User A is writing a sensitive email message to user B outside the local network. User A has chosen to
use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of
the OSI layer does the encryption and decryption of the message take place?
D
Explanation:
https://en.wikipedia.org/wiki/Presentation_layer
In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as
the data translator for the network. It is sometimes called the syntax layer. The presentation layer is
responsible for the formatting and delivery of information to the application layer for further
processing or display.
Encryption is typically done at this level too, although it can be done on the application, session,
transport, or network layers, each having its own advantages and disadvantages. Decryption is also
handled at the presentation layer. For example, when logging on to bank account sites the
presentation layer will decrypt the data as it is received.
A new wireless client is configured to join a 802.11 network. This client uses the same hardware and
software as many of the other clients on the network. The client can see the network, but cannot
connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to
the association requests being sent by the wireless client. What is a possible source of this problem?
A
Explanation:
https://en.wikipedia.org/wiki/MAC_filtering
MAC filtering is a security method based on access control. Each address is assigned a 48-bit address,
which is used to determine whether we can access a network or not. It helps in listing a set of
allowed devices that you need on your Wi-Fi and the list of denied devices that you don’t want on
your Wi-Fi. It helps in preventing unwanted access to the network. In a way, we can blacklist or white
list certain computers based on their MAC address. We can configure the filter to allow connection
only to those devices included in the white list. White lists provide greater security than blacklists
because the router grants access only to selected devices.
It is used on enterprise wireless networks having multiple access points to prevent clients from
communicating with each other. The access point can be configured only to allow clients to talk to
the default gateway, but not other wireless clients. It increases the efficiency of access to a network.
The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to
choose which devices can connect to your network. The router has several functions designed to
improve the network's security, but not all are useful. Media access control may seem advantageous,
but there are certain flaws.
On a wireless network, the device with the proper credentials such as SSID and password can
authenticate with the router and join the network, which gets an IP address and access to the
internet and any shared resources.
MAC address filtering adds an extra layer of security that checks the device’s MAC address against a
list of agreed addresses. If the client’s address matches one on the router’s list, access is granted;
otherwise, it doesn’t join the network.
You are tasked to perform a penetration test. While you are performing information gathering, you
find an employee list in Google. You find the receptionist’s email, and you send her an email
changing the source email to her boss’s email (boss@company). In this email, you ask for a pdf with
information. She reads your email and sends back a pdf with links. You exchange the pdf links with
your malicious links (these links contain malware) and send back the modified pdf, saying that the
links don’t work. She reads your email, opens the links, and her machine gets infected. You now have
access to the company network. What testing method did you use?
A
Explanation:
Social engineering is the term used for a broad range of malicious activities accomplished through
human interactions. It uses psychological manipulation to trick users into making security mistakes or
giving away sensitive information.
Social engineering attacks typically involve some form of psychological manipulation, fooling
otherwise unsuspecting users or employees into handing over confidential or sensitive data.
Commonly, social engineering involves email or other communication that invokes urgency, fear, or
similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a
malicious link, or open a malicious file. Because social engineering involves a human element,
preventing these attacks can be tricky for enterprises.
Incorrect answers:
Tailgating and Piggybacking are the same thing
Tailgating, sometimes referred to as piggybacking, is a physical security breach in which an
unauthorized person follows an authorized individual to enter a secured premise.
Tailgating provides a simple social engineering-based way around many security mechanisms one
would think of as secure. Even retina scanners don't help if an employee holds the door for an
unknown person behind them out of misguided courtesy.
People who might tailgate include disgruntled former employees, thieves, vandals, mischief-makers,
and issues with employees or the company. Any of these can disrupt business, cause damage, create
unexpected costs, and lead to further safety issues.
Eavesdropping
https://en.wikipedia.org/wiki/Eavesdropping
Eavesdropping is the act of secretly or stealthily listening to the private conversation or
communications of others without their consent in order to gather information. Since the beginning
of the digital age, the term has also come to hold great significance in the world of cybersecurity.
The question does not specify at what level and how this attack is used. An attacker can eavesdrop
on a conversation or use special software and obtain information on the network. There are many
options, but this is not important because the correct answer is clearly not related to information
interception.
If a tester is attempting to ping a target that exists but receives no response or a response that states
the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which
other option could the tester use to get a response from a host using TCP?
B
Explanation:
https://tools.kali.org/information-gathering/hping3
http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf
Which is the first step followed by Vulnerability Scanners for scanning a network?
D
Explanation:
Vulnerability scanning solutions perform vulnerability penetration tests on the organizational
network in three steps:
1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network
using various scanning techniques.
2. Performing service and OS discovery on them: After detecting the live hosts in the target network,
the next step is to enumerate the open ports and services and the operating system on the target
systems.
