Ethical Hacking - ME
| Term | Definition |
|---|---|
| Which statement best describes the term ethical hacker? | a person who mimics an attacker to evaluate the security posture of a network |
| Which threat actor term describes a well-funded and motivated group that will use the latest attack techniques for financial gain? | organized crime |
| Which type of threat actor uses cybercrime to steal sensitive data and reveal it publicly to embarrass a target? | hacktivist |
| What is a state-sponsored attack? | An attack perpetrated by governments worldwide to disrupt or steal information from other nations. |
| What is an insider threat attack? | An attack perpetrated by disgruntled employees inside an organization. |
| What kind of security weakness is evaluated by application-based penetration tests? | logic flaws |
| What two resources are evaluated by a network infrastructure penetration test? (Choose two.) | AAA servers; IPSs |
| When conducting an application-based penetration test on a web application, the assessment should also include testing access to which resources? | back-end databases |
| What is the purpose of bug bounty programs used by companies? | reward security professionals for finding vulnerabilities in the systems of the company |
| What characterizes a partially known environment penetration test? | The test is a hybrid approach between unknown and known environment tests. |
| What characterizes a known environment penetration test? | The tester could be provided with network diagrams, IP addresses, configurations, and user credentials. |
| Which type of penetration test would only provide the tester with limited information such as the domain names and IP addresses in the scope? | unknown-environment test |
| Match the penetration testing methodology to the description. | MITRE ATT&CK - collection of different matrices of tactics and techniques that adversaries use while preparing for an attack. OWASP WSTG - covers the high-level phases of web application security testing. |
| Match the penetration testing methodology to the description. | NIST SP 800-115 - provides organizations with guidelines on planning and conducting information security testing. OSSTMM - lays out repeatable and consistent security testing. PTES - provides information about types of attacks and methods. |
| Which three options are phases in the Penetration Testing Execution Standard (PTES)? (Choose three.) | Threat modeling; Reporting; Exploitation |
| Which two options are phases in the Information Systems Security Assessment Framework (ISSAF)? (Choose two.) | Maintaining access; Vulnerability identification |
| Which two options are phases in the Open Source Security Testing Methodology Manual (OSSTMM)? (Choose two.) | Work Flow; Trust Analysis |
| Which penetration testing methodology is a comprehensive guide focused on web application testing? | OWASP WSTG |
| Which option is a Linux distribution that includes penetration testing tools and resources? | BlackArch |
| Which option is a Linux distribution URL that provides a convenient learning environment about pen testing tools and methodologies? | parrotsec.org |
| What does the “Health Monitoring” requirement mean when setting up a penetration test lab environment? | The tester needs to be able to determine the causes when something crashes. |
| Which tool would be useful when performing a network infrastructure penetration test? | bypassing firewalls and IPSs tool |
| Which tool should be used to perform an application-based penetration test? | interception proxies tool |
| Which tools should be used to perform a wireless infrastructure penetration test? | de-authorizing network devices tools |
| Which tools should be used for testing the server and client platforms in an environment? | vulnerability scanning tools |
| Sometimes a tester cannot virtualize a system to do the proper penetration testing. What action should be taken if a system cannot be tested in a virtualized environment? | a full backup of the system |
| A contractor is hired to review and perform cybersecurity vulnerability assessments for a local health clinic facility. Which U.S. government regulation must the contractor understand before the contractor can start? | HIPAA |
| An Internal Revenue Service office in New York is considering moving some services to a cloud computing platform. Which U.S. government regulation must the office follow in the process? | FedRAMP |
| A US university in California plans to offer online courses to students in partner universities in France and Germany. Which regulation should the university follow when those courses are offered? | GDPR |
| Which U.S. government agency is responsible for enforcing the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (GLB Act)? | Federal Trade Commission (FTC) |
| In the healthcare sector, which term defines an entity that processes nonstandard health information it receives from another entity into a standard format? | healthcare clearinghouse |
| In the healthcare sector, which term is used to define an entity that provides payment for medical services? | health plan |
| In e-commerce, what determines the application of the Payment Card Industry Data | primary account number |
| What are two examples of sensitive authentication data associated with a payment card that requires compliance with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose two.) | CAV2/CVC2/CVV2/CID; full magnetic strip data or equivalent data on a chip |
| Match the parts of Recommendation for Key Management in the NIST SP 800-57 to the description. | Part 1: General - provides general guidance and best practices for the management of cryptographic keying material. |
| Match the parts of Recommendation for Key Management in the NIST SP 800-57 to the description. | Part 2: Best Practices for Key Management Organization - provides guidance on policy and security planning requirements for U.S. government agencies. |
| Match the parts of Recommendation for Key Management in the NIST SP 800-57 to the description. | Part 3: Application Specific Key Management Guidance - provides guidance when using the cryptographic features of current systems |
