Last Updated on September 20, 2021 by Admin 2

312-38 : Certified Network Defender : Part 10

  1. John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

    „It is a Linux-based WLAN WEP cracking tool that recovers encryption keys. It operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.“

    Which of the following tools is John using to crack the wireless encryption keys?

    • Cain.
    • PsPasswd
    • Kismet
    • AirSnort
    Explanation:
    AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys.
    Answer option C is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:
    To identify networks by passively collecting packets
    To detect standard named networks
    To detect masked networks
    To collect the presence of non-beaconing networks via data traffic Answer option A is incorrect. Cain is a multipurpose tool that can be used to perform many tasks such as Windows password cracking, Windows enumeration, and VoIP session sniffing. This password cracking program can perform the following types of password cracking attacks:
    Dictionary attack
    Brute force attack
    Rainbow attack
    Hybrid attack
    Answer option B is incorrect. PsPasswd is a tool that helps Network Administrators change an account password on the local or remote
    system. The command syntax of PsPasswd is as follows:
    pspasswd [\\computer[,computer[,..] | @file [-u user [-p psswd]] Username [NewPassword]
    312-38 Part 10 Q01 025
    312-38 Part 10 Q01 025
  2. Which of the following statements are true about volatile memory? Each correct answer represents a complete solution. Choose all that apply.

    • The content is stored permanently and even the power supply is switched off.
    • A volatile storage device is faster in reading and writing data.
    • Read only memory (ROM) is an example of volatile memory.
    • It is computer memory that requires power to maintain the stored information.
    Explanation:
    Volatile memory, also known as volatile storage, is computer memory that requires power to maintain the stored information, unlike non-volatile memory which does not require a maintained power supply. It has been less popularly known as temporary memory. Most forms of modern random access memory (RAM) are volatile storage, including dynamic random access memory (DRAM) and static random access memory (SRAM). A volatile storage device is faster in reading and writing data.
    Answer options A and C are incorrect. Non-volatile memory, nonvolatile memory, NVM, or non-volatile storage, in the most basic sense, is computer memory that can retain the stored information even when not powered. Examples of non-volatile memory include read-only memory, flash memory, most types of magnetic computer storage devices (e.g. hard disks, floppy disks, and magnetic tape), optical discs, and early computer storage methods such as paper tape and punched cards.
  3. You are a professional Computer Hacking forensic investigator. You have been called to collect evidences of buffer overflow and cookie snooping attacks. Which of the following logs will you review to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.

    • Program logs
    • Web server logs
    • Event logs
    • System logs
    Explanation:
    Evidences of buffer overflow and cookie snooping attacks can be traced from system logs, event logs, and program logs, depending on the type of overflow or cookie snooping attack executed and the error recovery method used by the hacker.

    Answer option B is incorrect. Web server logs are used to investigate cross-site scripting attacks.

  4. John works as an Ethical Hacker for www.company.com Inc. He wants to find out the ports that are open in www.company.com’s server using a port scanner. However, he does not want to establish a full TCP connection. Which of the following scanning techniques will he use to accomplish this task?

    • TCP SYN
    • Xmas tree
    • TCP SYN/ACK
    • TCP FIN
    Explanation:
    According to the scenario, John does not want to establish a full TCP connection. Therefore, he will use the TCP SYN scanning technique. TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP connection is never opened. The steps of TCP SYN scanning are as follows:
    1.The attacker sends a SYN packet to the target port.
    2.If the port is open, the attacker receives the SYN/ACK message.
    3.Now the attacker breaks the connection by sending an RST packet.
    4.If the RST packet is received, it indicates that the port is closed.
    This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections.
    Answer option C is incorrect. In TCP SYN/ACK scanning, an attacker sends a SYN/ACK packet to the target port. If the port is closed, the victim assumes that this packet was mistakenly sent by the attacker, and sends the RST packet to the attacker. If the port is open, the SYN/ACK packet will be ignored and the port will drop the packet. TCP SYN/ACK scanning is stealth scanning, but some intrusion detection systems can detect TCP SYN/ACK scanning.
    Answer option D is incorrect. TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to the target port.
    If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker. If the port is open, the FIN packet will be ignored and the port will drop that packet. TCP FIN scanning is useful only for identifying ports of non-Windows operating systems because Windows operating systems send only RST packets irrespective of whether the port is open or closed.
    Answer option B is incorrect. Xmas Tree scanning is just the opposite of null scanning. In Xmas Tree scanning, all packets are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with the RST packet. Active monitoring of all incoming packets can help system network administrators detect an Xmas Tree scan.
  5. FILL BLANK

