
GPEN GIAC Penetration Tester Question and Answers

Question # 4

Which of the following tools is a wireless sniffer and analyzer that works on the Windows operating system?

A. Aeropeek
B. Kismet
C. Airsnort
D. Void11

Question # 5

In which of the following attacks does the attacker overload the CAM table of the switch?

A. MAC flooding
B. Man-in-the-middle attack
C. Monkey-in-the-middle attack
D. ARP poisoning

Question # 6

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

Which of the following tools is John using to crack the wireless encryption keys?

A. Cain
B. Kismet
C. AirSnort
D. PsPasswd

Question # 7

Which of the following penetration testing phases involves gathering data from whois, DNS, and network scanning, which helps in mapping a target network and provides valuable information regarding the operating system and applications running on the systems?

A. Post-attack phase
B. Attack phase
C. On-attack phase
D. Pre-attack phase

Question # 8

Which of the following does NOT use proxy software to protect users?

A. Stateful inspection
B. Packet filtering
C. Application layer gateway
D. Circuit-level proxy server

Question # 9

In which of the following attacks does an attacker use packet sniffing to read network traffic between two parties to steal the session cookie?

A. Cross-site scripting
B. Session sidejacking
C. ARP spoofing
D. Session fixation

Question # 10

Which of the following is NOT an example of passive footprinting?

A. Scanning ports.
B. Analyzing job requirements.
C. Querying the search engine.
D. Performing the whois query.

Question # 11

You want to connect to your friend's computer and run a Trojan on it. Which of the following tools will you use to accomplish the task?

A. Remoxec
B. Hk.exe
C. PSExec
D. GetAdmin.exe

Question # 12

The employees of CCN Inc. require remote access to the company's proxy servers. In order to provide solid wireless security, the company uses LEAP as the authentication protocol. Which of the following are supported by the LEAP protocol?

Each correct answer represents a complete solution. Choose all that apply.

A. Public key certificate for server authentication
B. Password hash for client authentication
C. Strongest security level
D. Dynamic key encryption

Question # 13

In which layer of the OSI model does a sniffer operate?

A. Network layer
B. Session layer
C. Presentation layer
D. Data link layer

Question # 14

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He performs a Teardrop attack on the we-are-secure server and observes that the server crashes. Which of the following is the most likely cause of the server crash?

A. The spoofed TCP SYN packet containing the IP address of the target is filled in both the source and destination fields.
B. The we-are-secure server cannot handle the overlapping data fragments.
C. The ICMP packet is larger than 65,536 bytes.
D. Ping requests at the server are too high.

Question # 15

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

Which of the following tools is John using to crack the wireless encryption keys?

A. Kismet
B. AirSnort
C. Cain
D. PsPasswd

Question # 16

John, a novice web user, creates a new E-mail account and sets his password to "apple", his favorite fruit. John's password is vulnerable to which of the following password cracking attacks?

Each correct answer represents a complete solution. Choose all that apply.

A. Dictionary attack
B. Rule-based attack
C. Hybrid attack
D. Brute force attack

Question # 17

You enter the following URL in your Web browser:

http://www.we-are-secure.com/scripts/..%c0%af../..%c0%af../windows/system32/cmd.exe?/c+dir+c:\

What task do you want to perform?

A. Perform a buffer overflow attack.
B. Perform a DDoS attack.
C. View the directory listing of the C drive.
D. Perform a DoS attack.

Question # 18

You want to perform passive footprinting against the we-are-secure Inc. Web server. Which of the following tools will you use?

A. Ettercap
B. Nmap
C. Netcraft
D. Ethereal

Question # 19

Adam, a malicious hacker, hides a hacking tool from a system administrator of his company by using the Alternate Data Streams (ADS) feature. Which of the following statements is true in the context of the above scenario?

A. Alternate Data Streams is a feature of the Linux operating system.
B. Adam's system runs on the Microsoft Windows 98 operating system.
C. Adam is using the FAT file system.
D. Adam is using the NTFS file system.

Question # 20

Which of the following password cracking tools can work in Unix and Linux environments?

A. Brutus
B. Cain and Abel
C. Ophcrack
D. John the Ripper

Question # 21

The employees of EWS Inc. require remote access to the company's Web servers. In order to provide solid wireless security, the company uses EAP-TLS as the authentication protocol. Which of the following statements are true about EAP-TLS?

Each correct answer represents a complete solution. Choose all that apply.

A. It is supported by all manufacturers of wireless LAN hardware and software.
B. It uses a public key certificate for server authentication.
C. It uses a password hash for client authentication.
D. It provides a moderate level of security.

Question # 22

Which of the following statements are true about session hijacking?

Each correct answer represents a complete solution. Choose all that apply.

