Cybersecurity Fundamentals: Tools, Protocols, and Ethical Hacking Q&A

Cybersecurity Fundamentals and Controls

Security Controls and Policy Implementation

Q: You’ve been asked to implement a set of standards to support a policy. What type of security control are you developing?

A: Administrative

Q: Which type of security control is a firewall?

A: Technical

Q: Which of the following is one factor of a defense-in-depth approach to network design?

A: Access control lists on routers

Q: What additional properties does the Parkerian hexad offer over the CIA triad?

A: Utility, possession, and authenticity

Risk Management and Security Principles

Q: How would you calculate risk?

A: Probability * loss

Q: Management has been informed of a risk to personally identifiable information (PII) that results from an application being developed and managed by the company. They have chosen not to do anything with the risk. What risk management approach have they taken?

A: Risk acceptance

Q: If you were on a client engagement and discovered that you had left an external hard drive with essential data on it at home, which of the security principles would you be violating?

A: Availability

Ethical Hacking and Attack Lifecycle

Hacking Roles and Methodologies

Q: Which type of hacking involves looking for vulnerabilities in a computer or network system to test a target and ultimately fix them?

A: Ethical

Q: Which of the following hackers refers to people who always do their work for good?

A: White-hat

Q: Who among the following hackers is engaged in potentially illegal activities, such as attacking computer systems for malicious purposes?

A: Black-hat

Q: Which teaming is the practice of rigorously challenging plans, policies, systems, and assumptions by adopting an adversarial approach?

A: Red

Q: Which of the following is most important when you embark on an engagement, regardless of whether you are working on a contract or are a full-time employee?

A: Communication

Q: Which of the following is an act of locating weaknesses and vulnerabilities of information systems by copying the intent and actions of malicious hackers?

A: Penetration testing

Reconnaissance and Attack Phases

Q: Which of the following describes the process of identifying information about the target before an attack, a crucial step in ethical hacking?

A: Reconnaissance

Q: Which method identifies the size and scope of the target network?

A: Footprinting

Q: Which of the following phases of the cyber kill chain model allows the outside server to communicate with the weapons providing “hands-on keyboard access” inside the target’s network?

A: Command and control

Q: What is meant by establishing footholds in the attack lifecycle?

A: Ensuring that the attackers retain access to the system so they can get back in when they need to.

Q: Which of the following ethical hacking stages installs any access mechanism to persist on a system?

A: Maintaining access

Q: Which of these is not an example of an attack that compromises integrity?

A: Watering hole

Q: Which type of attack is a compromise of availability?

A: DoS (Denial of Service)

Q: An attacker has registered the domain name ‘facebookmailings.com’ to send phishing messages. Which MITRE ATT&CK category does this fall into?

A: Resource development

Q: Which of the following server types are used by attackers to send commands to malware residing on endpoints?

A: C2 (Command and Control)

Q: Which of the following is a collection of software tools that gives a threat actor remote access to and control over a computer or other system?

A: Rootkit

Q: What is the main purpose of the Rain Forest Puppy Policy (RFP or RFPolicy)?

A: Ensures that vendors have time to fix issues before they are announced.

Information Gathering and Enumeration Tools

Vulnerability Scanning and Evasion

Q: If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?

A: They were trying to reduce false positives

Q: Which of these may be considered an evasive technique?

A: Encoding data

Q: Which of these may be considered the worst practice when it comes to vulnerability scans?

A: Taking no action on the results.

OSINT and Public Data Sources

Q: What information would you not expect to find in the response to a whois query about an IP address?

A: Domain association

Q: If you wanted to locate detailed information about a person using either their name or a username you have, which website would you use?

A: PeekYou

Q: What would you use the website PeekYou for?

A: Person search

Q: Which social networking site would be most likely to be useful in gathering information about a company, including job titles?

A: LinkedIn

Q: Which tool could be used to gather email addresses from PGP servers such as Bing, Google, or LinkedIn?

A: theHarvester

Q: What would you use the tool Sherlock for?

A: Looking for potential usernames

Q: What are you looking for with the following Google dork or Google query? site:pastebin.com intext:password.txt

A: A file of passwords on a common storage website.

Enumeration Utilities

Q: What is the purpose of using MegaPing?

A: Running a port scan

Q: What would you be trying to enumerate if you were to use enum4linux?

A: Shares and/or users

Q: Which of these is a built-in program on Windows for gathering information using SMB?

A: nbtstat

Q: Which of these is not a way to protect against enumeration with SMB?

A: Implement the latest NetBIOS patches

Q: The utility dirb is used for what purpose?

A: Directory enumeration

Networking Protocols and Scanning Techniques

TCP/IP Stack and Addressing

Q: From bottom to top, what order does the TCP/IP architecture use?

