What type of attack involves the attacker modifying the source IP address of the packet quizlet?

Upgrade to remove ads

Only SGD 41.99/year

1. Social Science
2. Sociology

Terms in this set (117)

John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Chris, an attacker, spots John's listing and notices the bolded words. Chris assumes HTML tags are enabled on the user end and uses this vulnerability to insert his own script, which will send him a copy of the cookie information for any user who looks at the ad.
Which type of attack method is Chris most likely using?

Cross-site scripting

A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem?

Run a network bandwidth test on the company's network to determine if there are any anomalies.

Which of the following is a type of malware that can be purchased in a ready-to-use state, is created to be used with a variety of targets, can be integrated with other malware programs, and can be implemented in stages?

Commodity malware

Which of the following is a valuable resource for security analysts to find out what the newly discovered Trojan and malware risks are?

it-isac.org

A security analyst discovers that a system has been compromised through the building's thermostat. Which type of attack is this compromise from?

IoT Trojan

Which type of malware can infect the core of an operating system, giving an attacker complete control of the entire system remotely, including the ability to change code?

Rootkit

Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)

Rootkit
Ransomware

You are testing a compromised machine on an isolated network, and you find a web server running on an open port. When you browse to it, you see the following information. Which kind of infection does this computer have?

Remote Access Trojan

File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?

Malware signature

Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?

Static analysis

Your company has just completed social engineering training for all employees. To test the training's effectiveness, you have been tasked with creating a simple computer virus that creates a file on a user's desktop. Approximately how long will you need to create the virus?

Less than one day

Which cybersecurity approach seeks to asymmetrically put the odds in the security analyst's favor by using maneuverability of sensitive data, honeypots, and anti-malware programs?

Active defense approach

A Windows machine in your office has been sending and receiving more traffic than usual, and a user is complaining that it has a slow connection. Your manager would like statistics on all protocol traffic to and from that machine over Ethernet. The netstat command can do that, but you need to know the switch that will give an output similar to what is shown below. Which command and options should you use?

netstat -e -s

A new openSSH vulnerability has been discovered. You are tasked with finding all systems running an SSH service on the network. The nmap 192.168.122.0/24 command has been run to find all potentially vulnerable systems, and the output is shown below. Which machines on the following IP addresses will likely need their SSH software updated immediately? (Select two.)

192.168.122.82
192.168.122.1

Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?

Run anti-malware scans

A machine on your network has been infected with a crude ransomware application. You have obtained a copy of the software and are reverse engineering it with Ghidra. You are hoping that the password for the software is hard-coded into the application. You are presented with the default view in Ghidra, which displays the assembly (machine) code for the application. What might you do next to locate the password?

Use a string search looking for "password" and its variants.

A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try?

Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.

Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?

Run an antivirus software scan on Karen's device and scan the entire network.

A suspicious program is run in a controlled environment, where a security analyst monitors the program's execution to track the effect it has on computer resources, like its operating system. The analyst can set breakpoints or pause the program for reports on memory content, storage devices, or CPU registers. Which reverse engineering tool is the analyst using?

Debugger

Which of the following BEST describes a disassembler program?

A program that translates machine code into assembly language, or low-level language.

Jake, a security analyst, has been asked to examine the malware found on the company's network. He decides the best place to start is to use a tool to translate the executable files to assembly language so he can understand what the malware can do and what it can impact. Which tool is the BEST choice for Jake to use?

IDA Pro

Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?

MAC flooding

There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?

sniffer-detect

You configure your switches to shut down a port immediately after it being accessed by an unauthorized user. Which type of attack are you trying to prevent?

Sniffing

After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?

Implement switched networks.

You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic?

tcpdump port 22

While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings?

There is a website that someone on your network logged into that has no encryption.

An attacker sends forged Address Resolution Protocol Reply packets over a LAN to a target machine. These packets include an IP address that matches the gateway's IP address but retains its own MAC address. The target machine then sends all traffic to the attacker's machine, believing it is the gateway. Which type of attack just happened?

ARP poisoning

An attacker has captured the username and password from an executive in your organization through ARP poisoning during an on-path (man-in-the-middle) attack. Which of the following will be MOST likely to stop this form of attack in the future?

Implement HTTPS

An attacker has, through reconnaissance, discovered the MAC address to Sam Black's computer. Sam is a user in your network with admin privileges. The attacker uses a software tool that allows him or her to mimic Sam's MAC address and use it to access your network. Which type of attack has the attacker performed?