    Fill in the blank with the appropriate term.
    ______________ is a prime example of a high-interaction honeypot.

    • Honeynet
    Explanation:
    Honeynet is a prime example of a high-interaction honeypot. Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
  6. Which of the following tools is an open source protocol analyzer that can capture traffic in real time?

    • NetResident
    • Wireshark
    • Bridle
    • NetWitness
    • None
    Explanation:
    Wireshark is an open source protocol analyzer that can capture traffic in real time. Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but it has a graphical front-end, and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network interface into promiscuous mode.
    Wireshark uses pcap to capture packets, so it can only capture the packets on the networks supported by pcap. It has the following features:
    Data can be captured “from the wire” from a live network connection or read from a file that records the already-captured packets.
    Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
    Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
    Captured files can be programmatically edited or converted via command-line switches to the “editcap” program.
    Data display can be refined using a display filter. Plugins can be created for dissecting new protocols.
    Answer option C is incorrect. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
    Answer option D is incorrect. NetWitness is used to analyze and monitor the network traffic and activity.
    Answer option A is incorrect. Netresident is used to capture, store, analyze, and reconstruct network events and activities.
  7. Which of the following tools are NOT used for logging network activities in the Linux operating system? Each correct answer represents a complete solution. Choose all that apply.

    • PsLoggedOn
    • PsGetSid
    • Timbersee
    • Swatch
    Explanation:
    PsLoggedOn and PsGetSid are not logging tools. They are command-line utilities used in the Windows operating system.
    PsLoggedOn is an applet that displays both the local and remote logged on users. If an attacker specifies a user name instead of a computer, PsLoggedOn searches the computers in the network and tells whether the user is currently logged on or not. The command syntax for PsLoggedOn is as follows:
    psloggedon [- ] [-l] [-x] [\\computername | username]
    PsGetSid is a tool that is used to query SIDs remotely. Using PsGetSid, the attacker can access the SIDs of user accounts and translate an SID into the user name. The command syntax for PsGetSid is as follows:
    psgetsid [\\computer[,computer[,…] | @file] [-u username [-p password]]] [account|SID]
    Answer options C and D are incorrect. Timbersee and Swatch are tools used for logging network activities in the Linux operating system.
  8. FILL BLANK

    Fill in the blank with the appropriate term.
    The______________ model is a description framework for computer network protocols and is sometimes called the Internet Model or the DoD Model.

    • TCP/IP
    Explanation:
    The TCP/IP model is a description framework for computer network protocols. It describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination. Protocols exist for a variety of different types of communication services between computers. The TCP/IP Model is sometimes called the Internet Model or the DoD Model.
    The TCP/IP model has four unique layers as shown in the image. This layer architecture is often compared with the seven-layer OSI Reference Model. The TCP/IP model and related protocols are maintained by the Internet Engineering Task Force (IETF).
    312-38 Part 10 Q08 026
    312-38 Part 10 Q08 026
  9. Which of the following is a software tool used in passive attacks for capturing network traffic?