A: Link, Internet, Transport, and Application

Q: In computer networking, what is the protocol data unit (PDU) for the Transmission Control Protocol (TCP)?

A: Segment

Q: The UDP headers contain which of the following fields?

A: Destination port, source port, checksum, and length

Q: If you wanted a lightweight protocol to send real-time data over, which of these would you use?

A: UDP

Q: Which network topology are you most likely to run across in a large enterprise network?

A: Star-bus hybrid

Q: What is the common separator for the 6 octets of a MAC address?

A: Colons

Q: Which of these addresses would be considered a private address (RFC 1918 address)?

A: 172.20.128.240

Q: If you were to see the subnet mask 255.254.0.0, which CIDR notation (prefix) would you use to indicate the same thing?

A: /15

Q: Which header field is used to reassemble fragmented Internet Protocol packets?

A: IP identification

Q: Which protocol is necessary to enable the functionality of traceroute?

A: ICMP

Nmap and Scanning Parameters

Q: What number does the MTU setting need to be a multiple of when you are using MTU fragmenting with nmap?

A: Eight

Q: If you wanted to have nmap perform fragmentation for you, which command-line parameters could you use?

A: -f and --mtu

Q: What is the difference between the SYN scan and a full connect scan?

A: The SYN scan doesn’t complete the three-way handshake

Q: What is an Xmas scan?

A: TCP scan with FIN/PSH/URG set

Q: Why does an ACK scan not indicate clearly that ports are open?

A: The target system ignores the message.

Q: What is nmap looking at when it conducts a version scan?

A: Application banners

Q: What command-line parameter would you use to perform a decoy scan with nmap?

A: -D

Q: When could you use MAC spoofing with your nmap scan?

A: If you were on the local network

Q: Which of these tools allows you to create your own enumeration function based on ports being identified as open?

A: nmap

Q: What is the main purpose of fragroute?

A: Fragmenting application traffic

Q: If you were to see the command hping -S -p 25 10.5.16.2, what would you assume?

A: Someone was trying to probe an email port on the target.

Q: What information could you get from running p0f?

A: Uptime

Q: What type of scan would you use to take advantage of firewall rules that may be in place to accommodate protocols like DNS and FTP?

A: Source port spoofing

Specialized Protocols and Services

DNS and Email Protocols

Q: What record would you use to identify a name server associated with a specific domain?

A: NS

Q: What would you get by running the command dig ns domain.com?

A: Name server records for domain.com

Q: What two records are referenced in this given query response?

A: CNAME and A

Q: Which SMTP command would be easiest to disable to prevent attackers from misusing it for enumeration?

A: VRFY

Q: If you try to use the VRFY command against an SMTP server and it fails, what status code will you get?

A: 550

Q: You are working with a colleague and you see them interacting with an email server using the VRFY command. What is your colleague doing?

A: Verifying email addresses

Remote Procedure Calls (RPC) and SMB

Q: What underlying functionality does SMB need to enable Windows file sharing?

A: RPC

Q: What are RPCs primarily used for?

A: Interprocess communications

Q: What tool does a Java program need to use to implement remote process communication?

A: rmic

Q: Which process do Java programs register with when they share procedures over the network?

A: RMI registry

SNMP and IoT

Q: Which version of SNMP should network administrators be running?

A: V3

Q: What version of SNMP introduced encryption and user-based authentication?

A: Version 3

Q: Which of these devices would not be considered part of the Internet of Things?

A: Smartphone

Q: Which of these protocols would be used to communicate with an IoT device?

A: HTTP

Security Solutions and Regulatory Compliance

Detection and Prevention Systems

Q: What can an intrusion prevention system do that an intrusion detection system can’t?

A: Block or reject network traffic

Q: Which of the following products might be used as an intrusion detection system (IDS)?

A: Snort

Q: To remove malware in the network before it gets to the endpoint, you would use which of the following?

A: UTM appliance

Q: What important function can EDR offer to security operations staff?

A: All of these

Q: Your risk management team has asked for a technical control that could mitigate the risk that may be associated with insider threat. Which of these controls would work for that?

A: IAM solution

Q: Which Metasploit module would you use to take advantage of potentially weaker permissions on an end user’s workstation?

A: auxiliary/scanner/smb/smb_enumshares

Cloud and Regulatory Bodies

Q: Which of these services would be considered a “storage as a service” solution?

A: iCloud

Q: Which financial filing is required for public companies and would provide you with the annual report?

A: 14-A

Q: If you were looking for detailed financial information on a target company, with what resource would you have the most success?

A: EDGAR

Q: If you were looking for definitive documentation on a protocol, what would you consult?

A: RFC

Q: If you were checking on the IP addresses for a company in France (Europe), which RIR would you be checking with for details?

A: RIPE NCC

Q: If you were looking up information about a company in New Zealand, which RIR would you be looking in for data?

A: APNIC