Correct Answer:

Tcpdump is correct. Tcpdump is a free command-line packet analyzer, much like Wireshark. Another free tool, tcptrace, can be used to help analyze tcpdump files (along with lots of other tool outputs).

Incorrect Answers:

Nessus, netcat, and ethereal are incorrect.

Nessus is a vulnerability scanner.

Netcat is a backdoor tool (which provides a lot of other features as well).

Ethereal is the old name for Wireshark.

Correct Answer:

All is correct. All these registry locations are good bets for malware insertion.

Incorrect Answers:

All answers are correct; therefore, “All the above” is the appropriate choice.

Correct Answer:

Wrapping attack is correct.

Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.

Incorrect Answers:

CSRF, CR SOAP, and side channel are incorrect.

These attacks do not involve SOAP messaging.

Correct Answer:

A directory traversal attempt is correct.

The “dot-dot-slash” is a dead giveaway on directory traversal (in this case, attempting to view the system.ini file). The idea in this attack is to travel the directory structure back to the root, then on to a location known to contain an executable of use to the attacker.

Incorrect Answers:

An offline attack attempt, a cross-site scripting attack attempt, and a SQL injection attempt are incorrect.

The URL does not indicate XSS or SQL injection. Offline attacks deal with the theft of passwords and the attempt to crack them offline.

Correct Answers:

Pre-attack, attack, and post-attack are correct.

The pen test phases are pre-attack, attack, and post-attack.

Incorrect Answers:

Reconnaissance, footprinting, and covering tracks are incorrect.

These are all steps of ethical hacking.

Correct Answer:

Netstat -an is correct.

Netstat can display network connections, routing tables, and all sorts of information about the interface. The -a switch displays all connections and listening ports, and the -n switch puts everything in numerical format.

Incorrect Answers:

Netstat -a localhost -n., listport -an, and listport -a localhost -n are incorrect.

These answers either have incorrect syntax or are not legitimate (listport).

Risk assessment:

• This is the process of evaluating assets to determine their vulnerabilities and the potential impact on the organization.
• Example: Assessing a database to evaluate how exposed it is to SQL injection attacks and estimating the financial impact if it were breached.

Why the other options are incorrect:

• Pen test (Penetration testing):
• Involves simulating attacks on systems to find security weaknesses. Focuses on active exploitation rather than evaluating asset vulnerability.
• Example: Attempting to hack into a web server to discover exploitable vulnerabilities.
• Security analysis:
• A broader term that includes various methods for understanding an organization's security posture, but it doesn't specifically focus on evaluating asset vulnerabilities.
• Example: Reviewing the organization’s overall security policies and architecture.
• Vulnerability scanning:
• Identifies vulnerabilities in systems by using automated tools, but it doesn't assess the organizational impact of those vulnerabilities.
• Example: Using a scanner to find outdated software versions on servers.

Correct Answers:

Active sniffing is used when you are on a switch and active sniffing is easier to detect than passive sniffing are correct.

If you’re connected to a switch, you’re on your own collision domain—meaning you’ll only see traffic intended for your port. Active sniffing is typically required in order to force the switch to send you other traffic to sniff. Active attacks, by their nature, are easier to detect—you’re actively injecting packets to make your sniffing efforts successful; therefore, there’s something to see.

Incorrect Answers:

Active sniffing is used when you are on a hub and active sniffing is harder to detect than passive sniffing are incorrect.

Hubs share a collision domain, so passive sniffing is all that’s necessary. And it’s worlds more difficult to detect a passive sniffer—after all, it’s just sitting there doing nothing but listening.

Correct Answer:

False negative is correct.

In this case, the IDS reacted in a negative fashion (that is, it did not send any alerts) when in fact it should have alerted. This could be due to a variety of reasons—poor configuration, anomaly-based IDS without the appropriate baseline time to learn proper traffic patterns, and so on.

Incorrect Answers:

False positive, true negative, and true positive are incorrect.

A false positive occurs when the IDS alerts on traffic as malicious when, in truth, it is allowable and expected. The other choices are included as distractors.

Correct Answers:

Auditory alarms set on doorways and audit logs are correct.

Detective controls are in place to let you know when something has happened or is happening.

Incorrect Answers:

System backups and authentication badges are incorrect.

A system backup does a great job of fixing things after everything is over (a corrective control).

Authentication badges are used to keep bad guys from getting in to begin with (preventive control). Neither is a detective control.