
What is Google hacking?

In document CEH Prep Guide (Page 26-38)

Google hacking is a computer hacking technique that uses Google search and other Google applications to find security holes in the configuration and computer code that Web sites use. Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results.

Q: Which of the following is a valid Google searching operator that is used to search a specified file type?

a. filetype b. inurl c. file type d. intitle

Explanation: Answer option A is correct.

The filetype Google search operator is used to search for a specified file type. For example, if you want to search all PDF files containing the word hacking, you will use the search query filetype:pdf hacking.

www.trainace.com/security

Answer option B is incorrect. inurl is used to search for specified text in the URL of Web sites.

Answer option C is incorrect. file type is not a valid search operator.

Answer option D is incorrect. intitle is used to search for specified text in the title of Web sites.

12. Q: You want to retrieve the default security report of Nessus. Which of the following Google search queries will you use?

a. filetype:pdf "Assessment Report" nessus

b. filetype:pdf nessus

c. site:pdf nessus "Assessment report"

d. link:pdf nessus "Assessment report"

Explanation: Answer option A is correct.

Nessus is a vulnerability scanner. What techniques do vulnerability scanners use?

a. Port Scanning b. banner grabbing

c. analyzing service responses d. malware analysis

answer: C

One way to defeat a multi-level security solution is to leak data via

A. asymmetric routing.

B. a covert channel.

C. steganography.

D. an overt channel.

answer: B

Administrators access their servers through Remote Desktop. How could a hacker exploit this to gain access?

a. Capture the LANMAN hashes and crack them with Cain and Abel

b. Capture the RDP traffic and decode it with Cain and Abel

c. Use social engineering to get the domain name of the server

d. Scan the server to see what ports are open

answer: B


What is the best defense against privilege escalation vulnerability?

A. Require all computers and servers to be patched immediately upon release of new updates.

B. Run administrator and applications on least privileges and use a content registry for tracking.

C. Run services with least privileged accounts and implement multi-factor authentication.

D. Periodically review user roles and administrator

answer: C

Hardware and software devices have been created to emulate computer services, such as web and mail. These can also be used to capture various kinds of information. What is being described?

a. Core Switch b. Honeypot c. Port Scanner d. Router

answer: B

1. Q: You are the Security Consultant and have been hired to check security for a client's network. Your client has stated that he has many concerns, but the most critical is the security of Web applications on their Web server. What should be your highest priority now in checking his network?

a. Port scanning b. Setting up IDS c. Setting up a honey pot d. Vulnerability scanning

Explanation: Answer option D is correct.

Q: If you want to know what services are running on a target and the possible entry points to launch an attack, what will you do?

a. Nmap scan b. Ping c. Traceroute d. Banner grabbing

Explanation: Answer option A is correct.


In scanning the DMZ interface on a firewall, Nmap reports that port 80 is unfiltered. What type of packet inspection is the firewall using?

a. Stateless b. Proxy c. Deep d. Stateful

answer: A

Which of the following are detective controls? (Choose 2)

a. audits b. encryption c. DRP d. CCTV e. two-factor authentication

answer: A and D

IPSec provides which of the following?

a. availability b. non-repudiation c. anti-virus protection d. DDOS protection

answer: B

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

A. The IDS will not distinguish among packets originating from different sources.

B. An attacker, working slowly enough, may be able to evade detection by the IDS.


C. Network packets will be dropped once the volume exceeds the threshold.

D. Thresholding disables the IDS’ ability to reassemble fragmented packets.

answer: A

Q: Which of the following netcat command switches will you use to telnet a remote host?

a. nc -t b. nc -z c. nc -g d. nc -l -p

Explanation: Answer option A is correct.

Netcat is a freely available networking utility that reads and writes data across network connections using the TCP/IP protocol. Netcat has the following features:

• It provides outbound and inbound connections for TCP and UDP ports.

• It provides special tunneling, such as UDP to TCP, with the possibility of specifying all network parameters.

• It is a good port scanner.

• It contains advanced usage options, such as buffered send-mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data.

• It includes an optional RFC 854 Telnet code parser and responder.

