication protocol.

How it works

Btlejack relies on the BBC Micro:Bit hardware with custom firmware. Upon the first use or
after firmware updates, the tool will have to (re)program the Micro:Bit device. When the
custom firmware is placed, the scanning and testing can be done easily with just a few
commands.

Usage and audience

Btlejack is commonly used for Bluetooth security testing, connection hijacking,
or security assessment. Target users for this tool are pentesters and security professionals.

12. Question
Rajesh wants to make the Internet a little safer and uses his skills to scan the networks
of various organizations and find vulnerabilities even without the owners’ permission. He
informs the company owner about the problems encountered, but if the company ignores
him and does not fix the vulnerabilities, Rajesh publishes them publicly and forces the
company to respond. Which type of hacker best describes Rajesh?

 Cybercriminal

 Black hat

 Gray hat

 White hat
Correct

https://www.kaspersky.com/resource-center/definitions/hacker-hat-types
Grey hat hackers are a blend of both black hat and white hat activities. Often, grey hat
hackers will look for vulnerabilities in a system without the owner’s permission or
knowledge. If issues are found, they will report them to the owner, sometimes requesting
a small fee to fix the problem. If the owner does not respond or comply, periodically, the
hackers will post the newly found exploit online for the world to see.
These types of hackers are not inherently malicious with their intentions; they’re just
looking to get something out of their discoveries for themselves. Usually, grey hat
hackers will not exploit the found vulnerabilities. However, this type of hacking is still
considered illegal because the hacker did not receive permission from the owner before
attacking the system.

13. Question
Which of the following standards is most applicable for a major credit card company?

 Sarbanes-Oxley Act

 PCI-DSS

 HIPAA

 FISMA
Correct

https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security
standard for organizations that handle branded credit cards from the major card
schemes.
The PCI Standard is mandated by the card brands but administered by the Payment
Card Industry Security Standards Council. The standard was created to increase
controls around cardholder data to reduce credit card fraud.
Validation of compliance is performed annually or quarterly by a method suited to the
volume of transactions handled:
– Self-Assessment Questionnaire (SAQ) — smaller volumes;
– External Qualified Security Assessor (QSA) — moderate volumes; involves an
Attestation on Compliance (AOC);
– Firm-specific Internal Security Assessor (ISA) — larger volumes; involves issuing a
Report on Compliance (ROC).
Incorrect answers:
FISMA https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
The Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541,
et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government
Act of 2002 (Pub.L. 107–347, 116 Stat. 2899). The act recognized the
importance of information security to the economic and national security interests of the
United States. The act requires each federal agency to develop, document, and
implement an agency-wide program to provide information security for the information
and information systems that support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or other source.
Practice Set 6
FISMA has brought attention within the federal government to cybersecurity and
explicitly emphasized a “risk-based policy for cost-effective security.“ FISMA requires
agency program officials, chief information officers, and inspectors general (IGs) to
conduct annual reviews of the agency‘s information security program and report the
results to the Office of Management and Budget (OMB). OMB uses this data to assist in its
oversight responsibilities and to prepare its annual report to Congress on agency
compliance with the act. In FY 2008, federal agencies spent $6.2 billion securing the
government‘s total information technology investment of approximately $68 billion or
about 9.2 percent of the total information technology portfolio.
Sarbanes-Oxley Act https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act
The Sarbanes–Oxley Act of 2002 is a United States federal law that mandates certain
practices in financial record keeping and reporting for corporations.
The act, (Pub.L. 107–204 (text) (pdf), 116 Stat. 745, enacted July 30, 2002), also known
as the “Public Company Accounting Reform and Investor Protection Act“ (in the Senate)
and “Corporate and Auditing Accountability, Responsibility, and Transparency Act“ (in
the House) and more commonly called Sarbanes–Oxley or SOX, contains eleven
sections that place requirements on all U.S. public company boards of directors and
management and public accounting firms. A number of provisions of the Act also apply
to privately held companies, such as the willful destruction of evidence to impede a
federal investigation.
The law was enacted as a reaction to a number of major corporate and accounting
scandals, including Enron and WorldCom. The sections of the bill cover responsibilities
of a public corporation‘s board of directors, add criminal penalties for certain misconduct,
and require the Securities and Exchange Commission to create regulations to define
how public corporations are to comply with the law.
HIPAA https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the
Kennedy–Kassebaum Act) is a United States federal statute enacted by the 104th
United States Congress and signed into law by President Bill Clinton on August 21,
1996. It modernized the flow of healthcare information, stipulates how personally
identifiable information maintained by the healthcare and healthcare insurance industries
should be protected from fraud and theft, and addressed some limitations on healthcare
insurance coverage. It generally prohibits healthcare providers and healthcare
businesses, called covered entities, from disclosing private information to anyone other
than a patient and the patient‘s authorized representatives. It does not restrict patients
from receiving information about themselves, prohibit them from voluntarily sharing their
private health information however they choose, or – if they disclose private medical
information to family members, friends, or other private individuals – legally require those
non-covered people to maintain confidentiality.

14. Question
Identify the Google advanced search operator that helps an attacker gather information
about websites similar to a specified target URL.

 [inurl:]

 [link:]

 [site:]
 [related:]
Incorrect

https://ktflash.gitbooks.io/ceh_v9/content/222_footprinting_using_advanced_google_hacking_tec.html
[related:] Lists web pages that are similar to a specified web page.
Incorrect answers:
[link:] Lists web pages that have links to the specified web page.
[site:] Restricts the results to those websites in the given domain.
[inurl:] Restricts the results to documents containing the search keyword in the URL.

Google Advanced Search Operators (important)
 Google supports several advanced operators that help
in modifying the search:
o [cache:] Displays the web pages stored in the Google cache
o [link:] Lists web pages that have links to the specified web
page
o [related:] Lists web pages that are similar to a specified web
page
o [info:] Presents some information that Google has about a
particular web page
o [site:] Restricts the results to those websites in the given
domain
o [allintitle:] Restricts the results to those websites with all of
the search keywords in the title
o [intitle:] Restricts the results to documents containing the
search keyword in the title
o [allinurl:] Restricts the results to those with all of the search
keywords in the URL
o [inurl:] Restricts the results to documents containing the
search keyword in the URL

Google Hacking Databases


 Google Hacking Database
(GHDB): http://www.hackersforcharity.org
 Google Dorks: http://www.exploit-db.com

Information Gathering Using Google


Advanced Search
 Use Google Advanced Search option to find sites that may link
back to the target company's website.
 This may extract information such as partners, vendors, clients,
and other affiliations for target website.
 With the Google Advanced Search option, you can search the web more
precisely and accurately.

15. Question
To which of the following attack types does using a Wi-Fi Pineapple to run an access
point with a legitimate-looking SSID for a nearby business belong?

 Evil-twin attack

 MAC spoofing attack

 Wardriving attack

 Phishing attack
Correct

https://terranovasecurity.com/wi-fi-pineapple-cyber-security-threat/
A Wi-Fi Pineapple is a wireless auditing platform from Hak5 that allows network security
administrators to conduct penetration tests. Pen tests are a type of ethical hacking in
which white hat hackers seek out security vulnerabilities that a black hat attacker could
exploit. The labels white hat and black hat are derived from old-time Western movies in
which the good guys wore white hats and the bad guys wore black hats.
A Wi-Fi Pineapple can also be used as a rogue access point (AP) to conduct man-in-the-
middle (MitM) attacks. A MiTM attack is one in which the attacker secretly intercepts and
relays messages between two parties that believe they are communicating directly with
each other. The inexpensive price and friendly user interface (UI) enable attackers with
little technical knowledge to eavesdrop on computing devices using public Wi-Fi
networks in order to collect sensitive personal information, including passwords.
Uses of Wi-Fi Pineapple
The Pineapple was originally invented by engineers at Hak5 to perform pen tests and
help network administrators audit network security. The AP, which some people think
resembles a spider instead of a pineapple, enables network engineers to hack their own
network in order to identify vulnerabilities and put mechanisms in place to strengthen the
network against potential attackers.
When a Pineapple is used for pen testing, it is referred to as a honeypot. When a
Pineapple is used as a rogue AP to conduct MitM security exploits, it is referred to as an
evil twin or pineapple sandwich.

16. Question
The date and time of a remote host can in theory be used against some systems whose
other services rely on weak time-based random number generators. Which option in
Zenmap (Nmap) will allow you to make an ICMP timestamp ping?

 -PU

 -PY

 -PP

 -PN
Correct

https://nmap.org/book/host-discovery-techniques.html
Don't ping (skip host discovery)
– nmap -PN [target] (-PN is the legacy spelling; current Nmap documents it as -Pn)
UDP ping
– nmap -PU [target]
ICMP timestamp ping
– nmap -PP [target]
SCTP INIT ping
– nmap -PY [target]
What is an SCTP INIT scan?
SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed
quickly, scanning thousands of ports per second on a fast network not hampered by
restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy
since it never completes SCTP associations.
The -PY discovery method attempts to locate hosts using the Stream Control
Transmission Protocol (SCTP). SCTP is typically used on systems for IP-based
telephony.
The default port for -PY is 80. Others can be specified with the following syntax:
nmap -PY22,25,80,443 [target].
Usage syntax: nmap -PY[port1,port2,...] [target]
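As an added example (not from the page or from Nmap), the ICMP timestamp exchange that -PP relies on, built and parsed in Python: the request is ICMP type 13, the reply type 14, and the three 32-bit timestamps are milliseconds since midnight UTC, which is where the remote clock value comes from. The reply below is constructed inline so the parser runs offline; sending the request for real needs a raw socket (root), which is what Nmap does for you.

```python
import struct
from datetime import datetime, timezone

ICMP_TIMESTAMP_REQUEST = 13   # RFC 792 "Timestamp"
ICMP_TIMESTAMP_REPLY = 14     # RFC 792 "Timestamp Reply"
FMT = "!BBHHHIII"             # type, code, checksum, id, seq, originate, receive, transmit


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now=None) -> int:
    """The timestamp format ICMP uses: milliseconds since 00:00 UTC today."""
    now = now or datetime.now(timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)


def ms_to_hms(ms: int) -> str:
    h, ms = divmod(ms, 3_600_000)
    m, ms = divmod(ms, 60_000)
    s, ms = divmod(ms, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"


def build_timestamp(msg_type: int, ident: int, seq: int,
                    originate: int, receive: int = 0, transmit: int = 0) -> bytes:
    """Serialise a 20-byte ICMP timestamp message with a correct checksum."""
    body = struct.pack(FMT, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    csum = icmp_checksum(body)
    return struct.pack(FMT, msg_type, 0, csum, ident, seq, originate, receive, transmit)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    return build_timestamp(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms)


def parse_timestamp_reply(packet: bytes) -> dict:
    """Validate a type-14 reply and pull out the remote clock and its offset from ours."""
    if len(packet) < 20:
        raise ValueError("ICMP timestamp messages are 20 bytes")
    msg = packet[:20]
    t, _code, _csum, ident, seq, orig, recv, xmit = struct.unpack(FMT, msg)
    if t != ICMP_TIMESTAMP_REPLY:
        raise ValueError(f"not a timestamp reply (type {t})")
    # Summing a message that already carries its checksum yields zero when it is intact.
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return {
        "id": ident, "seq": seq,
        "originate_ms": orig, "receive_ms": recv, "transmit_ms": xmit,
        "remote_time_utc": ms_to_hms(recv),
        # Receive minus originate is the remote clock offset plus the one-way delay.
        "skew_ms": recv - orig,
    }


# Constructed reply, as a target that answers -PP would send it (no network needed).
SAMPLE_REPLY = build_timestamp(ICMP_TIMESTAMP_REPLY, ident=0x1234, seq=1,
                               originate=43_200_000, receive=43_200_250, transmit=43_200_250)

if __name__ == "__main__":
    print(build_timestamp_request(0x1234, 1, ms_since_midnight_utc()).hex())
    print(parse_timestamp_reply(SAMPLE_REPLY))
```

A host that answers at all is alive, which is all -PP needs; the receive timestamp is the bonus the question alludes to, and a reply whose clock is far from yours is worth noting for any service on that host that seeds randomness from the time of day.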
NOTE: https://nmap.org/zenmap/
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux,
Windows, Mac OS X, BSD, etc.) free and open-source application that aims to make
Nmap easy for beginners to use while providing advanced features for experienced
Nmap users. Frequently used scans can be saved as profiles to make them easy to run
repeatedly. A command creator allows the interactive creation of Nmap command lines.
Scan results can be saved and viewed later. Saved scan results can be compared with
one another to see how they differ. The results of recent scans are stored in a
searchable database.
17. Question
Alexa, a college student, decided to go to a cafe. While waiting for her order, she
decided to connect to a public Wi-Fi network without additional security tools such as a
VPN. How can she verify that nobody is performing an ARP spoofing attack on her
laptop?

 She can‘t identify such an attack and must use a VPN to protect her traffic.

 She should scan the network using Nmap to check the MAC addresses of all
the hosts and look for duplicates.

 She should check her ARP table and see if there is one IP address with
two different MAC addresses.

 She should use netstat to check for any suspicious connections with another
IP address within the LAN.
Correct

https://www.comparitech.com/blog/information-security/arp-poisoning-spoofing-detect-
prevent/
ARP poisoning can be detected in several different ways. You can use Windows’
Command Prompt, an open-source packet analyzer such as Wireshark, or proprietary
options such as XArp.
You can check the ARP attack in Command Prompt. First, open Command Prompt as
an administrator. In the command line, enter:
arp -a
If the table contains two different IP addresses that share the same MAC address, then
you are probably undergoing an ARP poisoning attack. (A cache entry holds only one
MAC per IP, so the answer's "one IP address with two different MAC addresses" shows up
as the default gateway's MAC changing between successive arp -a runs; compare
snapshots, not just a single listing.)
You can read about other ways of detecting ARP spoofing here:
Wireshark: https://media.neliti.com/media/publications/263063-arp-spoofing-detection-
via-wireshark-and-9a79ced5.pdf
XArp: http://www.xarp.net/#support
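An added example (not from the cited article) that automates the check above in Python: it parses arp -a output from Windows or Linux, flags unicast MAC addresses that appear against more than one IP, and compares two snapshots to catch the gateway's MAC changing. The table text is constructed to show an attacker who has cloned the gateway's MAC onto 192.168.1.40.

```python
import re
from collections import defaultdict

# Windows "arp -a" rows: "  192.168.1.1   3c-84-6a-11-22-33   dynamic"
WINDOWS_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
# Linux "arp -a" rows: "? (192.168.1.1) at 3c:84:6a:11:22:33 [ether] on wlan0"
LINUX_ROW = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Constructed Windows output: the gateway's MAC (.1) has been cloned onto .40.
SAMPLE_WINDOWS = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           3c-84-6a-11-22-33     dynamic
  192.168.1.40          3c-84-6a-11-22-33     dynamic
  192.168.1.77          b8-27-eb-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# The same situation as Linux "arp -a" would print it (constructed).
SAMPLE_LINUX = """\
_gateway (192.168.1.1) at 3c:84:6a:11:22:33 [ether] on wlan0
? (192.168.1.40) at 3c:84:6a:11:22:33 [ether] on wlan0
? (192.168.1.77) at b8:27:eb:aa:bb:cc [ether] on wlan0
"""


def parse_arp_table(text: str) -> list:
    """Return [(ip, mac, type)] from either OS's output; MACs normalised to aa:bb:cc:dd:ee:ff."""
    entries = []
    for line in text.splitlines():
        m = WINDOWS_ROW.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower().replace("-", ":"), m.group(3).lower()))
            continue
        m = LINUX_ROW.search(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), "dynamic"))
    return entries


def is_unicast(mac: str) -> bool:
    """I/G bit clear in the first octet: skips broadcast and multicast rows, which legitimately repeat."""
    return not (int(mac[:2], 16) & 0x01)


def find_duplicate_macs(entries: list) -> dict:
    """Several IPs resolving to one MAC is the classic poisoning symptom (attacker posing as the gateway)."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(before: list, after: list, gateway_ip: str) -> bool:
    """Compare two snapshots: a gateway whose MAC flips between runs is the other symptom."""
    def mac_of(entries):
        return next((mac for ip, mac, _ in entries if ip == gateway_ip), None)
    old, new = mac_of(before), mac_of(after)
    return old is not None and new is not None and old != new


if __name__ == "__main__":
    print(find_duplicate_macs(parse_arp_table(SAMPLE_WINDOWS)))
```

A shared MAC is not proof on its own: a router answering for several virtual IPs or a host with IP aliases looks the same, so treat a hit as a prompt to inspect the traffic (Wireshark's "Duplicate IP address detected" expert warning shows the gratuitous replies themselves).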

18. Question
The attacker disabled the security controls of NetNTLMv1 by modifying the values of
LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. His next
step was to extract all the non-network logon tokens from all the active processes to
masquerade as a legitimate user to launch further attacks. Which of the following attacks
was performed by the attacker?

 Phishing attack

 Internal monologue attack

 Dictionary attack

 Rainbow table attack


Correct
https://github.com/eladshamir/Internal-Monologue
The Internal monologue attack allows NTLMv1 challenge-response hashes to be
obtained from the victim’s system, without injecting code in the memory or interacting
with protected services such as the Local Security Authority Subsystem Service
(LSASS). These hashes can then be cracked or subsequently used in a Pass-The-Hash
(PTH) attack.
This technique allows a tester to obtain credentials from the system without touching the
LSASS process. The attack takes advantage of the NetNTLMv1 challenge-response
protocol. The NetNTLMv1 protocol is insecure due to the way it calculates the challenge-
response allowing an attacker to retrieve the NTLM hash by easily cracking the
response. Furthermore, retrieving the NTLM hash of a user is almost synonymous to
retrieving the plaintext password of a user, since it can be used for a ‘Pass the Hash’
attack technique or can be cracked to obtain the plaintext password.
Although most modern systems are configured by default to avoid using NetNTLMv1,
because the attacker is a local administrator of the system, a NetNTLM downgrade
attack can be performed to enable this weaker authentication scheme (this is what
changing LMCompatibilityLevel, NTLMMinClientSec and RestrictSendingNTLMTraffic in the
question does). This disables the preventive controls for NetNTLMv1. The attacker can
then retrieve the non-network logon tokens from the running processes and impersonate
the associated user.
Using the impersonated user's privileges, the attacker can invoke a local procedure call
to the NTLM authentication package MSV1_0, via SSPI (the Windows Security Support
Provider Interface), to encrypt a known challenge. This will generate a NetNTLMv1
response for that challenge using the impersonated user’s NTLM hash as a key. Now,
due to the weakness in the NetNTLMv1 challenge-response protocol, the tester can
easily extract the NTLM hash by cracking this response and perform a ‘Pass the Hash’
attack.
Incorrect answers:
Dictionary attack https://en.wikipedia.org/wiki/Dictionary_attack
A dictionary attack is a form of brute force attack used for defeating a cipher or
authentication mechanism by trying to determine its decryption key or passphrase by
trying thousands or millions of likely possibilities, such as words in a dictionary or
previously used passwords, often from lists obtained from past security breaches.
Rainbow table attack https://en.wikipedia.org/wiki/Rainbow_table
A rainbow table is a precomputed table for caching the output of cryptographic hash
functions, usually for cracking password hashes. Tables are usually used in recovering a
key derivation function (or credit card numbers, etc.) up to a certain length consisting of
a limited set of characters. It is a practical example of a space–time tradeoff, using less
computer processing time and more storage than a brute-force attack which calculates a
hash on every attempt, but more processing time and less storage than a simple key
derivation function with one entry per hash. Use of a key derivation that employs a salt
makes this attack infeasible.
Phishing attack https://en.wikipedia.org/wiki/Phishing
Phishing is a type of social engineering where an attacker sends a fraudulent (“spoofed“)
message designed to trick a human victim into revealing sensitive information to the
attacker or to deploy malicious software on the victim‘s infrastructure like ransomware.
Phishing attacks have become increasingly sophisticated and often transparently mirror
the site being targeted, allowing the attacker to observe everything while the victim is
navigating the site, and transverse any additional security boundaries with the victim. As
of 2020, phishing is by far the most common attack performed by cyber-criminals, with
the FBI‘s Internet Crime Complaint Centre recording over twice as many incidents of
phishing than any other type of computer crime.
What is NTLMv1 used for?
Kerberos, NTLMv1, and NTLMv2 are three authentication protocols. These protocols
aim to enhance security, especially in the Active Directory environment.
Authentication protocols are popular attack vectors. They can help attackers gain
access and elevate privileges.

What is the problem with NTLM v1?


NTLMv1 lacks a client challenge – in case of an attack on NTLMv1, the attacker can
force the client to calculate NTLMv1 Response with a known server challenge. Then,
the attacker can efficiently guess the user's password by checking the NTLMv1
response against a rainbow table.

https://github.com/eladshamir/Internal-Monologue (most important link)
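An added example, not from the Internal-Monologue repository, that makes the structural weakness described above concrete. NetNTLMv1 answers the 8-byte server challenge with DES(K1, C) || DES(K2, C) || DES(K3, C), where K1, K2 and K3 are 7-byte slices of the 16-byte NT hash padded with five zero bytes. The block implements only that key derivation (including the 7-to-8-byte expansion with odd parity that DES expects), not DES itself. The point it makes runnable: K3 carries just two bytes of hash, so from a response to a known challenge an attacker recovers hash bytes 14 and 15 with at most 65,536 DES trials, and the other 14 bytes fall to two independent 56-bit searches (or precomputed tables) rather than one 128-bit one.

```python
def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits per byte, then set DES odd parity in each LSB."""
    if len(key7) != 7:
        raise ValueError("DES key material must be 7 bytes")
    k = key7
    sevens = [
        k[0] >> 1,
        ((k[0] & 0x01) << 6) | (k[1] >> 2),
        ((k[1] & 0x03) << 5) | (k[2] >> 3),
        ((k[2] & 0x07) << 4) | (k[3] >> 4),
        ((k[3] & 0x0F) << 3) | (k[4] >> 5),
        ((k[4] & 0x1F) << 2) | (k[5] >> 6),
        ((k[5] & 0x3F) << 1) | (k[6] >> 7),
        k[6] & 0x7F,
    ]
    out = bytearray()
    for bits in sevens:
        byte = bits << 1                      # the parity bit lives in the LSB
        if bin(byte).count("1") % 2 == 0:     # odd parity: make the number of 1 bits odd
            byte |= 1
        out.append(byte)
    return bytes(out)


def netntlmv1_des_keys(nt_hash: bytes) -> list:
    """The three DES keys NetNTLMv1 derives from the NT hash (MD4 of the UTF-16LE password)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash is 16 bytes")
    padded = nt_hash + b"\x00" * 5            # 21 bytes = 3 x 7; K3 is hash[14:16] plus zeros
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]


def third_key_candidates():
    """Every possible K3: only hash bytes 14 and 15 vary; the rest of K3 is fixed zero padding."""
    for b14 in range(256):
        for b15 in range(256):
            tail = bytes([b14, b15])
            yield tail, expand_des_key(tail + b"\x00" * 5)


if __name__ == "__main__":
    for i, key in enumerate(netntlmv1_des_keys(bytes(range(16))), 1):
        print(f"K{i} = {key.hex()}")
    print("K3 candidates:", sum(1 for _ in third_key_candidates()))
```

Because the first key is reused across every challenge, tooling that fixes the challenge to a known constant (as the Internal Monologue technique does) can answer the remaining 112 bits with lookup tables instead of live brute force; NetNTLMv2 removes this by mixing a client nonce into an HMAC-MD5 construction.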

19. Question
This attack exploits a feature that adds routing information to the SOAP header to
support asynchronous communication, and which also allows web-service request and
response messages to be transmitted over different TCP connections.
Which of the following attacks matches the description above?

 WS-Address spoofing

 Soap Array Attack

 XML Flooding
 SOAPAction spoofing
Correct

https://www.ws-attacks.org/WS-Addressing_spoofing
The WS-Addressing standard allows routing information to be added to the SOAP
header, enabling asynchronous communication.
WS-Address spoofing – Generic
The generic definition describes the following scenario: an attacker sends a SOAP
message containing WS-Addressing information to a web service server. The callback
element does not contain the attacker's address but that of a web service client the
attacker has chosen to receive the message. This results in unwanted traffic (SOAP
messages) for the receiving web service client. Depending on the amount of traffic, DoS
scenarios are possible; other attack scenarios are possible too.
WS-Address spoofing – BPEL Rollback
This subtype requires the existence of some sort of BPEL engine. Let's assume that an
attacker sends SOAP messages to a web service, resulting in the creation of new BPEL
process instances. Each SOAP message contains a WS-Addressing callback element with
an invalid callback endpoint. After the SOAP message has been processed by the BPEL
engine, the engine tries to call the endpoint defined in that element. This results in
some form of error response, such as refused connections or SOAP faults, which in turn
is processed by the BPEL engine.
If a BPEL engine is flooded with many SOAP messages of this kind, a high workload for
the BPEL engine results; in the worst case, a DoS.
This kind of flooding attack is far more devastating than a regular flood, since one
message results in multiple actions/web service calls made by the BPEL engine, and the
attack only becomes visible once all stages of the BPEL engine have been run through.
Incorrect answers:
SOAPAction spoofing https://www.ws-attacks.org/SOAPAction_Spoofing
Each web service request contains some sort of operation that is later executed by the
application logic. This operation can be found in the first child element of the SOAP
Body. However, if HTTP is used to transport the SOAP message the SOAP standard
allows the use of an additional HTTP header element called SOAPAction. This header
element contains the name of the executed operation. It is supposed to inform the
receiving web service of what operation is contained in the SOAP Body, without having
to do any XML parsing.
This "optimisation" can be used by an attacker to mount an attack, since certain web
service frameworks determine the operation to be executed solely from the information
contained in the SOAPAction attribute.
XML Flooding https://www.ws-attacks.org/XML_Flooding
XML Flooding (also known XML Flood) aims at exhausting the resources of a web
service by sending a large number of legitimate SOAP Messages. This attack can be
compared to the classical denial of service attack on web servers by flooding them with
a large amount of valid HTTP requests until the server is unable to respond.
Soap Array Attack https://www.ws-attacks.org/Soap_Array_Attack
SOAP messages are flexible in many ways; even arrays are supported. If you are new
to SOAP arrays, check the documentation by the W3C.
However, this feature can be exploited by an attacker to cause a denial of service and
limit the web service's availability.
Before a SOAP array is used, its size has to be declared, just as in many other
programming languages. By default, SOAP doesn't limit the number of elements within
an array. An attacker can exploit this to execute a DoS attack: suppose the attacker
declares an array with 1,000,000,000 String elements. Before the message is processed
any further by the parser, the web service reserves space for 1,000,000,000 String
elements in RAM. In most cases that leads to memory exhaustion of the attacked system.
What is the use of WS addressing?
WS-Addressing provides a uniform addressing method for SOAP messages
traveling over synchronous and/or asynchronous transports. Additionally, it provides
addressing features to help web service developers build applications around a
variety of messaging patterns beyond the typical exchange of requests and
responses.
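An added example, not from ws-attacks.org, of the check a service should perform before honouring WS-Addressing callbacks: extract ReplyTo, FaultTo and From from the SOAP header and accept only the anonymous URI or an https URL to an allowlisted host, rejecting anything that points at internal address space. The SOAP message and the allowlist (ALLOWED_CALLBACK_HOSTS) are constructed for the example; the namespace URIs are the real WS-Addressing 1.0 and SOAP 1.2 ones.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSA_ANONYMOUS = WSA + "/anonymous"   # "reply on the requesting connection": the safe default

# Assumed allowlist of hosts this service is permitted to call back; adjust per deployment.
ALLOWED_CALLBACK_HOSTS = {"partner.example.com"}

# Constructed spoofed request: ReplyTo targets an unrelated third party, FaultTo an internal host.
SPOOFED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}">
  <soap:Header>
    <wsa:MessageID>urn:uuid:0f1e2d3c</wsa:MessageID>
    <wsa:To>https://orders.example.com/PurchaseService</wsa:To>
    <wsa:Action>https://orders.example.com/PurchaseService/Order</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://victim.example.net:8080/callback</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://10.0.0.5/admin</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body><Order><Item>42</Item></Order></soap:Body>
</soap:Envelope>"""


def extract_callback_addresses(xml_text: str) -> dict:
    """Collect every WS-Addressing endpoint the engine would call back (ReplyTo, FaultTo, From)."""
    root = ET.fromstring(xml_text)          # stdlib ElementTree does not fetch external entities
    header = root.find(f"{{{SOAP}}}Header")
    found = {}
    if header is None:
        return found
    for name in ("ReplyTo", "FaultTo", "From"):
        addr = header.find(f"{{{WSA}}}{name}/{{{WSA}}}Address")
        if addr is not None and addr.text:
            found[name] = addr.text.strip()
    return found


def check_callback(url: str):
    """Accept the anonymous URI, or an https URL to an allowlisted host; reject everything else."""
    if url == WSA_ANONYMOUS:
        return True, "anonymous: reply goes back on the requesting connection"
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return False, "callback into internal address space"
    except ValueError:
        pass  # a hostname, not a literal IP
    if host not in ALLOWED_CALLBACK_HOSTS:
        return False, f"host {host!r} not in callback allowlist"
    return True, "ok"


def vet_request(xml_text: str) -> dict:
    """Map each callback element to (accepted, reason); drop the message if any entry is False."""
    return {name: check_callback(url) for name, url in extract_callback_addresses(xml_text).items()}


if __name__ == "__main__":
    for element, verdict in vet_request(SPOOFED_REQUEST).items():
        print(element, verdict)
```

Doing this at the message boundary, before a BPEL instance is created, is what stops the rollback variant: a rejected callback costs one parse rather than a full process run plus a failed outbound call.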

20. Question
Your company started working with a cloud service provider, and after a while, they were
disappointed with their service and wanted to move to another CSP.
Which of the following can become a problem when changing to a new CSP?

 Virtualization

 Lock-up

 Lock-in
 Lock-down
Correct

https://jaychapel.medium.com/how-much-should-enterprises-worry-about-vendor-lock-in-
in-public-cloud-5029bf40fffa
The vendor lock-in problem in cloud computing is the situation where customers are
dependent (i.e. locked-in) on a single cloud service provider (CSP) technology
implementation and cannot easily move to a different vendor without substantial costs or
technical incompatibilities.
Types of vendor lock-in risks
The issue with vendor lock-in is the difficulty in moving to another cloud service provider
if something goes awry. You hope that this never has to happen, but it’s a possibility.
There are four primary lock-in risks that you’ll take working with a single cloud provider.
These include:
1. Data transfer risk
2. Application transfer risk
3. Infrastructure transfer risk
4. Human resource knowledge risk
Data transfer risk
It is not easy to move your data from one CSP to another.
A myriad of questions will arise during a data migration process, such as:
1. Who is responsible for extracting the data from the cloud databases and data
warehouses?
2. In what format will the data be? Will that format work with the new cloud provider, or
will significant changes need to be made to the data?
3. How can the data be transferred without loss of application functionality?
4. How long will it take and how much will it cost to move all of this data?
While some industry groups have tried to create standards for data interchange,
sometimes it’s difficult for companies to implement them due to their unique business
requirements.
Application transfer risk
If you build an application on one CSP that leverages many of its offerings, the
reconfiguration of this application to run natively on another provider can be an
extremely expensive and difficult process.
For instance, let’s say you’ve developed a business intelligence platform on Microsoft
Azure. You leverage basic cloud services like compute, storage, databases, and
networking. But the app also includes Azure’s machine learning, data lake analytics, and
bot services.
Can you imagine all the changes you’ll have to make to your application if you had to
move this to another CSP?
One reason for this difficulty is a lack of standard interfaces and open APIs. Every CSP
has their own proprietary specifications and standards, which make it very tough to
move from one to another.
Another reason is that technology and customer needs change so rapidly.
You know first hand that your customers and partners continuously demand changes
and improvements to your product. The faster that you add and edit features of your
cloud-native application, the deeper entrenched you get with your CSP, and the tougher
it will be to move to another cloud vendor.
Infrastructure transfer risk
Every major CSP does things a little bit differently.
Virtual machine formats and their associated pricing vary from vendor to vendor, making
it difficult to ensure that you have the appropriate resource usage and cost savings if you
switch providers.
Database offerings and formats may differ as well.
And one cloud provider may have more attractive offerings in certain infrastructure
components, while lacking in other services that you may need.
These differences in the underlying infrastructure result in difficulties moving from one
cloud service provider to another.
Human resource knowledge risk
If you’ve been working with a single CSP, your IT team has likely gained a lot of
institutional knowledge about that provider’s tools and configurations.
If you have to move your applications to another CSP, it will take time for your engineers
to ramp up their knowledge of the new cloud platform. They’ll have to learn about new
infrastructure formats, implementation processes, and more.
Additionally, any newly required certifications will take a long time to earn.
The knowledge risk is a factor that isn’t often thought about but is just as important as
the risks highlighted above.
21. Question
In which of the following cloud service models do you take full responsibility for the
maintenance of the cloud-based resources?

 SaaS

 PaaS

 BaaS
 IaaS
Correct

https://www.intel.ru/content/www/ru/ru/cloud-computing/as-a-service.html
IaaS (Infrastructure as a service)
IaaS is on-demand access to cloud-hosted computing infrastructure – servers, storage
capacity, and networking resources – that customers can provision, configure and use in
much the same way as they use on-premises hardware. The difference is that the cloud
service provider hosts, manages and maintains the hardware and computing resources
in its own data centers. IaaS customers use the hardware via an internet connection and
pay for that use on a subscription or pay-as-you-go basis.
PaaS (Platform as a service)
PaaS provides a cloud-based platform for developing, running and managing applications.
The cloud services provider hosts, manages and maintains all the hardware and
software included in the platform – servers (for development, testing and deployment),
operating system (OS) software, storage, networking, databases, middleware, runtimes,
frameworks, development tools – as well as related services for security, operating
system and software upgrades, backups and more.
SaaS (Software as a service)
SaaS is cloud-hosted, ready-to-use application software. Users pay a monthly or annual
fee to use a complete application from within a web browser, desktop client, or mobile
app. The application and all of the infrastructure required to deliver it – servers, storage,
networking, middleware, application software, data storage – are hosted and managed
by the SaaS vendor.
BaaS (Backend as a Service)
BaaS takes care of all the backend services of an application, and the developers can
focus only on writing and maintaining the frontend side of the application. It provides
backend services like database management, user authentication, cloud storage,
hosting on the cloud, push notifications, etc.
22. Question
You need to hide the file in the Linux system. Which of the following characters will you
type at the beginning of the filename?

 ~ (Tilde)

 _ (Underscore)

 ! (Exclamation mark)
 . (Period)
Correct

https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory
Linux hides files and folders that have a period at the start of their name. To hide a file or
folder, rename it and place a period at the start of the filename.
23. Question
John, a black hat hacker, is trying to perform SMTP enumeration. What useful information
can John gather during Simple Mail Transfer Protocol (SMTP) enumeration?

 He can find information about the daily outgoing message limits before
mailboxes are locked.

 He can receive a list of all mail proxy server addresses used by the
company.

 He can use the internal command RCPT to obtain a list of open ports.
 He can use two internal commands VRFY and EXPN, which provide
information about valid users, email addresses, etc.
Correct

https://info-savvy.com/what-is-enumeration/
SMTP is a service that can be found in most infrastructure penetration tests. This service
can help the penetration tester to perform username enumeration via the EXPN and
VRFY commands if these commands have not been disabled by the system
administrator.
The role of the EXPN command is to reveal the actual addresses behind user aliases and
mailing lists, while VRFY confirms whether a given user name is valid.
SMTP enumeration can be performed manually through utilities like telnet and netcat, or
automatically via tools such as Metasploit, Nmap (the smtp-enum-users script) and
smtp-user-enum.
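An added example (not from the cited page) of the VRFY/EXPN exchange in Python. FakeMta is a constructed stand-in for the target server so the logic runs offline; tcp_sender is the real transport for use against a host you are authorised to test, and it is not exercised here. Reply codes follow RFC 5321: 250/251 valid, 550 unknown user, 252 the server declines to verify, 502 the command is disabled (the hardened configuration).

```python
import re
import socket

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(line: str):
    """Split '250 2.1.5 alice <alice@...>' into (250, '2.1.5 alice <alice@...>')."""
    m = REPLY.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(m.group(1)), m.group(3)


def classify(code: int) -> str:
    """RFC 5321 reply codes for VRFY/EXPN as an enumerator interprets them."""
    if code in (250, 251):
        return "valid"
    if code == 252:
        return "unknown"          # server will not verify but would accept mail
    if code in (550, 551, 553):
        return "invalid"
    if code in (500, 502):
        return "command disabled"
    return f"other {code}"


def read_reply(fp) -> list:
    """Read one possibly multi-line reply; the last line has a space after the code."""
    lines = []
    while True:
        line = fp.readline()
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":
            break
    return lines


def tcp_sender(host: str, port: int = 25, timeout: float = 5.0):
    """Real transport: returns send(cmd) -> reply lines. Not exercised offline."""
    sock = socket.create_connection((host, port), timeout=timeout)
    fp = sock.makefile("rw", encoding="ascii", errors="replace", newline="\r\n")
    read_reply(fp)  # banner

    def send(cmd: str) -> list:
        fp.write(cmd + "\r\n")
        fp.flush()
        return read_reply(fp)
    return send


class FakeMta:
    """Constructed stand-in for the target's MTA so the enumeration logic runs offline."""
    USERS = {"root": "root <root@mail.example.com>", "alice": "Alice <alice@mail.example.com>"}
    LISTS = {"staff": ["alice@mail.example.com", "bob@mail.example.com"]}

    def __init__(self, vrfy_enabled: bool = True):
        self.vrfy_enabled = vrfy_enabled
        self.log = []

    def send(self, cmd: str) -> list:
        self.log.append(cmd)
        verb, _, arg = cmd.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return ["250 mail.example.com"]
        if verb in ("VRFY", "EXPN") and not self.vrfy_enabled:
            return [f"502 5.5.1 {verb} command is disabled"]
        if verb == "VRFY":
            if arg in self.USERS:
                return [f"250 2.1.5 {self.USERS[arg]}"]
            return [f"550 5.1.1 {arg}... User unknown"]
        if verb == "EXPN":
            if arg not in self.LISTS:
                return ["550 5.1.1 Unknown list"]
            members = self.LISTS[arg]
            return [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.1 Command unrecognized"]


def enumerate_users(send, candidates) -> dict:
    """VRFY each candidate; returns name -> (classification, server text)."""
    send("HELO scanner.example")
    results = {}
    for name in candidates:
        code, text = parse_reply(send(f"VRFY {name}")[-1])
        results[name] = (classify(code), text)
    send("QUIT")
    return results


def expand_list(send, name: str) -> list:
    """EXPN a list or alias; every 250 line carries one member."""
    lines = send(f"EXPN {name}")
    if parse_reply(lines[-1])[0] != 250:
        return []
    return [parse_reply(line)[1] for line in lines]
```

Where VRFY and EXPN are disabled, the fallback enumerators use is RCPT TO inside a MAIL FROM transaction, which many servers still answer differently for valid and invalid recipients; the fix on the server side is to return a uniform response rather than to rely on disabling the two commands alone.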
24. Question
John sends an email to his colleague Angela and wants to ensure that the message will
not be changed during the delivery process. He creates a checksum of the message and
encrypts it using asymmetric cryptography. What key did John use to encrypt the
checksum?

 His own private key.

 Angela‘s public key.

 Angela‘s private key


 His own public key.
Correct

https://en.wikipedia.org/wiki/Public-key_cryptography
A slightly tricky question; read the sentence carefully: "He creates a checksum of the
message and encrypts it using asymmetric cryptography". The answer key reads this as
John encrypting something (here, the checksum) for Angela, which only she can decrypt
with her private key. Be aware, though, that encrypting the checksum with Angela's public
key gives it confidentiality, not integrity: anyone who alters the message can recompute
the checksum and encrypt it with Angela's public key, since that key is public, and Angela
has no way to tell who produced it. The standard way to ensure a message is not changed
in transit (a digital signature) is for John to encrypt the hash with his own private key;
anyone holding his public key can then verify it, and only he could have produced it.
Public-key cryptography, or asymmetric cryptography, is a cryptographic system that
uses pairs of keys. Each pair consists of a public key (which may be known to others)
and a private key (which may not be known by anyone except the owner). The
generation of such key pairs depends on cryptographic algorithms which are based on
mathematical problems termed one-way functions. Effective security requires keeping
the private key private; the public key can be openly distributed without compromising
security. In such a system, any person can encrypt a message using the intended
receiver‘s public key, but that encrypted message can only be decrypted with the
receiver‘s private key. This allows, for instance, a server program to generate a
cryptographic key intended for a suitable symmetric-key cryptography, then to use a
client‘s openly-shared public key to encrypt that newly generated symmetric key. The
server can then send this encrypted symmetric key over an insecure channel to the
client; only the client can decrypt it using the client‘s private key (which pairs with the
public key used by the server to encrypt the message). With the client and server both
having the same symmetric key, they can safely use symmetric key encryption (likely
much faster) to communicate over otherwise-insecure channels. This scheme has the
advantage of not having to manually pre-share symmetric keys (a fundamentally difficult
problem) while gaining the higher data throughput advantage of symmetric-key
cryptography.
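An added worked example, written for this page rather than taken from it, contrasting the two constructions with toy textbook RSA in Python (standard library only; the fixed Mersenne primes and the unpadded hash are constructed for illustration and are not secure). sign/verify is the digital signature: the hash encrypted with John's private key. seal_checksum/recipient_check is the quiz's reading: the hash encrypted with Angela's public key. demo() shows that the first catches a tampered message and the second does not.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: returns ((e, n), (d, n)) = (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


# Constructed toy keys (assumed primes 2^61-1, 2^31-1, 2^19-1, 2^17-1; far too small for real use).
JOHN_PUB, JOHN_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
ANGELA_PUB, ANGELA_PRIV = make_keypair(2**19 - 1, 2**17 - 1)


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced into the modulus: the 'checksum' of the question."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: the hash is transformed with the SENDER's private key."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the sender's public key can check it; only the private key could have made it."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


def seal_checksum(message: bytes, recipient_public_key) -> int:
    """The quiz's reading: hash encrypted with the RECIPIENT's public key (confidential, not authentic)."""
    e, n = recipient_public_key
    return pow(digest(message, n), e, n)


def recipient_check(message: bytes, sealed: int, recipient_private_key) -> bool:
    d, n = recipient_private_key
    return pow(sealed, d, n) == digest(message, n)


def demo() -> dict:
    original = b"Angela, please wire 100 to account 1234"
    tampered = b"Angela, please wire 9000 to account 6666"
    # Signature path: Mallory can alter the message but cannot re-sign it without JOHN_PRIV.
    sig = sign(original, JOHN_PRIV)
    # Sealed-checksum path: the key Mallory needs is Angela's PUBLIC key, so a forged
    # checksum for the tampered message passes Angela's check.
    sealed_forgery = seal_checksum(tampered, ANGELA_PUB)
    return {
        "signature_ok": verify(original, sig, JOHN_PUB),
        "signature_detects_tampering": not verify(tampered, sig, JOHN_PUB),
        "sealed_checksum_detects_tampering": not recipient_check(tampered, sealed_forgery, ANGELA_PRIV),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice the hash is never exponentiated raw: real signatures use PKCS#1 v1.5 or PSS padding over a proper key size, and combining a signature with encryption of the message under Angela's public key gives both properties at once.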
25. Question
Which of the following is a rootkit that adds additional code or replaces portions of the
core operating system to obscure a backdoor on a system?

 User-mode rootkit.

 Hypervisor-level rootkit.

 Application-level Rootkit.
 Kernel-level rootkit.
Correct

https://en.wikipedia.org/wiki/Rootkit
Kernel-Level rootkit: Kernel is the core of the Operating System and Kernel Level
Rootkits are created by adding additional code or replacing portions of the core
operating system, with modified code via device drivers (in Windows) or Loadable Kernel
Modules (Linux). Kernel Level Rootkits can have a serious effect on the stability of the
system if the kit’s code contains bugs. Kernel rootkits are difficult to detect because they
have the same privileges of the Operating System, and therefore they can intercept or
subvert operating system operations.
Incorrect answers:
Application-level rootkit: Application-level rootkits operate inside the victim computer by
changing standard application files with rootkit files, or changing the behaviour of
present applications with patches, injected code etc.
Hypervisor-Level rootkit: Hypervisor (Virtualized) Level Rootkits are created by exploiting
hardware features such as Intel VT or AMD-V (Hardware-assisted virtualization
technologies). Hypervisor level rootkits hosts the target operating system as a virtual
machine and therefore they can intercept all hardware calls made by the target operating
system.
User-mode rootkit: User-mode rootkits run along with other applications as user, rather
than low-level system processes. They have a number of possible installation vectors to
intercept and modify the standard behavior of application programming interfaces (APIs).
Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file
on Mac OS X) into other processes, and are thereby able to execute inside any target
process to spoof it; others with sufficient privileges simply overwrite the memory of a
target application.
26. Question
Which antenna is commonly used in communications for a frequency band of 10 MHz to
VHF and UHF?

 Yagi antenna

 Omnidirectional antenna

 Dipole antenna
 Parabolic grid antenna
Incorrect

https://en.wikipedia.org/wiki/Yagi%E2%80%93Uda_antenna
A Yagi–Uda antenna or simply Yagi antenna, is a directional antenna consisting of two
or more parallel resonant antenna elements in an end-fire array; these elements are
most often metal rods acting as half-wave dipoles. Yagi–Uda antennas consist of a
single driven element connected to a radio transmitter and/or receiver through a
transmission line, and additional “parasitic elements” with no electrical connection,
usually including one so-called reflector and any number of directors. It was invented in
1926 by Shintaro Uda of Tohoku Imperial University, Japan, with a lesser role played by
his colleague Hidetsugu Yagi.
Reflector elements (usually only one is used) are slightly longer than the driven dipole
and placed behind the driven element, opposite the direction of intended transmission.
Directors, on the other hand, are a little shorter and placed in front of the driven element
in the intended direction. These parasitic elements are typically off-tuned short-circuited
dipole elements, that is, instead of a break at the feedpoint (like the driven element) a
solid rod is used. They receive and reradiate the radio waves from the driven element
but in a different phase determined by their exact lengths. Their effect is to modify the
driven element’s radiation pattern. The waves from the multiple elements superpose and
interfere to enhance radiation in a single direction, increasing the antenna’s gain in that
direction.
Also called a beam antenna and parasitic array, the Yagi is very widely used as a high-
gain antenna on the HF, VHF and UHF bands. It has moderate to high gain depending
on the number of elements present, sometimes reaching as high as 20 dBi, in a
unidirectional beam pattern. As an end-fire array, it can achieve a front-to-back ratio of
up to 20 dB. It retains the polarization common to its elements, usually linear polarization
(its elements being half-wave dipoles). It is relatively lightweight, inexpensive and simple
to construct. The bandwidth of a Yagi antenna, the frequency range over which it
maintains its gain and feedpoint impedance, is narrow, just a few percent of the center
frequency, decreasing for models with higher gain, making it ideal for fixed-frequency
applications. The largest and best-known use is as rooftop terrestrial television
antennas, but it is also used for point-to-point fixed communication links, in radar
antennas, and for long distance shortwave communication by shortwave broadcasting
stations and radio amateurs.

The Yagi is very widely used as a high-gain antenna on the HF, VHF and UHF bands.

27. Question
You want to prevent possible SQLi attacks on your site. To do this, you decide to use a
practice whereby only a list of entities such as the data type, range, size, and value,
which have been approved for secured access, is accepted.
Which of the following practices are you going to adopt?

 Output encoding.

 Whitelist validation.

 Enforce least privileges.

 Blacklist validation.
Incorrect

According to EC-Council courseware:

Whitelist validation
Whitelist validation is a best practice whereby only the list of entities (i.e., data type,
range, size, value, etc.) that have been approved for secured access is accepted.
Whitelist validation can also be termed as positive validation or inclusion.
Blacklist Validation
Blacklist validation rejects all malicious inputs that have been disapproved for protected
access. Blacklist validation can be challenging, as every piece of content and every
character of an attack must be interpreted, understood, and anticipated, for future
attacks as well. Blacklist validation can also be termed negative validation or exclusion.
Output Encoding
Output encoding is a validation technique that can be used after input validation. This
technique is used to encode the input to ensure that it is properly sanitized before
passing it to the database.
Enforcing Least Privileges
Enforcing least privileges is a security best practice whereby the lowest level of
privileges is assigned to every account accessing the database. It is recommended not
to assign DBA level and administrator-level access rights to the application. In some
critical situations, some applications may require elevated access rights; hence, proper
groundwork should be done by the security professionals and they should also figure out
the exact requirements of the application.
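As an added example (not from the courseware or this practice set), here is whitelist validation applied to the inputs of a database lookup, with the field names, rules and sample table constructed for illustration; each field is checked for data type, range, size or allowed value, and the validated values are then bound as query parameters rather than concatenated into SQL.

```python
import re
import sqlite3

# Whitelist (positive) rules for the fields a lookup endpoint accepts: data type,
# range, size and allowed values. Field names and rules are constructed for this example.
RULES = {
    "account_id": {"type": int, "min": 1, "max": 999_999},            # type + range
    "username": {"type": str, "max_len": 32,                           # size + charset
                 "pattern": re.compile(r"^[A-Za-z0-9_]{3,32}$")},
    "status": {"type": str, "allowed": {"active", "suspended", "closed"}},  # fixed set
}


class ValidationError(ValueError):
    """Raised when an input fails its whitelist rule."""


def validate(field, raw):
    """Return the coerced value if `raw` satisfies the whitelist rule for `field`."""
    if field not in RULES:
        raise ValidationError(f"unknown field {field!r}")
    rule = RULES[field]
    if rule["type"] is int:
        if not re.fullmatch(r"-?\d+", raw):          # anything but digits is rejected
            raise ValidationError(f"{field}: not an integer")
        value = int(raw)
        if not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{field}: out of range")
        return value
    if "max_len" in rule and len(raw) > rule["max_len"]:
        raise ValidationError(f"{field}: too long")
    if "pattern" in rule and not rule["pattern"].match(raw):
        raise ValidationError(f"{field}: disallowed characters")
    if "allowed" in rule and raw not in rule["allowed"]:
        raise ValidationError(f"{field}: value not in allowed set")
    return raw


def is_rejected(field, raw):
    """True when `raw` fails the whitelist rule for `field`."""
    try:
        validate(field, raw)
    except ValidationError:
        return True
    return False


def lookup_account(conn, account_id_raw, status_raw):
    """Validate first, then query with bound parameters (defence in depth)."""
    account_id = validate("account_id", account_id_raw)
    status = validate("status", status_raw)
    cur = conn.execute("SELECT username FROM accounts WHERE id = ? AND status = ?",
                       (account_id, status))
    return [row[0] for row in cur.fetchall()]


def demo_db():
    # In-memory SQLite table with constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, status TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", "active"), (2, "bob", "suspended")])
    return conn
```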

28. Question
Which of the following is an automated tool that eases a tester’s work by performing
vulnerability scanning to find hosts, services, and other vulnerabilities on the target
server?

 Infoga

 Netsparker

 NCollector Studio

 WebCopier Pro
Correct
https://www.netsparker.com/support/what-is-netsparker/
Netsparker is an automated, yet fully configurable, web application security scanner
that enables you to scan websites, web applications, and web services, and identify
security flaws. Netsparker can scan all types of web applications, regardless of the
platform or the language with which they are built.
Netsparker is the only online web application security scanner that automatically
exploits identified vulnerabilities in a read-only and safe way, in order to confirm
identified issues.
It also presents proof of the vulnerability so that you do not need to waste time
manually verifying it. For example, in the case of a detected SQL injection
vulnerability, it will show the database name as the proof of exploit.
Incorrect answers:
Infoga https://github.com/m4ll0k/Infoga
Infoga is a tool that gathers information about email accounts (IP, hostname, country, …)
from different public sources (search engines, PGP key servers and Shodan) and checks
whether the emails were leaked, using the haveibeenpwned.com API.
NCollector Studio
NCollector Studio is an all-in-one offline browser and website ripper/crawler aimed at home
users and professionals who need to download specific files from a website, or full
websites, for offline browsing.
WebCopier Pro
WebCopier Pro allows saving complete copies of your favorite sites, magazines, or stock
quotes. Companies can transfer their intranet contents to staff computers, create a copy
of companies’ online catalogs and brochures for sales personnel, back up corporate web
sites, and print downloaded files.
29. Question
Identify the technique for securing cloud resources that is described below:
This technique assumes by default that a user attempting to access the network is not
an authentic entity and verifies every incoming connection before allowing access to the
network. When this technique is used, conditions are imposed such that employees can
access only the resources required for their role.

 Container technology

 Serverless computing

 Zero trust network

 DMZ
Incorrect

https://en.wikipedia.org/wiki/Zero_trust_security_model
Zero Trust Network Access (ZTNA) is a category of technologies that provides
secure remote access to applications and services based on defined access control
policies. Unlike VPNs, which grant complete access to a LAN, ZTNA solutions
default to deny, providing only the access to services the user has been explicitly
granted.
Incorrect answers:
DMZ https://en.wikipedia.org/wiki/DMZ_(computing)
DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened
subnet) is a physical or logical subnetwork that contains and exposes an organization’s
external-facing services to an untrusted, usually larger, network such as the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization’s local
area network (LAN): an external network node can access only what is exposed in the
DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a
small, isolated network positioned between the Internet and the private network.
Serverless computing https://en.wikipedia.org/wiki/Serverless_computing
Serverless computing is a cloud computing execution model in which the cloud provider
allocates machine resources on demand, taking care of the servers on behalf of their
customers. Serverless computing does not hold resources in volatile memory; computing
is rather done in short bursts with the results persisted to storage. When an app is not in
use, there are no computing resources allocated to the app. Pricing is based on the
actual amount of resources consumed by an application. It can be a form of utility
computing. “Serverless” is a misnomer in the sense that servers are still used by cloud
service providers to execute code for developers.
Container technology
Container technology, also simply known as just a container, is a method to package an
application so it can be run, with its dependencies, isolated from other processes. The
major public cloud computing providers, including Amazon Web Services, Microsoft
Azure and Google Cloud Platform have embraced container technology, with container
software having names including the popular choices of Docker, Apache Mesos, rkt
(pronounced “rocket”), and Kubernetes.
30. Question
Which of the following USB tools is used to copy files from USB devices silently?

 USBSniffer

 USBDumper

 USBSnoopy

 USBGrabber
Correct

https://www.ghacks.net/2006/09/15/how-to-dump-all-usb-files-without-the-user-knowing/
USBDumper runs silently as a background process once started and copies the
complete contents of every connected USB device to the system without the knowledge
of the user. It creates a directory named with the current date and begins the background
copying process. The user has no indication that the files stored on the USB device are
being copied from the USB device to the local system.

USB Sniffer: helps in developing, debugging, testing and analyzing devices and their
drivers that exchange data using USB communication protocols.
USB Grabber: also known as a USB video capture device; it allows you to connect any
analogue video source, e.g., a CCTV camera.
USB Snoopy: a small but very useful utility program that can sniff/monitor USB traffic;
it works like USB Sniffer, but on a smaller scale.
31. Question
Andrew, an evil hacker, researches the website of the company he wants to attack.
During the research, he finds a web page and understands that the company’s
application is potentially vulnerable to Server-Side Includes injection. Which web-page
file type did Andrew find while researching the site?

 .rss

 .html

 .cms

 .stm
Incorrect

https://medium.com/@briskinfosec/server-side-includes-injection-4b2b624393c7
SSIs are directives present on Web applications used to feed an HTML page with
dynamic contents. They are similar to CGIs, except that SSIs are used to execute some
actions before the current page is loaded or while the page is being visualized. In order
to do so, the webserver analyzes SSI before supplying the page to the user.
The Server-Side Includes attack allows the exploitation of a web application by injecting
scripts into HTML pages or executing arbitrary code remotely. It can be exploited through
manipulation of SSI already in use in the application, or by forcing its use through user input fields.
It is possible to check if the application is properly validating input fields data by inserting
characters that are used in SSI directives, like:
< ! # = / . " - > and [a-zA-Z0-9]
Another way to discover if the application is vulnerable is to verify the presence of pages
with extension .stm, .shtm and .shtml. However, the lack of these types of pages does
not mean that the application is protected against SSI attacks.
In any case, the attack will be successful only if the webserver permits SSI execution
without proper validation. This can lead to access and manipulation of file system and
process under the permission of the webserver process owner.

.rss is an XML file that contains structured information; it is also a family of web feed
formats used to publish frequently updated pages such as blogs or news feeds.
.cms manages the data in files and the files placed on disks using a mapping system.

32. Question
Alex was assigned to perform a penetration test against a website using Google dorks.
He needs to get results with file extensions. Which operator should Alex use to achieve
the desired result?

 filetype:

 site:

 inurl:

 define:
Correct

https://ahrefs.com/blog/google-advanced-search-operators/
filetype: Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT,
etc. Note: The “ext:” operator can also be used—the results are identical.
Incorrect answers:
site: If you include [site:] in your query, Google will restrict the results to those websites
in the given domain.
inurl: Find pages with a certain word (or words) in the URL. For this example, any results
containing the word “apple” in the URL will be returned.
define: A dictionary built into Google, basically. This will display the meaning of a word in
a card-like result in the SERPs.
33. Question
You have been instructed to organize the possibility of working remotely for employees.
Their remote connections could be exposed to session hijacking during the work, and
you want to prevent this possibility. You decide to use the technology that creates a safe
and encrypted tunnel over a public network to securely send and receive sensitive
information and prevent hackers from decrypting the data flow between the endpoints.
Which of the following technologies will you use?

 Split tunneling

 DMZ

 Bastion host

 VPN
Correct

https://en.wikipedia.org/wiki/Virtual_private_network
A virtual private network (VPN) extends a private network across a public network and
enables users to send and receive data across shared or public networks as if their
computing devices were directly connected to the private network. The benefits of a VPN
include increases in functionality, security, and management of the private network. It
provides access to resources inaccessible on the public network and is typically used for
telecommuting workers. Encryption is common, although not an inherent part of a VPN
connection. A VPN is created by establishing a virtual point-to-point connection through
the use of dedicated circuits or with tunnelling protocols over existing networks. A VPN
available from the public Internet can provide some of the benefits of a wide area
network (WAN). From a user perspective, the resources available within the private
network can be accessed remotely.
Incorrect answers:
Split tunneling https://en.wikipedia.org/wiki/Split_tunneling
Split tunneling is a computer networking concept which allows a user to access
dissimilar security domains like a public network (e.g., the Internet) and a local LAN or
WAN at the same time, using the same or different network connections. This
connection state is usually facilitated through the simultaneous use of a Local Area
Network (LAN) Network Interface Card (NIC), radio NIC, Wireless Local Area Network
(WLAN) NIC, and VPN client software application without the benefit of access control.
DMZ https://en.wikipedia.org/wiki/DMZ_(computing)
DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened
subnet) is a physical or logical subnetwork that contains and exposes an organization’s
external-facing services to an untrusted, usually larger, network such as the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization’s local
area network (LAN): an external network node can access only what is exposed in the
DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a
small, isolated network positioned between the Internet and the private network.
Bastion host https://en.wikipedia.org/wiki/Bastion_host
A bastion host is a special-purpose computer on a network specifically designed and
configured to withstand attacks. The computer generally hosts a single application or
process, for example, a proxy server or load balancer, and all other services are
removed or limited to reduce the threat to the computer. It is hardened in this manner
primarily due to its location and purpose, which is either on the outside of a firewall or
inside of a demilitarized zone (DMZ) and usually involves access from untrusted
networks or computers. These computers are also equipped with special networking
interfaces to withstand high-bandwidth attacks through the internet.
34. Question
Are you sure your network is perfectly protected and that no evil hacker Ivan is listening to
all your traffic? Well, ignorance is the greatest source of happiness. There is a powerful
tool written in Go that allows an attacker to carry out a man-in-the-middle (MITM)
attack using, for example, ordinary ARP spoofing. What tool are we talking about?

 DerpNSpoof

 Wireshark

 BetterCAP

 Gobbler
Correct

https://www.bettercap.org/
bettercap is a powerful, easily extensible and portable framework written in Go which
aims to offer to security researchers, red teamers and reverse engineers an easy to use,
all-in-one solution with all the features they might possibly need for performing
reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless
HID devices and Ethernet networks.
One of its main features is:
· ARP, DNS, NDP and DHCPv6 spoofers for MITM attacks on IPv4 and IPv6 based
networks.
Incorrect answers:
Wireshark https://www.wireshark.org/
Wireshark is a free and open-source packet analyzer. It is used for network
troubleshooting, analysis, software and communications protocol development, and
education.
DerpNSpoof https://github.com/Trackbool/DerpNSpoof
Simple DNS Spoofing tool made in Python 3 with Scapy.
Gobbler http://gobbler.sourceforge.net/
Spoofed remote OS detection tool.