MAC spoofing

A security analyst was alerted in real time that there is unusual incoming traffic on the network. The traffic was not and could not be prevented or altered by the program. Which type of program MOST likely sent the alert to the security analyst?

NIDS

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what Jason has done?

Active hijacking

You have decided to configure an ARP cache poisoning on-path (man-in-the-middle) attack to test a new computer on your network to verify that it connects to required company resources securely. After defining the target hosts in Ettercap and capturing data during several login attempts, you see the following. What should your next step be in checking for a cookie hijacking attack?

Copy the user_token field value and use a cookie copy tool, such as the Google Chrome Copy Cookies extension, to attempt to access the same resource found at the URL listed.

While reviewing a machine that a user has reported for strange behavior, you decide to use ipconfig to review its network configuration. Afterward, you see the output shown below. No changes were made manually to the machine's network configuration and all IP configuration is automatic. The proper default gateway for this network segment is 10.10.10.1. Which of the following would explain the output shown

The machine in question is being targeted by a DHCP on-path (man-in-the-middle) attack.

The following steps describe the process for which type of attack?
Locate and sniff an active connection between a host and web server.
Monitor traffic to either capture or calculate the session ID.
Desynchronize the session.
Remove the authenticated user.
Inject packets to the server.

Session hijacking

Which of the following frame (packet) subtrees would you expand in order to view the POST data that was captured by Wireshark?

The HTML Form URL Encoded: subtree would have the POST data

Which of the following is an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field?

Reflected cross-site scripting

Which of the following BEST describes a TCP session hijacking attack?

An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.

You have been hired by an organization that has been victimized by session hijacking. What is one of the most important steps you as a security analyst can take to prevent further session hijacking attacks?

Encrypt network traffic.

Which IPsec method is the most used and protects an entire packet by wrapping it with a new IP header, encrypting it, and then sending it on to the receiving host?

Tunnel mode

In 2016, an attacker used a botnet of security cameras, DVRs, and network printers to target a cloud-based internet performance management organization that provided DNS services to large corporations. This created connectivity issues for legitimate users across the United States and Europe. Which type of attack was MOST likely used in this scenario?

DDoS attack

Which of the following attack types overflows the server, causing it to not function properly?

DoS

The information below is from Wireshark. Which kind of attack is occurring?

A DDoS attack

Which of the following BEST describes a DoS fragmentation attack?

An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.

Which of the following tools would you use to perform a SYN flood attack?

Metasploit

An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends packets to the broadcast address network, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this?

Smurf DDoS attack

While analyzing network traffic on your company network, you see the following in Wireshark. What appears to be happening?

There is an ICMP flood attack.

You train your staff to notify you if they notice any of the following signs:
- Services are unavailable or very slow
- Unexpected 503 error messages
- Abnormal spikes in network traffic
- Customer complaints about access
Which type of attack are you preparing against?

DDoS attack

Which of the following BEST describes steps in an active defense against DDoS attacks?

Train staff for warning signs, allow only necessary outside access to servers, and configure network devices' preexisting mitigation settings, like router throttling.

What is a likely motivation for DoS and DDoS attacks?

Injury of the target's reputation

Which of the following SQL injection attack types uses true/false questions to perform reconnaissance?

Blind injection attack

Which of the following BEST describes a relational database?

A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys.

Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate?

SQL injection

You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for?

Any results that show something unexpected being passed back from the server

The field in the image below is supposed to return just the username associated with the user ID (a number). The output in the image, however, includes more information, including the username running the database. What is being exploited here?

SQL injection

A security analyst is testing to find SQL injection vulnerabilities. She uses automation of a large volume of random data inserted into the web application's input fields in order to check the output. Which type of testing was done?

Fuzz testing

Which of the following are uses for the sqlmap utility? (Select two.)

To detect vulnerable web apps
To determine SQL server parameters, including version, usernames, operating systems, etc.

An attacker performs a successful SQL injection attack against your employer's web application that they use for daily business. What is the MOST likely reason the web application was vulnerable to attack?

Input fields in the comment forms were not being validated.

An attacker wants to use a SQL injection attack against your web application. Which of the following can provide useful information to the attacker about your application's SQL vulnerabilities?

Error messages

In actively defending against SQL injection attacks, you create queries that have placeholders for values from your users' input. Which of the following SQL injection countermeasures did you implement with these queries?

Prepared statements

Which of the following attacks involves modifying the IP packet header and source address to make it look like they are coming from a trusted source?