The common Netcat switches are as follows:

Command            Description
nc -d              Detaches Netcat from the console.
nc -l -p [port]    Creates a simple listening TCP port; adding -u puts it in UDP mode.
nc -e [program]    Redirects stdin/stdout to/from a program.
nc -z              Used for port scanning.
nc -g or nc -G     Specifies source routing flags.
nc -t              Used for Telnet negotiation.
nc -w [timeout]    Sets a timeout before Netcat automatically quits.
nc -v              Puts Netcat into verbose mode.

Q: You are brought in as an external consultant to review the results of an internal vulnerability scan to be run on website hosting servers. All code has been developed in Java, and the team wants to test the code for buffer overflow vulnerabilities with the SAINT scanning tool. When the internal team asks for your opinion, you discourage them from starting this exercise. What is the probable reason for your recommendation?

a. An automated vulnerability assessment tool like SAINT is too noisy.

b. Java is not vulnerable to buffer overflow attacks.

c. The vulnerability signatures have to be updated prior to running the scan.

d. The SAINT scanner does not incorporate the new OWASP Top 10 web application scanning policy.

Explanation: Answer option B is correct.

Java uses a sandbox to isolate code and is therefore not vulnerable to buffer overflow attacks.

Almost all known web servers, application servers, and web application environments are susceptible to buffer overflows, the notable exception being environments written in interpreted languages like Java or Python, which are immune to these attacks (except for overflows in the Interpreter itself).

Q: John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He has to ping 500 computers to find out whether these computers are connected to the server or not. Which of the following will he use to ping these computers?

a. PING b. TRACEROUTE c. Ping sweeping d. NETSTAT

Explanation: Answer option C is correct.

The ping sweeping technique is used to ping a batch of devices and obtain the list of active devices. Since it is a time-consuming and tedious task to ping every address on the network individually, attackers use the ping sweeping technique instead.

Answer option A is incorrect. The ping command-line utility is used to test connectivity with a host on a TCP/IP-based network. This is achieved by sending out a series of packets to a specified destination host.

2. Q: During the attack process, what method is used to discover what rules are configured on a gateway?

a. Firewalking b. Firewalling c. OS Fingerprinting d. Ping Scan

Explanation: Answer option A is correct.

Firewalking is a technique used to discover what rules are configured on a gateway. Usually, packets are sent to the remote host with the exact TTL of the target. Hping2 can also be used for firewalking.

Answer option B is incorrect. There is no separate term called Firewalling.

What is the process of identifying hosts or services by sending packets into the network perimeter to see which ones get through?

A. firewalking B. Banner Grabbing C. Enumerating D. Trace-configuring

answer: A

Which of the following statements are true regarding N-tier architecture? (Choose two.)

A. The N-tier architecture must have at least one logical layer.

B. Each layer should exchange information only with the layers above and below it.

C. When a layer is changed or updated, the other layers must also be changed.

D. Each layer must be able to exist on a physically independent system.

ANSWER: B, D

Q: Which of the following is a technique used to determine which range of IP addresses is mapped to live hosts?

a. TRACERT utility b. Ping sweep c. KisMAC d. PATHPING

Explanation: Answer option B is correct.

Q: You want to determine which protocols a router or firewall will block and which it will pass on to downstream hosts. You want to map out all intermediate routers or hops between a scanning host and the target host. Based upon the results of the scans, you are going to identify which ports are open. The tool displays "A!" when it determines that the metric host is directly behind the target gateway. Which tool are you using for the scan?

a. Firewalk b. nmap c. hping d. traceroute

Explanation: Answer option A is correct.

Answer option C is incorrect. hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan technique.

9. Q: You are running an nmap scan to determine which ports are filtered. You send an ACK flag and receive a RST packet for open and closed ports. What kind of nmap scan are you running?

a. Null Scan -sN b. Fin Scan -sF c. XMAS Scan -sX d. TCP ACK scan -sA

Explanation: Answer option D is correct.

A TCP ACK scan does not determine open/closed ports; instead, it determines which ports are filtered/unfiltered. When a packet with the ACK flag is sent, both open and closed ports reply with RST. Ports that do not send a response are considered filtered.