    • Intrusion prevention system
    • Intrusion detection system
    • Warchalking
    • Sniffer
    Explanation:
    A sniffer is a software tool that is used to capture any network traffic. Since a sniffer changes the NIC of the LAN card into promiscuous mode, the NIC begins to record incoming and outgoing data traffic across the network. A sniffer attack is a passive attack because the attacker does not directly connect with the target host. This attack is most often used to grab logins and passwords from network traffic. Tools such as Ethereal, Snort, Windump, EtherPeek, Dsniff are some good examples of sniffers. These tools provide many facilities to users such as graphical user interface, traffic statistics graph, multiple sessions tracking, etc.
    Answer option A is incorrect. An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.
    Answer option B is incorrect. An IDS (Intrusion Detection System) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
    Answer option C is incorrect. Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi wireless network. Having found a Wi-Fi node, the warchalker draws a special symbol on a nearby object, such as a wall, the pavement, or a lamp post. The name warchalking is derived from the cracker terms war dialing and war driving.
  10. Which of the following types of coaxial cable is used for cable TV and cable modems?

    • RG-8
    • RG-62
    • RG-59
    • RG-58
    Explanation:
    RG-59 type of coaxial cable is used for cable TV and cable modems.
    Answer option A is incorrect. RG-8 coaxial cable is primarily used as a backbone in an Ethernet LAN environment and often connects one wiring closet to another. It is also known as 10Base5 or ThickNet.
    Answer option B is incorrect. RG-62 coaxial cable is used for ARCNET and automotive radio antennas.
    Answer option D is incorrect. RG-58 coaxial cable is used for Ethernet networks. It uses baseband signaling and 50-Ohm terminator. It is also known as 10Base2 or ThinNet.
  11. In an Ethernet peer-to-peer network, which of the following cables is used to connect two computers, using RJ-45 connectors and Category-5 UTP cable?

    • Serial
    • Loopback
    • Crossover
    • Parallel
    Explanation:
    In an Ethernet peer-to-peer network, a crossover cable is used to connect two computers, using RJ-45 connectors and Category-5 UTP cable.
    Answer options D and A are incorrect. Parallel and serial cables do not use RJ-45 connectors and Category-5 UTP cable. Parallel cables are used to connect printers, scanners etc., to computers, whereas serial cables are used to connect modems, digital cameras etc., to computers.
    Answer option B is incorrect. A loopback cable is used for testing equipments.
  12. You work as a Network Security Analyzer. You got a suspicious email while working on a forensic project. Now, you want to know the IP address of the sender so that you can analyze various information such as the actual location, domain information, operating system being used, contact information, etc. of the email sender with the help of various tools and resources. You also want to check whether this email is fake or real. You know that analysis of email headers is a good starting point in such cases. The email header of the suspicious email is given below:

    312-38 Part 10 Q12 027
    312-38 Part 10 Q12 027

    What is the IP address of the sender of this email?

    • 209.191.91.180
    • 141.1.1.1
    • 172.16.10.90
    • 216.168.54.25
    Explanation:
    The IP address of the sender of this email is 216.168.54.25. According to the scenario, you want to know the IP address of the sender so that you can analyze various information such as the actual location, domain information, operating system being used, contact information, etc. of the email sender with the help of various tools and resources. You also want to check whether this email is fake or real. You know that analysis of email headers is a good starting point in such cases. Once you start to analyze the email header, you get an entry entitled as X-Originating-IP. You know that in Yahoo, the X-Originating-IP is the IP address of the email sender and in this case, the required IP address is 216.168.54.25.
    Answer options A, C, and B are incorrect. All these are the IP addresses of the Yahoo and Wetpaint servers.
  13. Which of the following is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients? Each correct answer represents a complete solution. Choose all that apply.