| An employee of a cybersecurity consulting firm in the U.S. is assigned to help assess the system and operation vulnerabilities of several financial institutions in Europe. The task includes penetration tests for compliance. What is a key element the empl | documentation of permission for performing the tests from the client institutions |
| Which legal document should be provided to the cybersecurity professional that specifies the expectations and constraints, including quality of work, timelines, and cost? | service-level agreement (SLA) |
| Document provided to the cybersecurity professional that specifies a detailed and descriptive list of all the deliverables, including the scope of the project, the timeline and report delivery schedule, the location of the work, and the payment schedule? | statement of work (SOW) |
| The company wants the consultant to disclose information to them and no one else. Which type of NDA agreement should be presented to the consultant? | unilateral NDA |
| Which document must the consultant receive that specifies the agreement between the consultant and the company for the penetration testing engagement? | contract |
| In which section of the report should the consultant cover the limitations of the work performed, such as the dates on which testing was performed and the fact that the findings in the report do not guarantee that all vulnerabilities are covered? | disclaimers |
| A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. What are three examples of typical elements in the rules of engagement document? (Choose three.) | testing timeline; location of testing; preferred method of communication |
| www1.company.com and www2.company.com, with no social engineering attacks and no cross-site scripting attacks. Which element in the document is used for the specification? | types of allowed or disallowed tests |
| A company hires a cybersecurity consultant to assess applications using different APIs. Which document should the company provide to the consultant about an XML-based language used to document a web service’s functionality? | Web Services Description Language (WSDL) document |
| A company hires a cybersecurity consultant to assess applications using different APIs. Which document should the company provide to the consultant about a query language for APIs and a language for executing queries at runtime? | GraphQL documentation |
| A company hires a cybersecurity consultant to assess vulnerabilities on crucial web application devices such as web and database servers. Which document should the company provide to help the consultant document and define which systems are included in the testing? | system and network architectural diagram |
| A company hires a cybersecurity consultant to perform penetration tests. What can cause scope creep of the engagement? | ineffective identification of what technical and nontechnical elements will be required for the penetration test. |
| A company hires a cybersecurity consultant to perform penetration tests. What should be the consultant’s first step in validating the engagement scope? | Question the company contact person and review contracts. |
| A company hires a cybersecurity consultant to perform penetration tests. The consultant is working with the company to set up communication procedures. Which two protocols should be considered for exchanging emails securely? (Choose two.) | PGP; S/MIME |
| A company hires a cybersecurity consultant to perform penetration tests. The consultant is discussing the penetration testing strategy with the company. Which statement describes the term unknown-environment testing? | This type of testing is where the consultant will be provided with very limited information about the targeted systems and network. |
| A company hires a cybersecurity consultant to perform penetration tests. What is the key difference between unknown-environment testing and known-environment testing? | the amount of information provided to the consultant |
| Which two tools could be used to gather DNS information passively? (Choose two.) | Recon-ng; Dig |
| When performing passive reconnaissance, which Linux command can be used to identify the technical and administrative contacts of a given domain? | whois |
| Which specification defines the format used by image and sound files to capture metadata? | Exchangeable Image File Format (Exif) |
| Why would a penetration tester perform a passive reconnaissance scan instead of an active one? | to collect information about a network without being detected |
| What type of server is a penetration tester enumerating when they enter the `nmap -sU` command? | DNS, SNMP, or DHCP server |
| What is the disadvantage of conducting an unauthenticated scan of a target when performing a penetration test? | Vulnerabilities of services running inside the target may not be detected. |
| What is required for a penetration tester to conduct a comprehensive authenticated scan against a Linux host? | user credentials with root-level access to the target system |
| In which circumstance would a penetration tester perform an unauthenticated scan of a target? | when user credentials were not provided |
| Why would a penetration tester use the `nmap -sF` command? | when a TCP SYN scan is detected by a network filter or firewall |
| What is the purpose of host enumeration when beginning a penetration test? | to identify all active IP addresses within the scope of the test |
| What can be deduced when a tester enters the `nmap -sF` command to perform a TCP FIN scan and the target host port does not respond? | that the port is open |
| What is the disadvantage of running a TCP Connect scan compared to running a TCP SYN scan during a penetration test? | The extra packets required may trigger an IDS alarm. |
| When a penetration test identifies a vulnerability, how should the vulnerability be further verified? | determine if the vulnerability is exploitable |