Spoofing

Drag the possible detection state to the matching description:

The system accurately detected a threat.
True-Positive

The system accurately detected legitimate traffic and did not flag it.
True-Negative

The system flagged harmless traffic as a potential threat.
False-Positive

Malicious traffic is flagged as harmless.
False-Negative

You are the security analyst for your organization. During a vulnerability analysis, you have discovered what looks to be malware, but it does not match any signatures or identifiable patterns.
Which of the following BEST describes the threat you have discovered?

Zero-day

You are the security analyst for your organization. During a vulnerability analysis, you have noticed the following:
File attributes being altered
Unknown .ozd files
Files that do not match the existing naming scheme
Changes to the log files
Which of the following do these signs indicate has occurred?

Host-based intrusion

The network IDS has sent alerts regarding malformed messages and sequencing errors. Which of the following IDS detection methods is most likely being used?

Protocol

You are in the process of configuring pfSense Snort as your intrusion detection and prevention system (IDS/IPS). You want to ensure that it includes the anti-malware IDS/IPS rule set that enables users with cost constraints to enhance their existing network-based malware detection.
Select the option that would add these rule sets.

Click to enable download of Emerging Threats Open rules

You are in the process of configuring pfSense Snort as your intrusion detection and prevention system (IDS/IPS). You have configured the options shown in the image, but when you try to save your changes, pfSense won't let you continue.
What did you forget to configure?

A Snort Oinkmaster Code was not entered.

You are in the process of configuring pfSense Suricata as your intrusion detection and prevention system (IDS/IPS). You have just finished configuring the Global Settings and have enable the installation of the ETOpen Emerging Threats rules.
To get these rules, select the option tab you must use next.

Updates

You discover that your network is under a DDoS SYN flood attack. Which of the following DDoS attack methods does this fall under?

Protocol DDoS

Fill in the missing piece of the command:
Nmap has the ability to generate decoys that make the detection of the actual scanning system become much more difficult. The nmap command to generate decoys is nmap ____ RND:10 target_IP_address

-D

In what order are rules in an ACL processed?

Top to bottom

You are configuring a new email server for your organization and need to implement a firewall solution. The firewall will be designed to handle connections to the email server.
Which of the following would be the BEST firewall solution?

Bastion host

While configuring a perimeter firewall on your network using pfSense, you created the rule shown in the image. The intent of the rule is to allow secure traffic coming from the internet through the firewall and to the web server (172.16.1.5) in the DMZ.
What have you configured incorrectly?

The source and destination ports should be HTTPs.

Which of the following needs to be configured so a firewall knows which traffic to allow or block?

Rules

Which of the following firewall evasion countermeasures should be implemented to mitigate firewall evasion? (Select two.)

Defense in Depth
Filtering an intruder's IP address

Which of the following firewall identification methods uses a TCP packet with a TTL value set to expire one hop past the firewall?

Firewalking

Which of the following firewall evasion techniques is used to redirect a user to a malicious website?

DNS poisoning

You have just run the nmap command shown below. Which vulnerabilities were found on the target firewall?

VPN

Which of the following BEST describes a network policy?

A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.

You have just finished creating several network polices using the Network Policy Server (NPS) as shown in the image. Vera belongs to the Sales, Marketing, and Research groups.
What kind of access will Vera have?

She will be granted access because she belongs to the Sales group, and that group is evaluated first.

Which of the following should be designed to look and function like a real resource in order attract attackers?

Honeypot

Which of the following honeypot interaction levels simulates a real OS, its applications, and its services?

Medium

Which type of honeypot is a high-interaction honeypot that is deployed by research institutes, governments, or military organizations to gain detailed knowledge about the actions of intruders?

Research honeypot

Which of the following is a popular honeypot that can be used to create thousands of other honeypots?

Honeyd

Which of the following uses the TCP/IP stack and is effectively employed to slow down the spread of worms, backdoors, and similar malware?

Layer 4 tarpit

You created a honeypot server using Pentbox. After a while, you go back to the honeypot server to see what it has been capturing.
Which of the following can be gleaned from the results shown?

The operating system used by the attacker

Your company has decided to use a Pentbox honeypot to learn which types of attacks may be targeting your site. They have asked you to install and configure the honeypot. You have already installed Pentbox.
Which menu allows you to configure the honeypot?

2- Network tools

Which of the following should be implemented as protection against malware attacks?

DNS sinkhole

Cisco devices have a special interface called _____, which is designed to act as a blackhole.

null0

Which of the following blackhole implementations sends traffic going to a specific destination to the blackhole?

