Q11. When a malicious hacker identifies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer) 

A. Cover his tracks by eradicating the log files and audit trails. 

B. Gain access to the remote computer in order to conceal the venue of attacks. 

C. Perform a reconnaissance of the remote target for identification of venue of attacks. 

D. Always begin with a scan in order to quickly identify venue of attacks. 

Answer: C

Explanation: A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much information as possible about the target of evaluation prior to launching an attack. The reconnaissance can be either passive or active (or both). 

Q12. Which of the following tools can be used to perform a zone transfer? 

A. NSLookup 

B. Finger 

C. Dig 

D. Sam Spade 

E. Host 

F. Netcat 

G. Neotrace 

Answer: ACDE

Explanation: There are a number of tools that can be used to perform a zone transfer. Some of these include: NSLookup, Host, Dig, and Sam Spade. 

Q13. Which definition below best describes a covert channel? 

A. Making use of a Protocol in a way it was not intended to be used 

B. It is the multiplexing taking place on communication link 

C. It is one of the weak channels used by WEP that makes it insecure 

D. A Server Program using a port that is not well known 

Answer: A

Explanation: A covert channel is a hidden communication channel not intended for information transfer at all. Redundancy can often be used to communicate in a covert way. There are several ways that hidden communication can be set up. 

Q14. What ICMP message types are used by the ping command? 

A. Timestamp request (13) and timestamp reply (14) 

B. Echo request (8) and Echo reply (0) 

C. Echo request (0) and Echo reply (1) 

D. Ping request (1) and Ping reply (2) 

Answer: B

Explanation: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo Request 

Q15. John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack. 

Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here? 

[root@apollo /]# rm rootkit.c 

[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; 

rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; 

rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd 

rm: cannot remove `/tmp/h': No such file or directory 

rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory 

[root@apollo /]# ps -aux | grep portmap 

[root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm 

/sbin/portmap ; 

rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm - rf 

/usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 


rm: cannot remove `/sbin/portmap': No such file or directory 

rm: cannot remove `/tmp/h': No such file or directory 

rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory 

[root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory 

A. The hacker is planting a rootkit 

B. The hacker is trying to cover his tracks 

C. The hacker is running a buffer overflow exploit to lock down the system 

D. The hacker is attempting to compromise more machines on the network 


Explanation: By deleting temporary directories and emptying files like bash_history, which contains the last commands used with the bash shell, he is trying to cover his tracks. 

Q16. When referring to the Domain Name Service, what is denoted by a ‘zone’? 

A. It is the first domain that belongs to a company. 

B. It is a collection of resource records. 

C. It is the first resource record type in the SOA. 

D. It is a collection of domains. 

Answer: B

Explanation: A reasonable definition of a zone would be a portion of the DNS namespace where responsibility has been delegated. 

Q17. Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. 

Which of the choices below indicate the other features offered by Snort? 

A. IDS, Packet Logger, Sniffer 

B. IDS, Firewall, Sniffer 

C. IDS, Sniffer, Proxy 

D. IDS, Sniffer, content inspector 

Answer: A

Explanation: Snort is a free software network intrusion detection and prevention system capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire. 

Q18. Jason is the network administrator of Spears Technology. He has enabled SNORT IDS to detect attacks going through his network. He receives Snort SMS alerts on his iPhone whenever there is an attempted intrusion to his network. 

He receives the following SMS message during the weekend. 

An attacker Chew Siew sitting in Beijing, China had just launched a remote scan on Jason's network with the hping command. 

Which of the following hping2 commands is responsible for the above snort alert? 

A. chenrocks:/home/siew # hping -S -R -P -A -F -U -p 22 -c 5 -t 118 

B. chenrocks:/home/siew # hping -F -Q -J -A -C -W -p 22 -c 5 -t 118 

C. chenrocks:/home/siew # hping -D -V -R -S -Z -Y -p 22 -c 5 -t 118 

D. chenrocks:/home/siew # hping -G -T -H -S -L -W -p 22 -c 5 -t 118 

Answer: A

Q19. Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host? 

A. Honeypot 

B. DMZ host 

C. DWZ host 

D. Bastion Host 

Answer: D

Explanation: A bastion host is a gateway between an inside network and an outside network. Used as a security measure, the bastion host is designed to defend against attacks aimed at the inside network. Depending on a network's complexity and configuration, a single bastion host may stand guard by itself, or be part of a larger security system with different layers of protection. 

Q20. You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open. 

Which one of the following statements is probably true? 

A. The systems have all ports open. 

B. The systems are running a host based IDS. 

C. The systems are web servers. 

D. The systems are running Windows. 

Answer: D

Explanation: The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned, and a null scan to an open port results in no response. Unfortunately, Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows, as they choose not to respond at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows.