GPEN GIAC Penetration Tester Question and Answers

Which of the following tools is a wireless sniffer and analyzer that works on the Windows operating system?

In which of the following attacks does the attacker overload the CAM table of the switch?

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

Which of the following tools is John using to crack the wireless encryption keys?

Which of the following penetration testing phases involves gathering data from whois, DNS, and network scanning, which helps in mapping a target network and provides valuable information regarding the operating system and applications running on the systems?

Which of the following does NOT use a proxy software to protect users?

In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie?

Which of the following is NOT an example of passive footprinting?

You want to connect to your friend's computer and run a Trojan on it. Which of the following tools will you use to accomplish the task?

The employees of CCN Inc. require remote access to the company's proxy servers. In order to provide solid wireless security, the company uses LEAP as the authentication protocol. Which of the following is supported by the LEAP protocol?

Each correct answer represents a complete solution. Choose all that apply.

In which layer of the OSI model does a sniffer operate?

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He performs a Teardrop attack on the we-are-secure server and observes that the server crashes. Which of the following is the most likely cause of the server crash?

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

Which of the following tools is John using to crack the wireless encryption keys?

John, a novice web user, makes a new E-mail account and keeps his password as "apple", his favorite fruit. John's password is vulnerable to which of the following password cracking attacks?

Each correct answer represents a complete solution. Choose all that apply.

You enter the following URL on your Web browser:

http://www.we-are-secure.com/scripts/..%co%af../..%co%

af../windows/system32/cmd.exe?/c+dir+c:\

What task do you want to perform?

You want to perform passive footprinting against we-are-secure Inc. Web server. Which of the following tools will you use?

Adam, a malicious hacker, hides a hacking tool from a system administrator of his company by using Alternate Data Streams (ADS) feature. Which of the following statements is true in context with the above scenario?

Which of the following password cracking tools can work on the Unix and Linux environment?

The employees of EWS Inc. require remote access to the company's Web servers. In order to provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which of the following statements are true about EAP-TLS?

Each correct answer represents a complete solution. Choose all that apply.

Which of the following statements are true about session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

Which of the following tools can be used to enumerate networks that have blocked ICMP Echo packets, however, failed to block timestamp or information packet or not performing sniffing of trusted addresses, and it also supports spoofing and promiscuous listening for reply packets?

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?

Which of the following statements are true about the Enum tool?

Each correct answer represents a complete solution. Choose all that apply.

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. You install access points for enabling a wireless network. The sales team members and the managers in the company will be using laptops to connect to the LAN through wireless connections. Therefore, you install WLAN network interface adapters on their laptops. However, you want to restrict the sales team members and managers from communicating directly to each other. Instead, they should communicate through the access points on the network. Which of the following topologies will you use to accomplish the task?

You work as a Penetration Tester for the Infosec Inc. Your company takes the projects of security auditing. Recently, your company has assigned you a project to test the security of the we-aresecure. com Website. The we-are-secure.com Web server is using Linux operating system. When you port scanned the we-are-secure.com Web server, you got that TCP port 23, 25, and 53 are open. When you tried to telnet to port 23, you got a blank screen in response. When you tried to type the dir, copy, date, del, etc. commands you got only blank spaces or underscores symbols on the screen. What may be the reason of such unwanted situation?

You have received a file named new.com in your email as an attachment. When you execute this file in your laptop, you get the following message:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

When you open the file in Notepad, you get the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What step will you take as a countermeasure against this attack?

Victor wants to use Wireless Zero Configuration (WZC) to establish a wireless network connection using his computer running on Windows XP operating system. Which of the following are the most likely threats to his computer?

Each correct answer represents a complete solution. Choose two.

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He wants to perform a stealth scan to discover open ports and applications running on the We-are-secure server. For this purpose, he wants to initiate scanning with the IP address of any third party. Which of the following scanning techniques will John use to accomplish his task?

John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He enters a single quote in the input field of the login page of the Weare- secure Web site and receives the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '0x80040E14'

This error message shows that the We-are-secure Website is vulnerable to __________.

You run the rdisk /s command to retrieve the backup SAM file on a computer. Where should you go on the computer to find the file?