| Why is the Common Vulnerabilities and Exposures (CVE) resource useful when investigating vulnerabilities detected by a penetration test? | It is an international consolidation of cybersecurity tools and databases. |
| What is the purpose of applying the Common Vulnerability Scoring System (CVSS) to a vulnerability detected by a penetration test? | to calculate the severity of the vulnerability |
| A threat actor is looking at the IT and technical job postings of a target organization. What would be the most beneficial information to capture from these postings? | the type of hardware and software used |
| How is open-source intelligence (OSINT) gathering typically implemented during a penetration test? | by using public internet searches |
| What initial information can be obtained when performing user enumeration in a penetration test? | a valid list of users |
| What useful information can be obtained by running a network share enumeration scan during a penetration test? | systems on a network that are sharing files, folders, and printers |
| A penetration tester must run a vulnerability scan against a target. What is the benefit of running an authenticated scan instead of an unauthenticated scan? | Authenticated scans can provide a more detailed picture of the target attack surface. |
| What are three considerations when planning a vulnerability scan on a target production network during a penetration test? (Choose three.) | the timing of the scan; the available network bandwidth; the network topology |
| When performing a vulnerability scan of a target, how can adverse impacts on traversed devices be minimized? | The scan should be performed as close to the target as possible. |
| A company hires a cybersecurity consultant to conduct a penetration test to assess vulnerabilities in network systems. The consultant is preparing the final report to send to the company. What is an important feature of a final penetration test report? | It gives an accurate presentation of vulnerabilities. |
| What is the advantage of using the target Wi-Fi network for reconnaissance packet inspection? | Physical access to the building may not be required. |
| What guidance does the NIST Cybersecurity Framework provide to help improve an organization’s cybersecurity posture? | The framework outlines standards and industry best practices. |
| What type of threat allows an attacker to obtain the credentials of a bank client by spoofing the login webpage of a financial institution? | malvertising |
| What is a watering hole attack? | an attack that exploits a website that is commonly accessed by members of a targeted organization |
| What is the act of gaining knowledge or information from a victim without directly asking for that particular information? | elicitation |
| A threat actor has altered the hosts file for a commonly accessed website on the computer of a victim. Now when the user clicks on the website link, they are redirected to a malicious website. What type of attack has the threat actor accomplished? | pharming |
| Why would a threat actor use the Social-Engineering Toolkit (SET)? | to send a spear phishing email |
| Which option is a voice over IP management tool that can be used to impersonate caller ID? | Asterisk |
| A salesperson is attempting to convince a customer to buy a product because limited supplies are available. Which social engineering method of influence is being used by the salesperson? | scarcity |
| What method of influence is characterized when a celebrity endorses a product on social media? | social proof |
| Therefore, the Apple brand is associated with ideals and values that customers can relate to and support. What method of influence is being used by Apple? | likeness |
| A threat actor has sent a phishing email to a victim stating that suspicious activity has been detected on their bank account and that they must immediately click on a provided link to change their password. What method of influence is being used by the threat actor? | urgency |
| Which social engineering physical attack statement is correct? | Shoulder surfing can be prevented by using special screen filters for computer displays. |
| Which tool provides a threat actor a web console to manipulate users who are victims of cross-site scripting (XSS) attacks? | BeEF |
| Which Apple iOS and Android tool can be used to spoof a phone number? | SpoofApp |
| What two physical attacks are mitigated by using access control vestibules? (Choose two.) | tailgating; piggybacking |
| Which two access control options are commonly used in conjunction with access control vestibules? (Choose two.) | proximity card and PIN; biometric scan |
| Which resource would mitigate piggybacking and tailgating? | security guard |
| Which tool can launch social engineering attacks and be integrated with third-party tools and frameworks such as Metasploit? | SET |
| Who is the target of a whaling attack? | upper managers such as the CEO or key individuals in an organization |
| What is the purpose of a vishing attack? | to convince a victim on a phone call to disclose private or financial information |
| Which Apple iOS and Android tools can spoof a phone number, record calls, and generate different background noises? | SpoofCard |
| To claim their prize, the victim must click the provided link and enter their bank account information. What social engineering attack can be accomplished if the user enters their banking information? | SMS phishing |
| Which tool permits post-exploitation activities, such as Windows reverse VNC DLL and reverse TCP shell? | SET |
| Which tool can send fake notifications to the browser of a victim? | BeEF |
| A new employee is celebrating their position with a large company by posting a picture of their access identification on social media. What kind of physical attack has the new employee unknowingly enabled? | badge cloning |
| A user has found a USB pen drive in the corporate parking lot. What should the user do with this pen drive? | deliver the pen drive to the security sector of the company |
| Which NetBIOS service is used for connection-oriented communication? | NetBIOS-SSN |