A. It is used to slow the working of the victim's network resources.
B. TCP session hijacking is when a hacker takes over a TCP session between two machines.
C. Use of a long random number or string as the session key reduces session hijacking.
D. It is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.

Question # 23

Which of the following tools can be used to enumerate networks that have blocked ICMP Echo packets but have failed to block ICMP Timestamp or Information packets, or that are not sniffing for trusted addresses? The tool also supports spoofing and promiscuous listening for reply packets.

A. Nmap
B. Zenmap
C. Icmpenum
D. Nessus

Question # 24

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint. Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?

A. nmap -O -p
B. nmap -sS
C. nmap -sU -p
D. nmap -sT

Question # 25

Which of the following statements are true about the Enum tool?

Each correct answer represents a complete solution. Choose all that apply.

A. It is capable of performing brute force and dictionary attacks on individual accounts of Windows NT/2000.
B. One of the countermeasures against the Enum tool is to disable TCP port 139/445.
C. It is a console-based Win32 information enumeration utility.
D. It uses NULL and User sessions to retrieve user lists, machine lists, LSA policy information, etc.

Question # 26

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. You install access points for enabling a wireless network. The sales team members and the managers in the company will be using laptops to connect to the LAN through wireless connections. Therefore, you install WLAN network interface adapters on their laptops. However, you want to restrict the sales team members and managers from communicating directly with each other. Instead, they should communicate through the access points on the network. Which of the following topologies will you use to accomplish the task?

A. Star
B. Ad hoc
C. Infrastructure
D. Mesh

Question # 27

You work as a Penetration Tester for Infosec Inc. Your company takes on security auditing projects. Recently, your company has assigned you a project to test the security of the we-are-secure.com Website. The we-are-secure.com Web server is using the Linux operating system. When you port scanned the we-are-secure.com Web server, you found that TCP ports 23, 25, and 53 are open. When you tried to telnet to port 23, you got a blank screen in response. When you tried to type the dir, copy, date, del, etc. commands, you got only blank spaces or underscore symbols on the screen. What may be the reason for this situation?

A. The we-are-secure.com server is using a honeypot.
B. The telnet session is being affected by the stateful inspection firewall.
C. The telnet service of we-are-secure.com has become corrupted.
D. The we-are-secure.com server is using a TCP wrapper.

Question # 28

You have received a file named new.com in your email as an attachment. When you execute this file on your laptop, you get the following message:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

When you open the file in Notepad, you get the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What step will you take as a countermeasure against this attack?

A. Immediately shut down your laptop.
B. Do nothing.
C. Traverse all of your drives, search for new.com files, and delete them.
D. Clean up your laptop with antivirus.

Question # 29

Victor wants to use Wireless Zero Configuration (WZC) to establish a wireless network connection using his computer running the Windows XP operating system. Which of the following are the most likely threats to his computer?

Each correct answer represents a complete solution. Choose two.

A. An attacker, by creating a fake wireless network with a high-power antenna, causes Victor's computer to associate with his network in order to gain access.
B. Information from probing for networks can be viewed using a wireless analyzer and may be used to gain access.
C. An attacker can use the Ping Flood DoS attack if WZC is used.
D. It will not allow the configuration of encryption and MAC filtering. Sending information is not secure on the wireless network.

Question # 30

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He wants to perform a stealth scan to discover open ports and applications running on the We-are-secure server. For this purpose, he wants to initiate scanning with the IP address of any third party. Which of the following scanning techniques will John use to accomplish his task?

A. UDP
B. TCP SYN/ACK
C. IDLE
D. RPC

Question # 31

John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. He enters a single quote in the input field of the login page of the We-are-secure Web site and receives the following error message:

Microsoft OLE DB Provider for ODBC Drivers error '0x80040E14'

This error message shows that the We-are-secure Website is vulnerable to __________.

A. A SQL injection attack
B. A Denial-of-Service attack
C. A buffer overflow
D. An XSS attack

Question # 32

You run the rdisk /s command to retrieve the backup SAM file on a computer. Where should you go on the computer to find the file?

A. %systemroot%\password\sam._
B. %systemroot%\sam._
C. %systemroot%\repair\sam._
D. %systemroot%\backup\sam._

Question # 33

Which of the following tasks can be performed when the Nikto Web scanner is using a mutation technique?

Each correct answer represents a complete solution. Choose all that apply.

A. Guessing password file names.
B. Sending a mutation payload for a Trojan attack.
C. Testing all files with all root directories.
D. Enumerating user names via Apache.

Question # 34

You want to scan your network quickly to detect live hosts by using ICMP ECHO Requests. What type of scanning will you perform to accomplish the task?

A. Idle scan
B. TCP SYN scan
C. Ping sweep scan
D. XMAS scan

Question # 35

You run the following bash script in Linux:

for i in `cat hostlist.txt`; do nc -q 2 -v $i 80 < request.txt; done

where the hostlist.txt file contains the list of IP addresses and request.txt is the output file.