Remote blackhole filtering

Which of the following web server technologies does Linux typically use?

Apache

What does the HTTP response message 5xx indicate?

The server did not complete the request.

Which of the following HTTP request/response types is used to request that the web server send data using HTML forms?

POST

Which of the following attacks would use the following syntax?
http://www.testout.com.br/../../../../ some_dir/ some_file

Directory traversal

Which of the following attack types takes advantage of user input fields on a website?

HTTP response splitting

You are the security analyst working for CorpNet (198.28.1.1). You are trying to see if you can discover weaknesses in your network. You have just run the nmap command shown in the image.
Which weakness, if any, was found?

A compromise was found while scanning port 8080.

You have just used OWASP ZAP to run a vulnerability scan on your company's site.
From the Information window, select the tab that lets you view the vulnerabilities found.

Alerts

Which of the following attacks is a SYN flood attack an example of?

Protocol DDoS

You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have been capturing data for a while using Wireshark and are now examining the filtered FTP results. You see that several employees are still using FTP.
Which user account used the password of lsie*$11?

jsmith

Drag the vulnerability to the appropriate mitigation technique.

Run all processes using the least privileged account. Use secure web permissions and access control mechanisms.
Unused User Accounts and Services

Disable the directory listing option and remove the ability to load non-web files from a URL
File and Directory Management

Use scripts and systems to compare file hash values with the master value to detect possible changes.
Website Changes

Remove user input fields when possible.
HTTP Response Splitting Attacks

Which of the following is used to define minimum security requirements a device must meet before it can connect to a network?

NAC

Which of the following NAC policies is MOST commonly implemented?

Health

Which of the following BEST describes the process of verifying that a device meets the minimum health requirements?

Posture assessment

Which of the following BEST describes the role of a remediation server?

Works to bring devices up to a minimum security level.

You are working with ACLs on your Windows machine and have created some complex permissions with many users and groups defined. Now you want to back up those permissions so that they can be restored in the event of a system failure. What is missing from the below command?

There has been no file name specified.

Which of the following permissions would take precedence over the others?

Deny Read

Which Windows command line tool can be used to show and modify a file's permissions?

icacls

Which of the following Windows permissions apply to local files and directories?

NTFS

You are the security administrator for your organization. You need to provide Mary with the needed access to make changes to the finances.xlsx file located in the Accounting directory.
Which of the following permissions should you set for Mary?

Allow Write permission on the finances.xlsx file.

Which of the following Linux permissions allows files to be added or deleted from a directory?

Write

Which web application architecture layer includes the physical devices that are used to access the web application?

Client/Presentation

Which type of web application is designed to work on Android or iOS?

Mobile

Which of the following types of attacks involves constructing malicious commands with the goal of modifying a database?

SQL injection

Which of the following attacks exploit vulnerabilities in the web application and allows the attacker to compromise a user's interactions with the app?

XSS

You are using Burpsuite to evaluate a new employee portal that will be put into production soon. Based on the highlighted POST traffic and the information in the bottom pane, what can you conclude?

The portal is using HTTP and login information is probably being transmitted in cleartext.

Which of the following works together by calling on each other, passing data to each other, and returning values in a program?

Function

Which command is used to allow a string to be copied in the code, but can be exploited to carry out overflow attacks?

strcpy

Sets found in the same folder

Chapter 12 Quizzes

35 terms

mizzybee

Chapter 14 Quizzes

23 terms

mizzybee

Web Application Attack Countermeasures

13 terms

ahmadhalimi

405 Midterm

230 terms

Kendra_Sharrock

Other sets by this creator

PSYCH 365 Unit 4 Quiz

52 terms

Kendra_Sharrock

PSYCH 365 Unit 3 Quiz

97 terms

Kendra_Sharrock

PSYCH 365 Unit 2 Quiz

72 terms

Kendra_Sharrock

PSYCH 365 Unit 1 Quiz

49 terms

Kendra_Sharrock

Other Quizlet sets

BA 350 FINAL - Chp. 7 Motivation

18 terms

Amanda_Both3

Biology Final Semester 1

11 terms

Alexandra_Romero224

Bio Review for Final

15 terms

dyanflores

Life Wellness

53 terms

gabriellajb1115

What type of attack involves the attacker modifying the source IP address of the packet?

Which of the following attacks involves modifying the IP packet header and source address to make it look like they are coming from a trusted source?

What type of attack involves the attacker sending too much data to a service or application that typically results in the attacker gaining administrative access to the system?

What type of attack is a password attack quizlet?