| Match the port type and number with the respective NetBIOS protocol service. | UDP port 138: NetBIOS Datagram Service; UDP port 137: NetBIOS Name Service; TCP port 445: SMB protocol; TCP port 139: NetBIOS Session Service; TCP port 135: Microsoft Remote Procedure Call (MS-RPC) |
| What two features are present on DNS servers using BIND 9.5.0 and higher that help mitigate DNS cache poisoning attacks? (Choose two.) | randomization of ports; provision of cryptographically secure DNS transaction identifiers |
| What UDP port number is used by the SNMP protocol? | 161 |
| Which is a characteristic of a DNS poisoning attack? | The DNS resolver cache is manipulated. |
| Which Kali Linux tool or script can gather information on devices configured for SNMP? | snmp-check |
| Match the SMTP command with the respective description. | MAIL: Used to denote the email address of the sender; RSET: Used to cancel an email transaction; EHLO: Used to initiate a conversation with an Extended Simple Mail Transport Protocol server |
| Match the SMTP command with the respective description. | DATA: Used to initiate the transfer of the contents of an email message; STARTTLS: Used to start a Transport Layer Security connection to an email server; HELO: Used to initiate an SMTP conversation with an email server |
| Which two best practices would help mitigate FTP server abuse and attacks? (Choose two.) | use encryption at rest; require re-authentication of inactive sessions |
| Which is a characteristic of the pass-the-hash attack? | capture of a password hash (as opposed to the password characters) and using the same hashed value for authentication and lateral access to other networked systems |
| What is a Kerberoasting attack? | It is a post-exploitation attempt that is used to extract service account credential hashes from Active Directory for offline cracking. |
| Match the attack type with the respective description. | Reflected DOS - This attack uses spoofed packets that appear to be from the victim. Then the sources become unwitting participants in the attack by sending the response traffic back to the intended victim. |
| Match the attack type with the respective description. | DNS Amplification - This is an attack in which the attacker exploits vulnerabilities in target servers to initially turn small queries into much larger payloads, which are used to bring down the servers of the victim. |
| Match the attack type with the respective description. | Direct DOS - This occurs when the source of the attack generates the packets, regardless of protocol, application, and so on, that are sent directly to the victim of the attack. |
| Match the attack type with the respective description. | DDOS - This attack uses botnets that can be manipulated from a command and control (CnC, or C2) system. |
| Match the attack type with the respective description. | Route Manipulation attacks - typically a BGP hijacking attack by configuring or compromising an edge router to announce prefixes that have not been assigned to the organization |
| Match the attack type with the respective description. | Downgrade attacks - the attacker forces a system to favor a weak encryption protocol or hashing algorithm that may be susceptible to other vulnerabilities |
| Match the attack type with the respective description. | DHCP Starvation attack - an attacker floods a server with bogus DISCOVER packets until the server exhausts the supply of IP addresses |
| Match the attack type with the respective description. | VLAN Hopping attack - an attacker bypasses any Layer 2 restrictions built to divide hosts |
| Match the attack type with the respective description. | MAC address spoofing attack - an attacker spoofs the physical address of the NIC device to match the address of another on a network in order to gain unauthorized access or launch a Man-in-the-Middle attack |
| Which tool can be used to perform a Disassociation attack? | Airmon-ng |
| Which is a characteristic of a Bluesnarfing attack? | An attack that can be performed using Bluetooth with vulnerable devices in range. This attack actually steals information from the device of the victim. |
| Which Wi-Fi protocol is most vulnerable to a brute-force attack during a Wi-Fi network deployment? | WPS |
| What does the MFP feature in the 802.11w standard do to protect against wireless attacks? | It helps defend against deauthentication attacks. |
| What is a DNS resolver cache on a Windows system? | It is a temporary database that contains records of all the recent visits and attempted visits to websites and other internet domains. |
| Match the TCP port number with the respective email protocol that uses it. | 465: The port registered by the Internet Assigned Numbers Authority (IANA) for SMTP over SSL (SMTPS); 587: The Secure SMTP (SSMTP) protocol for encrypted communications, as defined in RFC 2487, using STARTTLS |
| Match the TCP port number with the respective email protocol that uses it. | 143: The default port used by the IMAP protocol in non-encrypted communications; 995: The default port used by the POP3 protocol in encrypted communications; 993: The default port used by the IMAP protocol in encrypted (SSL/TLS) communications |
| Which is the default TCP port used in SMTP for non-encrypted communications? | 25 |
| What is a characteristic of a Kerberos silver ticket attack? | It uses forged service tickets for a given service on a particular server. |
| Which attack is a post-exploitation activity that an attacker uses to extract service account credential hashes from Active Directory for offline cracking? | Kerberoasting |
| Which four items are needed by an attacker to create a silver ticket for a Kerberos silver ticket attack? (Choose four.) | system account SID FQDN target service |
| Which kind of attack is an IP spoofing attack? | On-path |
| What is a common mitigation practice for ARP cache poisoning attacks on switches to prevent spoofing of Layer 2 addresses? | DAI |
| An attacker is launching a reflected DDoS attack in which the response traffic is made up of packets that are much larger than those that the attacker initially sent. Which type of attack is this? | amplification |