NEW QUESTION 1

Ethical hacker jane Smith is attempting to perform an SQL injection attach. She wants to test the response time of a true or false response and wants to use a second command to determine whether the database will return true or false results for user IDs. which two SQL Injection types would give her the results she is looking for?

• A. Out of band and boolean-based
• B. Time-based and union-based
• C. union-based and error-based
• D. Time-based and boolean-based

Answer: D

Explanation:
“Boolean based” we mean that it is based on Boolean values, that is, true or false / true and false. AND
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Boolean-based (content-based) Blind SQLi
Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
Time-based Blind SQLi
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
https://www.acunetix.com/websitesecurity/sql-injection2/

NEW QUESTION 2

Which Nmap switch helps evade IDS or firewalls?

• A. -n/-R
• B. -0N/-0X/-0G
• C. -T
• D. -D

Answer: C

NEW QUESTION 3

Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?

• A. To determine who is the holder of the root account
• B. To perform a DoS
• C. To create needless SPAM
• D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
• E. To test for virus protection

Answer: D

NEW QUESTION 4

Why is a penetration test considered to be more thorough than vulnerability scan?

• A. Vulnerability scans only do host discovery and port scanning by default.
• B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
• C. It is not – a penetration test is often performed by an automated tool, while a vulnerability scan requires active engagement.
• D. The tools used by penetration testers tend to have much more comprehensive vulnerability databases.

Answer: B

NEW QUESTION 5

What is the proper response for a NULL scan if the port is closed?

• A. SYN
• B. ACK
• C. FIN
• D. PSH
• E. RST
• F. No response

Answer: E

NEW QUESTION 6

The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?

• A. Multi-cast mode
• B. Promiscuous mode
• C. WEM
• D. Port forwarding

Answer: B

NEW QUESTION 7

is a set of extensions to DNS that provide the origin authentication of DNS data to DNS clients (resolvers) so as to reduce the threat of DNS poisoning, spoofing, and similar types of attacks.

• A. DNSSEC
• B. Resource records
• C. Resource transfer
• D. Zone transfer

Answer: A

Explanation:
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by DNS for use on IP networks. DNSSEC is a set of extensions to DNS provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. DNSSEC is necessary because the original DNS design did not include security but was designed to be a scalable distributed system. DNSSEC adds security while maintaining backward compatibility.

NEW QUESTION 8

When configuring wireless on his home router, Javik disables SSID broadcast. He leaves authentication “open” but sets the SSID to a 32-character string of random letters and numbers.
What is an accurate assessment of this scenario from a security perspective?

• A. Since the SSID is required in order to connect, the 32-character string is sufficient to prevent brute-force attacks.
• B. Disabling SSID broadcast prevents 802.11 beacons from being transmitted from the access point, resulting in a valid setup leveraging “security through obscurity”.
• C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association.
• D. Javik’s router is still vulnerable to wireless hacking attempts because the SSID broadcast setting can be enabled using a specially crafted packet sent to the hardware address of the access point.

Answer: C

NEW QUESTION 9

“........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hot-spot by posing as a legitimate provider. This type of attack may be used to steal the passwords of
unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.”
Fill in the blank with appropriate choice.

• A. Evil Twin Attack
• B. Sinkhole Attack
• C. Collision Attack
• D. Signal Jamming Attack

Answer: A

Explanation:
https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate access point to steal victims’ sensitive details. Most often, the victims of such attacks are ordinary people like you and me.
The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank transactions.
An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might simply disconnect the victim and show that the server is temporarily unavailable.
ADDITION: It may not seem obvious what happened. The problem is in the question statement. The attackers were not Alice and John, who were able to connect to the network without a password, but on the contrary, they were attacked and forced to connect to a fake network, and not to the real network belonging to Jane.

NEW QUESTION 10

Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for an IDS with the following characteristics: - Verifies success or failure of an attack - Monitors system activities Detects attacks that a network-based IDS fails to detect - Near real-time detection and response - Does not require additional hardware - Lower entry cost Which type of IDS is best suited for Tremp's requirements?

• A. Gateway-based IDS
• B. Network-based IDS
• C. Host-based IDS
• D. Open source-based

Answer: C

NEW QUESTION 11

You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters. With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

• A. Online Attack
• B. Dictionary Attack
• C. Brute Force Attack
• D. Hybrid Attack

Answer: D

NEW QUESTION 12

In both pharming and phishing attacks, an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims.
What is the difference between pharming and phishing attacks?

• A. In a pharming attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DN
• B. In a phishing attack, an attacker provides the victim with a URL that is either misspelled or looks similar to the actual websites domain name
• C. In a phishing attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DN
• D. In a pharming attack, an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual websites domain name
• E. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering
• F. Both pharming and phishing attacks are identical

Answer: A

NEW QUESTION 13

What is the proper response for a NULL scan if the port is open?

• A. SYN
• B. ACK
• C. FIN
• D. PSH
• E. RST
• F. No response

Answer: F

NEW QUESTION 14

When conducting a penetration test, it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network. Which of the following cannot be
performed by the passive network sniffing?

• A. Identifying operating systems, services, protocols and devices
• B. Modifying and replaying captured network traffic
• C. Collecting unencrypted information about usernames and passwords
• D. Capturing a network traffic for further analysis

Answer: B

NEW QUESTION 15

Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms.
What is this document called?

• A. Information Audit Policy (IAP)
• B. Information Security Policy (ISP)
• C. Penetration Testing Policy (PTP)
• D. Company Compliance Policy (CCP)

Answer: B

NEW QUESTION 16

You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What Wireshark filter will show the connections from the snort machine to kiwi syslog machine?

• A. tcp.srcport= = 514 && ip.src= = 192.168.0.99
• B. tcp.srcport= = 514 && ip.src= = 192.168.150
• C. tcp.dstport= = 514 && ip.dst= = 192.168.0.99
• D. tcp.dstport= = 514 && ip.dst= = 192.168.0.150

Answer: D

NEW QUESTION 17
......