Q41. You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges? 

A. Administrator 



D. Whatever account IIS was installed with 

Answer: C

Explanation: If you manage to get the system to start a shell for you, that shell will be running as LOCAL_SYSTEM. 

Q42. What happens during a SYN flood attack? 

A. TCP connection requests floods a target machine is flooded with randomized source address & ports for the TCP ports. 

B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host’s address as both source and destination, and is using the same port on the target host as both source and destination. 

C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. 

D. A TCP packet is received with both the SYN and the FIN bits set in the flags field. 

Answer: A

Explanation: To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory. 

Q43. Which of the following commands runs snort in packet logger mode? 

A. ./snort -dev -h ./log 

B. ./snort -dev -l ./log 

C. ./snort -dev -o ./log 

D. ./snort -dev -p ./log 

Answer: B

Explanation: Note: If you want to store the packages in binary mode for later analysis use ./snort -l ./log -b 

Q44. Sandra is conducting a penetration test for ABC.com. She knows that ABC.com is using wireless networking for some of the offices in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she repositions herself around the building several times, Sandra is not able to detect a single AP. 

What do you think is the reason behind this? 

A. Netstumbler does not work against 802.11g. 

B. You can only pick up 802.11g signals with 802.11a wireless cards. 

C. The access points probably have WEP enabled so they cannot be detected. 

D. The access points probably have disabled broadcasting of the SSID so they cannot be detected. 

E. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal. 

F. Sandra must be doing something wrong, as there is no reason for her to not see the signals. 

Answer: D

Explanation: Netstumbler can not detect networks that do not respond to broadcast requests. 

Q45. 802.11b is considered a ____________ protocol. 

A. Connectionless 

B. Secure 

C. Unsecure 

D. Token ring based 

E. Unreliable 

Answer: C

Explanation: 802.11b is an insecure protocol. It has many weaknesses that can be used by a hacker. 

Q46. Which Type of scan sends a packets with no flags set ? 

Select the Answer 

A. Open Scan 

B. Null Scan 

C. Xmas Scan 

D. Half-Open Scan 



The types of port connections supported are: 

Q47. Which of the following best describes Vulnerability? 

A. The loss potential of a threat 

B. An action or event that might prejudice security 

C. An agent that could take advantage of a weakness 

D. A weakness or error that can lead to compromise 

Answer: D

Explanation: A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity. 

Q48. Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"? 

A. Overloading Port Address Translation 

B. Dynamic Port Address Translation 

C. Dynamic Network Address Translation 

D. Static Network Address Translation 

Answer: D

Explanation: Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network. 

Q49. Leesa is the senior security analyst for a publicly traded company. The IT department recently rolled out an intranet for company use only with information ranging from training, to holiday schedules, to human resources data. Leesa wants to make sure the site is not accessible from outside and she also wants to ensure the site is Sarbanes-Oxley (SOX) compliant. Leesa goes to a public library as she wants to do some Google searching to verify whether the company's intranet is accessible from outside and has been indexed by Google. Leesa wants to search for a website title of "intranet" with part of the URL containing the word "intranet" and the words "human resources" somewhere in the webpage. 

What Google search will accomplish this? 

A. related:intranet allinurl:intranet:"human resources" 

B. cache:"human resources" inurl:intranet(SharePoint) 

C. intitle:intranet inurl:intranet+intext:"human resources" 

D. site:"human resources"+intext:intranet intitle:intranet 

Answer: C

Q50. In TCP communications there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them: 

FIN = 1 SYN = 2 RST = 4 PSH = 8 ACK = 16 URG = 32 ECE = 64 CWR = 128 

Jason is the security administrator of ASPEN Communications. He analyzes some traffic using Wireshark and has enabled the following filters. 

What is Jason trying to accomplish here? 





Answer: B