    • Email spoofing
    • Junk mail
    • E-mail spam
    • Email jamming
    Explanation:
    E-mail spam, also known as unsolicited bulk email (UBE), junk mail, or unsolicited commercial email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients.
    Answer option A is incorrect. Email spoofing is a fraudulent email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Email spoofing is a technique commonly used in spam and phishing emails to hide the origin of the email message. By changing certain properties of the email, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the email appear to be from someone other than the actual sender. The result is that, although the email appears to come from the address indicated in the From field (found in the email headers), it actually comes from another source.
    Answer option D is incorrect. Email jamming is the use of sensitive words in e-mails to jam the authorities that listen in on them by providing a form of a red herring and an intentional annoyance. In this attack, an attacker deliberately includes “sensitive” words and phrases in otherwise innocuous emails to ensure that these are picked up by the monitoring systems. As a result, the senders of these emails will eventually be added to a “harmless” list and their emails will be no longer intercepted, hence it will allow them to regain some privacy.
  14. Which of the following is a worldwide organization that aims to establish, refine, and promote Internet security standards?

    • ANSI
    • WASC
    • IEEE
    • ITU
    Explanation:
    Web Application Security Consortium (WASC) is a worldwide organization that aims to establish, refine, and promote Internet security standards. WASC is vendor-neutral, although members may belong to corporations involved in the research, development, design, and distribution of Web security-related products.
    Answer option A is incorrect. ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States. ANSI works with industry groups and is the U.S. member of the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC). Long-established computer standards from ANSI include the American Standard Code for Information Interchange (ASCII) and the Small Computer System Interface (SCSI).
    Answer option D is incorrect. The International Telecommunication Union (ITU) is an organization established to standardize and regulate international radio and telecommunications. Its main tasks include standardization, allocation of the radio spectrum, and organizing interconnection arrangements between different countries to allow international phone calls. ITU sets standards for global telecom networks.
    The ITU’s telecommunications division (ITU-T) produces more than 200 standard recommendations each year in the converging areas of telecommunications, information technology, consumer electronics, broadcasting and multimedia communications. ITU was streamlined into the following three sectors:
    ITU-D (Telecommunication Development)
    ITU-R (Radio communication)
    ITU-T (Telecommunication Standardization)
    Answer option C is incorrect. The Institute of Electrical and Electronic Engineers (IEEE) is a society of technical professionals. It promotes the development and application of electro-technology and allied sciences. IEEE develops communications and network standards, among other activities. The organization publishes number of journals, has many local chapters, and societies in specialized areas.
  15. Which of the following statements are TRUE about Demilitarized zone (DMZ)? Each correct answer represents a complete solution. Choose all that apply.

    • In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network like the Internet.
    • Demilitarized zone is a physical or logical sub-network that contains and exposes external services of an organization to a larger un-trusted network.
    • The purpose of a DMZ is to add an additional layer of security to the Local Area Network of an
      organization.
    • Hosts in the DMZ have full connectivity to specific hosts in the internal network.
    Explanation:
    A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes external services of an organization to a larger network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external networks, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients. In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network such as the Internet.
  16. Which of the following network scanning tools is a TCP/UDP port scanner that works as a ping sweeper and hostname resolver?

    • Hping
    • SuperScan
    • Netstat
    • Nmap
    Explanation:
    SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the host name of the remote system.
    The features of SuperScan are as follows:
    It scans any port range from a built-in list or any given range.
    It performs ping scans and port scans using any IP range.
    It modifies the port list and port descriptions using the built in editor.
    It connects to any discovered open port using user-specified “helper” applications.
    It has the transmission speed control utility.
    Answer option D is incorrect. Nmap is a free open-source utility for network exploration and security auditing. It is used to discover computers and services on a computer network, thus creating a “map” of the network. Just like many simple port scanners, Nmap is capable of discovering passive services. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even vendor of the remote network card. Nmap runs on Linux, Microsoft Windows, etc.
    Answer option C is incorrect. Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems. It is used to find problems on the network and to determine the amount of traffic on the network as a performance measurement.
    Answer option A is incorrect. Hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time. Like most tools used in computer security, hping is useful to both system administrators and crackers (or script kiddies).
  17. Which of the following is a network layer protocol used to obtain an IP address for a given hardware (MAC) address?