3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services
and the operating system running on the target nodes, they are tested for known vulnerabilities.
Which of the following programs is usually targeted at Microsoft Office products?
C
Explanation:
A macro virus is a virus that is written in a macro language: a programming language which is
embedded inside a software application (e.g., word processors and spreadsheet applications). Some
applications, such as Microsoft Office, allow macro programs to be embedded in documents such
that the macros are run automatically when the document is opened, and this provides a distinct
mechanism by which malicious computer instructions can spread. (Wikipedia)
NB: The virus Melissa is a well-known macro virus we could find attached to word documents.
A technician is resolving an issue where a computer is unable to connect to the Internet using a
wireless access point. The computer is able to transfer files locally to other machines, but cannot
successfully reach the Internet. When the technician examines the IP address and default gateway
they are both on the 192.168.1.0/24. Which of the following has occurred?
B
Explanation:
https://en.wikipedia.org/wiki/Private_network
In IP networking, a private network is a computer network that uses private IP address space. Both
the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly
used for local area networks (LANs) in residential, office, and enterprise environments.
Private network addresses are not allocated to any specific organization. Anyone may use these
addresses without approval from regional or local Internet registries. Private IP address spaces were
originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or
addressed to a private IP address cannot be routed through the public Internet.
The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority
(IANA) to reserve the following IPv4 address ranges for private networks:
· 10.0.0.0 – 10.255.255.255
· 172.16.0.0 – 172.31.255.255
· 192.168.0.0 – 192.168.255.255
Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if
no measures are taken, are isolated from the Internet. However, several technologies allow such
machines to connect to the Internet.
· Mediation servers like IRC, Usenet, SMTP and Proxy server
· Network address translation (NAT)
· Tunneling protocol
NOTE: So, the problem is just one of these technologies.
Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of
communication?
C
Explanation:
https://en.wikipedia.org/wiki/Network_Time_Protocol
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between
computer systems over packet-switched, variable-latency data networks.
NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated
Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm,
to select accurate time servers and is designed to mitigate variable network latency effects. NTP can
usually maintain time to within tens of milliseconds over the public Internet and achieve better than
one millisecond accuracy in local area networks. Asymmetric routes and network congestion can
cause errors of 100 ms or more.
The protocol is usually described in terms of a client-server model but can easily be used in peer-to-
peer relationships where both peers consider the other to be a potential time source.
Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port
number 123.
Incorrect answers:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
19 - Character Generator Protocol (CHARGEN)
177 - X Display Manager Control Protocol (XDMCP)
161 - Simple Network Management Protocol (SNMP)
Which of the following tools performs comprehensive tests against web servers, including dangerous
files and CGIs?
A
Explanation:
https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner)
Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous
files/CGIs, outdated server software, and other problems. It performs generic and server types
specific checks. It also captures and prints any cookies received. The Nikto code itself is free
software, but the data files it uses to drive the program are not.
An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and
Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible
breach of security. When the investigator attempts to correlate the information in all of the logs, the
sequence of many of the logged events do not match up.
What is the most likely cause?
A
Explanation:
Many network and system administrators don't pay enough attention to system clock accuracy and
time synchronization. Computer clocks can run faster or slower over time, batteries and power
sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing
security issues to deal with, but not ensuring that the time on network devices is synchronized can
cause problems. And these problems often only come to light after a security incident.
If you suspect a hacker is accessing your network, for example, you will want to analyze your log files
to look for any suspicious activity. If your network's security devices do not have synchronized times,
the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only
will you have difficulty in tracking events, but you will also find it difficult to use such evidence in
court; you won't be able to illustrate a smooth progression of events as they occurred throughout
your network.
During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised
web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type
of firewall is inspecting outbound traffic?
C
Explanation:
https://en.wikipedia.org/wiki/Internet_Relay_Chat
Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The
chat process works on a client/server networking model. IRC clients are computer programs that
users can install on their system or web-based applications running either locally in the browser or
on a third-party server. These clients communicate with chat servers to transfer messages to other
clients.
IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running
the service on this port requires running it with root-level permissions, which is inadvisable. As a
result, the well-known port for IRC is 6667, a high-number port that does not require elevated
privileges. However, an IRC server can also be configured to run on other ports as well.
You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see
an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be
malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls.
https://en.wikipedia.org/wiki/Application_firewall
An application firewall is a form of firewall that controls input/output or system calls of an
application or service. It operates by monitoring and blocking communications based on a configured
policy, generally with predefined rule sets to choose from. The application firewall can control
communications up to the OSI model's application layer, which is the highest operating layer, and
where it gets its name. The two primary categories of application firewalls are network-based and
host-based.
