xxxvi  Answers to Assessment Test

Answers to Assessment Test

1.C.  ​Replay attacks involve capturing passwords, most likely encrypted, and playing them back to fake authentication. For more information, see Chapter 4.

2.A.  ​An LM hash splits a password into two sections. If the password is 7 characters or less, then the blank portion of the password will always be a hex value of AAD3B435B51404EE. 0x preceding the value indicates it is in Hex. For more information, see Chapter 4.

3.A,B,C,D.  ​A dictionary word can always be broken using brute force. For more information, see Chapter 4.

4.D.  ​The CANSPAM Act is an acronym for Controlling the Assault of Non-Solicited Pornography and Marketing Act; the act attempts to prevent unsolicited spam. For more information, see Chapter 1.

5.A.  ​Network-Based Application Recognition is a Cisco IOS mechanism for controlling traffic through network ingress points. For more information, see Chapter 6.

6.B.  ​A way of locating Hotmail messages in Ethereal is to use a filter of email and Reply-to to find actual email messages. For more information, see Chapter 6.

7.A.  ​In a Smurf attack a large amount of ICMP echo request (ping) traffic is send to an IP broadcast address, with a spoofed source IP address of the intended victim. IRC servers are commonly used to perpetuate this attack so they are considered primary victims. For more information, see Chapter 7.

8.D.  ​The DNS reflector and amplification type attacks DNS servers directly. By adding amplification to the attack, many hosts send the attack and results in a denial-of-service to the DNS servers. For more information, see Chapter 8.

9.A.  ​TCP operates at the Transport layer, or Layer 4 of the OSI model, and consequently a TCP/IP session hijack occurs at the Transport layer. For more information, see Chapter 7.

10.D.  ​Website cloaking is serving different web pages based on the source IP address of the user. For more information, see Chapter 8.

11.A.  ​Basic Authentication uses cleartext passwords. For more information, see Chapter 8.

12.B.  ​A protection against cross-site scripting is to secure the server scripts. For more information, see Chapter 8.

13.A.  ​Machine Authentication would require the host system to have a domain account that would only be valid for corporate PCs. For more information, see Chapter 13.

14.C.  ​Privilege escalation can be done through capturing and modifying cookies. For more information, see Chapter 8.

15.A,B,C,D.  ​Installing service packs, personal firewall software, and antivirus signatures should all be done prior to using a new computer on the network. For more information, see Chapter 5.

16.A.  ​Microsoft Baseline Security Analyzer is a patch management utility built into Windows for analyzing security. For more information, see Chapter 15.

17.D.  ​POST should be used instead of GET for web page posts. For more information, see Chapter 8.

18.A,D.  ​Stackand heap-based are the two types of buffer overflow attacks. For more information, see Chapter 9.

19.C.  ​Polymorphic shellcode changes by using the XOR process to encrypt and decrypt the shellcode. For more information, see Chapter 5.

20.A.  ​Passwords are stored in the /shadow file in Linux. For more information, see Chapter 3.

21.B.  ​IP fragmentation or session splicing is a way of defeating an IDS. For more information, see Chapter 13.

22.A.  ​A message is encrypted with a user’s private key so that only the user’s public key can decrypt the signature and the user’s identity can be verified. For more information, see Chapter 14.

23.A.  ​Every company should have an Information Security Policy. For more information, see Chapter 15.

24.C.  ​Netcat is a multiuse Unix utility for reading and writing across network connections. For more information, see Chapter 4.

25.D.  ​Tripwire is a file and directory integrity checker. For more information, see Chapter 4.

26.B.  ​nmap -sS creates a stealth scan and the -O switch performs operating system detection. For more information, see Chapter 3.

27.A.  ​snort -c snort.conf indicates snort.conf is the config file containing snort rules. For more information, see Chapter 13.

28.E.  ​strcat() does not perform bounds checking and creates a buffer overflow vulnerability. For more information, see Chapter 9.

29.C.  ​SMB signing prevents SMB hijacking. For more information, see Chapter 4.

30.A.  ​Disgruntled employees are the biggest threat to a network. For more information, see Chapter 1.

31.C.  ​-O performs OS detection in Nmap. For more information, see Chapter 3.

32.B.  ​LM authentication can be disabled in the Windows Registry. For more information, see Chapter 4.

33.D.  ​ip.src== is the syntax to filter on a source IP address. For more information, see Chapter 6.

34.B.  ​The FIN flag is used to close a TCP/IP connection. For more information, see Chapter 6.

35.A.  ​ICMP Time Exceeded is type 11, code 0. For more information, see Chapter 3.