    • IP
    • PIM
    • RARP
    • ARP
    Explanation:
    Reverse Address Resolution Protocol (RARP) is a Network layer protocol used to obtain an IP address for a given hardware (MAC) address. RARP is sort of the reverse of an ARP. Common protocols that use RARP are BOOTP and DHCP.
    Answer option D is incorrect. Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to media access control (MAC) addresses of a network interface card (NIC). The ARP cache is used to maintain a correlation between a MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions. ARP is limited to physical network systems that support broadcast packets.
    Answer option B is incorrect. Protocol-Independent Multicast (PIM) is a family of multicast routing protocols for Internet Protocol (IP) networks that provide one-to-many and many-to-many distribution of data over a LAN, WAN, or the Internet. It is termed protocol-independent because PIM does not include its own topology discovery mechanism, but instead uses routing information supplied by other traditional routing protocols, such as Border Gateway Protocol (BGP).
    Answer option A is incorrect. The Internet Protocol (IP) is a protocol used for communicating data across a packet-switched inter-network using the Internet Protocol Suite, also referred to as TCP/IP.
    IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering distinguished protocol datagrams (packets) from the source host to the destination host solely based on their addresses. For this purpose, the Internet Protocol defines addressing methods and structures for datagram encapsulation. The first major version of addressing structure, now referred to as Internet Protocol Version 4 (IPv4), is still the dominant protocol of the Internet, although the successor, Internet Protocol Version 6 (IPv6), is being deployed actively worldwide.
  18. FILL BLANK

    Fill in the blank with the appropriate term.
    A ______________ is a term in computer terminology used for a trap that is set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

    • honeypot
    Explanation:
    A honeypot is a term in computer terminology used for a trap that is set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, and monitored, and which seems to contain information or a resource of value to attackers.
  19. FILL BLANK

    Fill in the blank with the appropriate term.
    A ______________ gateway is a type of network gateway that provides the added capability to control devices across the Internet.

    • home automation
    Explanation:
    A home automation gateway is a type of network gateway that provides the added capability to control devices across the Internet. Most gateways plug in to the home broadband router (and a wall outlet for power). When connected to a router that has Internet connectivity, the automation gateway helps in enabling computers and Web-enabled phones to remotely access automation devices at home.
  20. Which of the following is a network maintenance protocol of the TCP/IP protocol suite that is responsible for the resolution of IP addresses to media access control (MAC) addresses of a network interface card (NIC)?

    • DHCP
    • ARP
    • PIM
    • RARP
    Explanation:
    Address Resolution Protocol (ARP) is a network maintenance protocol of the TCP/IP protocol suite. It is responsible for the resolution of IP addresses to media access control (MAC) addresses of a network interface card (NIC). The ARP cache is used to maintain a correlation between a MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions. ARP is limited to physical network systems that support broadcast packets.
    Answer option A is incorrect. The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts (DHCP clients) to retrieve IP address assignments and other configuration information. DHCP uses a client-server architecture. The client sends a broadcast request for configuration information. The DHCP server receives the request and responds with configuration information from its configuration database. In the absence of DHCP, all hosts on a network must be manually configured individually – a time-consuming and often error-prone undertaking. DHCP is popular with ISP’s because it allows a host to obtain a temporary IP address.
    Answer option D is incorrect. Reverse Address Resolution Protocol (RARP) is a Network layer protocol used to obtain an IP address for a given hardware (MAC) address. RARP is sort of the reverse of an ARP. Common protocols that use RARP are BOOTP and DHCP.
    Answer option C is incorrect. Protocol-Independent Multicast (PIM) is a family of multicast routing protocols for Internet Protocol (IP) networks that provide one-to-many and many-to-many distribution of data over a LAN, WAN, or the Internet. It is termed protocol-independent because PIM does not include its own topology discovery mechanism, but instead uses routing information supplied by other traditional routing protocols, such as Border Gateway Protocol (BGP).