Which of following tasks can be performed when Nikto Web scanner is using a mutation technique?

Each correct answer represents a complete solution. Choose all that apply.

You want to scan your network quickly to detect live hosts by using ICMP ECHO Requests. What type of scanning will you perform to accomplish the task?

You run the following bash script in Linux:

for i in 'cat hostlist.txt' ;do nc -q 2 -v $i 80 < request.txt done where, hostlist.txt file contains the list of IP addresses and request.txt is the output file.

Which of the following tasks do you want to perform by running this script?

Which of the following Web authentication techniques uses a single sign-on scheme?

Which of the following tools allow you to perform HTTP tunneling?

Each correct answer represents a complete solution. Choose all that apply.

You work as a Network Penetration tester in the Secure Inc. Your company takes the projects to test the security of various companies. Recently, Secure Inc. has assigned you a project to test the security of a Web site. You go to the Web site login page and you run the following SQL query:

SELECT email, passwd, login_id, full_name

FROM members

WHERE email = 'attacker@somehwere.com'; DROP TABLE members; --'

What task will the above SQL query perform?

Which of the following is the frequency range to tune IEEE 802.11a network?

Which of the following United States laws protects stored electronic information?

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully completed the following pre-attack phases while testing the security of the server:

Footprinting Scanning Now he wants to conduct the enumeration phase. Which of the following tools can John use to conduct it?

Each correct answer represents a complete solution. Choose all that apply.

You have received a file named new.com in your email as an attachment. When you execute this file in your laptop, you get the following message:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

When you open the file in Notepad, you get the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What step will you take as a countermeasure against this attack?

Peter, a malicious hacker, obtains e-mail addresses by harvesting them from postings, blogs, DNS listings, and Web pages. He then sends large number of unsolicited commercial e-mail (UCE) messages on these addresses. Which of the following e-mail crimes is Peter committing?

Which of the following is the most common method for an attacker to spoof email?

Anonymizers are the services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers?

Each correct answer represents a complete solution. Choose all that apply.

When DNS is being used for load balancing, why would a penetration tester choose to identify a scan target by its IP address rather than its host name?

What section of the penetration test or ethical hacking engagement final report is used to detail and prioritize the results of your testing?

A tester has been contracted to perform a penetration test for a corporate client. The scope of the test is limited to end-user workstations and client programs only. Which of die following actions is allowed in this test?

A customer has asked for a scan or vulnerable SSH servers. What is the penetration tester attempting to accomplish using the following Nmap command?

You have compromised a Windows XP system and Injected the Meterpreter payload into the lsass process. While looking over the system you notice that there is a popular password management program on the system. When you attempt to access the file that contains the password you find it is locked. Further investigation reveals that it is locked by the passmgr process. How can you use the Meterpreter to get access to this file?

Why is it important to have a cheat sheet reference of database system tables when performing SQL Injection?

Which of the following describes the direction of the challenges issued when establishing a wireless (IEEE 802.11) connection?

Which of the following TCP packet sequences are common during a SYN (or half-open) scan?

How can web server logs be leveraged to perform Cross-Site Scripting (XSSI?

What is the most likely cause of the responses on lines 10 and 11 of the output below?

When a DNS server transfers its zone file to a remote system, what port does it typically use?

Analyze the command output below. Given this information, which is the appropriate next step for the tester?

Starting Nmap4.53 (hnp://insecure.org I at2010-09-30 19:13 EDT interesting ports on 192.163.116.101:

PORT STATE SERVICE

130/tcp filtered cisco-fna

131/tcp filtered cisco-tna

132/tcp filtered cisco-sys

133/tcp filtered statsrv

134/tcp filtered Ingres-net

135/tcp filtered msrpc

136/tcp filtered profile

137/tcp filtered netbios-ns

138/tcp filtered netbios-dgm

139/tcp open netbios-ssn

140/tcp filtered emfis-data

MAC Address: 00:30:1&:B8:14:8B (Shuttle)

warning: OSS can results may be unreliable because we could not find at least l open and l

closed port

Device type, general purpose

Running: Microsoft Windows XP

OS details: Microsoft Windows XP SP2

Network Distance : 1 hop

Nmap done: I IP address (I host up) scanned in l .263 seconds