Application layer filtering operates at a higher level than traditional security appliances. This allows
packet decisions to be made based on more than just source/destination IP Addresses or ports. It can
also use information spanning across multiple connections for any given host.
Network-based application firewalls
Network-based application firewalls operate at the application layer of a TCP/IP stack. They can
understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name
System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications
or services using a non-standard port or detect if an allowed protocol is being abused.
Host-based application firewalls
A host-based application firewall monitors application system calls or other general system
communication. This gives more granularity and control but is limited to only protecting the host it is
running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to
define rules for processes that have not yet received a connection. Further filtering can be done by
examining the process ID of the owner of the data packets. Many host-based application firewalls are
combined or used in conjunction with a packet filter.
By using a smart card and pin, you are using a two-factor authentication that satisfies
B
Explanation:
Two-factor Authentication or 2FA is a user identity verification method, where two of the three
possible authentication factors are combined to grant access to a website or application.1)
something the user knows, 2) something the user has, or 3) something the user is.
The possible factors of authentication are:
· Something the User Knows:
This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge,
the user must provide information that matches the answers previously provided to the organization
by that user, such as “Name the town in which you were born.”
· Something the User Has:
This involves entering a one-time password generated by a hardware authenticator. Users carry
around an authentication device that will generate a one-time password on command. Users then
authenticate by providing this code to the organization. Today, many organizations offer software
authenticators that can be installed on the user’s mobile device.
· Something the User Is:
This third authentication factor requires the user to authenticate using biometric data. This can
include fingerprint scans, facial scans, behavioral biometrics, and more.
For example: In internet security, the most used factors of authentication are:
something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is
two-factor authentication. Two-factor authentication is also sometimes referred to as strong
authentication, Two-Step Verification, or 2FA.
The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA)
is that, as the term implies, Two-Factor Authentication utilizes a combination of two out of three
possible authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of
these authentication factors.
“........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on
the premises, but actually has been set up to eavesdrop on wireless communications. It is the
wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or
mobile phone to a tainted hot-spot by posing as a legitimate provider. This type of attack may be
used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting
up a fraudulent web site and luring people there.”
Fill in the blank with appropriate choice.
A
Explanation:
https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a
legitimate access point to steal victims’ sensitive details. Most often, the victims of such attacks are
ordinary people like you and me.
The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is
used to eavesdrop on users and steal their login credentials or other sensitive information. Because
the hacker owns the equipment being used, the victim will have no idea that the hacker might be
intercepting things like bank transactions.
An evil twin access point can also be used in a phishing scam. In this type of attack, victims will
connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their
sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once
the hacker gets them, they might simply disconnect the victim and show that the server is
temporarily unavailable.
ADDITION: It may not seem obvious what happened. The problem is in the question statement. The
attackers were not Alice and John, who were able to connect to the network without a password, but
on the contrary, they were attacked and forced to connect to a fake network, and not to the real
network belonging to Jane.
What term describes the amount of risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed?
A
Explanation:
https://en.wikipedia.org/wiki/Residual_risk
The residual risk is the risk or danger of an action or an event, a method or a (technical) process that,
although being abreast with science, still conceives these dangers, even if all theoretically possible
safety measures would be applied (scientifically conceivable measures); in other words, the amount
of risk left over after natural or inherent risks have been reduced by risk controls.
· Residual risk = (Inherent risk) – (impact of risk controls)
Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized
packets to the target computer, making it very difficult for an IDS to detect the attack signatures.
Which tool can be used to perform session splicing attacks?
D
Explanation:
«Many IDS reassemble communication streams; hence, if a packet is not received within a
reasonable period, many IDS stop reassembling and handling that stream. If the application under
attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS
will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to
malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing
attack. Attackers can use tools such as Nessus for session splicing attacks.»
Did you know that the EC-Council exam shows how well you know their official book? So, there is no
"Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for
performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I
will assume the author of the question found it while copying Wikipedia.
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
One basic technique is to split the attack payload into multiple small packets so that the IDS must
reassemble the packet stream to detect the attack. A simple way of splitting packets is by
fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker'
evasion tool calls crafting packets with small payloads 'session splicing'.
By itself, small packets will not evade any IDS that reassembles packet streams. However, small
packets can be further modified in order to complicate reassembly and detection. One evasion
technique is to pause between sending parts of the attack, hoping that the IDS will time out before
the target computer does. A second evasion technique is to send the packets out of order, confusing
simple packet re-assemblers but not the target computer.
NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you
unverified information. According to the official tutorials, the correct answer is Nessus, but if you
know anything about Wisker, please write in the QA section. Maybe this question will be updated
soon, but I'm not sure about that.