Answer option A is incorrect. In a NULL scan, no flags are set on the packet. The target must follow RFC 793. The scanner receives no response if the port is open or filtered, and a RST if the port is closed.

Answer option B is incorrect. In a FIN scan, the FIN flag is set on the packet. The target must follow RFC 793. The scanner receives no response if the port is open or filtered, and a RST if the port is closed.

Answer option C is incorrect. In an XMAS scan, the FIN, URG, and PSH flags are set on the packet. The target must follow RFC 793. The scanner receives no response if the port is open or filtered, and a RST if the port is closed.

Reference: http://nmap.org/

11. Q: A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides an attacker unauthorized access to a computer. Which of the following tools can an attacker use to perform war dialing?

Each correct answer represents a complete solution. Choose two.

a. THC-Scan b. ToneLoc c. NetStumbler d. Wingate

Explanation: Answer options A and B are correct.

THC-Scan and ToneLoc are tools used for war dialing. A war dialer is a tool that is used to scan thousands of telephone numbers to detect vulnerable modems. It provides the attacker unauthorized access to a computer.

Q: Which of the following network scanning tools is a TCP/UDP port scanner that works as a ping sweeper and hostname resolver?

a. SuperScan b. Nmap c. Netstat d. Hping

Explanation: Answer option A is correct.

SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the host name of the remote system.

Q: Which of the following is the correct sequence of packets to perform the 3-way handshake method?

a. SYN, SYN/ACK, ACK b. SYN, ACK, SYN/ACK c. SYN, ACK, ACK d. SYN, SYN, ACK

Explanation: Answer option A is correct.

The TCP three-way handshake is used by the TCP protocol to establish a connection between a client and a server. It involves three steps:

1. In the first step of the three-way handshake method, a SYN message is sent from a client to the server.

2. In the second step of the three-way handshake method, SYN/ACK is sent from the server to the client.

3. In the third step of the three-way handshake method, ACK (usually called SYN-ACK-ACK) is sent from the client to the server. At this point, both the client and server have received an acknowledgment of the TCP connection.


13. Q: In which of the following scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed?

a. TCP FIN b. FTP bounce c. UDP port d. TCP SYN

Explanation: Answer option A is correct.

In the TCP FIN scanning method, Windows operating systems send only RST packets irrespective of whether the port is open or closed. TCP FIN scanning is a type of stealth scanning in which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends a RST packet back to the attacker.

Q: Which of the following Nmap commands is used to perform a UDP port scan?

a. nmap -sU b. nmap -sS c. nmap -sF d. nmap -sN

Explanation: Answer option A is correct.


The nmap -sU command is used to perform a UDP port scan.

Answer option B is incorrect. The nmap -sS command is used to perform stealth scanning.

Answer option C is incorrect. The nmap -sF command is used to perform FIN scanning.

Answer option D is incorrect. The nmap -sN command is used to perform TCP NULL port scanning.

14. Q: In which of the following scanning methods does an attacker send SYN packets and then a RST packet?

a. TCP FIN scan b. IDLE scan c. TCP SYN scan d. XMAS scan

Explanation: Answer option C is correct.

In a TCP SYN scan, an attacker sends SYN packets and then a RST packet. TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:

1. The attacker sends a SYN packet to the target port.

2. If the port is open, the attacker receives the SYN/ACK message.

3. Now the attacker breaks the connection by sending an RST packet.

4. If the RST packet is received, it indicates that the port is closed.


Answer option D is incorrect. Xmas scanning is just the opposite of null scanning. In Xmas Tree scanning, multiple flags (at least FIN, URG and PSH) are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with a RST packet.

16. Q: In which of the following scanning methods does an attacker send the spoofed IP address to send a SYN packet to the target?

a. IDLE b. NULL c. TCP FIN d. XMAS


Explanation: Answer option A is correct.

In the IDLE scan method, an attacker uses a spoofed IP address to send a SYN packet to the target. The IDLE scan is initiated with the IP address of a third party; hence, it is the only totally stealthy scan. Since the IDLE scan uses the IP address of a third party, it becomes difficult to detect the hacker.