Which of the following tasks do you want to perform by running this script?

A. You want to perform port scanning on the hosts given in the IP address list.
B. You want to transfer the file hostlist.txt to the hosts given in the IP address list.
C. You want to perform banner grabbing on the hosts given in the IP address list.
D. You want to put nmap in listen mode on the hosts given in the IP address list.

Question # 36

Which of the following Web authentication techniques uses a single sign-on scheme?

A. NTLM authentication
B. Microsoft Passport authentication
C. Basic authentication
D. Digest authentication

Question # 37

Which of the following tools allow you to perform HTTP tunneling?

Each correct answer represents a complete solution. Choose all that apply.

A. BackStealth
B. Tunneled
C. Nikto
D. HTTPort

Question # 38

You work as a Network Penetration Tester at Secure Inc. Your company takes on projects to test the security of various companies. Recently, Secure Inc. has assigned you a project to test the security of a Web site. You go to the Web site login page and run the following SQL query:

SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'attacker@somehwere.com'; DROP TABLE members; --'

What task will the above SQL query perform?

A. Performs XSS attacks.
B. Deletes the entire members table.
C. Deletes the rows of the members table where the given email id is 'attacker@somehwere.com'.
D. Deletes the database in which the members table resides.

Question # 39

Which of the following is the frequency range used to tune an IEEE 802.11a network?

A. 1.15-3.825 GHz
B. 5.15-5.825 GHz
C. 5.25-9.825 GHz
D. 6.25-9.825 GHz

Question # 40

Which of the following United States laws protects stored electronic information?

A. Title 18, Section 1029
B. Title 18, Section 1362
C. Title 18, Section 2701
D. Title 18, Section 2510

Question # 41

John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He has successfully completed the following pre-attack phases while testing the security of the server:

Footprinting
Scanning

Now he wants to conduct the enumeration phase. Which of the following tools can John use to conduct it?

Each correct answer represents a complete solution. Choose all that apply.

A. PsFile
B. PsPasswd
C. UserInfo
D. WinSSLMiM

Question # 42

You have received a file named new.com in your email as an attachment. When you execute this file on your laptop, you get the following message:

'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'

When you open the file in Notepad, you get the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What step will you take as a countermeasure against this attack?

A. Do nothing.
B. Traverse all of your drives, search for new.com files, and delete them.
C. Clean up your laptop with antivirus.
D. Immediately shut down your laptop.

Question # 43

Peter, a malicious hacker, obtains e-mail addresses by harvesting them from postings, blogs, DNS listings, and Web pages. He then sends a large number of unsolicited commercial e-mail (UCE) messages to these addresses. Which of the following e-mail crimes is Peter committing?

A. E-mail spoofing
B. E-mail spam
C. E-mail bombing
D. E-mail storm

Question # 44

Which of the following is the most common method for an attacker to spoof email?

A. Back door
B. Replay attack
C. Man in the middle attack
D. Open relay

Question # 45

Anonymizers are services that help make a user's own Web surfing anonymous. An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet. It ensures the privacy of the user in this manner. After the user anonymizes a Web access with an anonymizer prefix, every subsequent link selected is also automatically accessed anonymously. Which of the following are limitations of anonymizers?

Each correct answer represents a complete solution. Choose all that apply.

A. Java applications
B. Secure protocols
C. ActiveX controls
D. JavaScript
E. Plugins

Question # 46

When DNS is being used for load balancing, why would a penetration tester choose to identify a scan target by its IP address rather than its host name?

A. A single IP may have multiple domains.
B. A single domain name can only have one IP address.
C. Scanning tools only recognize IP addresses.
D. A single domain name may have multiple IP addresses.

Question # 47

What section of the penetration test or ethical hacking engagement final report is used to detail and prioritize the results of your testing?

A. Methodology
B. Conclusions
C. Executive Summary
D. Findings

Question # 48

A tester has been contracted to perform a penetration test for a corporate client. The scope of the test is limited to end-user workstations and client programs only. Which of the following actions is allowed in this test?

A. Attempting to redirect the internal gateway through ARP poisoning.
B. Activating bot clients and performing a denial-of-service against the gateway.
C. Sniffing and attempting to crack the Domain Administrator's password hash.
D. Sending a malicious PDF to a user and exploiting a vulnerable Reader version.

Question # 49

A customer has asked for a scan for vulnerable SSH servers. What is the penetration tester attempting to accomplish using the following Nmap command?

A. Checking operating system version
B. Running an exploit against the target
C. Checking configuration
D. Checking protocol version

Question # 50

You have compromised a Windows XP system and injected the Meterpreter payload into the lsass process. While looking over the system you notice that there is a popular password management program on the system. When you attempt to access the file that contains the passwords you find it is locked. Further investigation reveals that it is locked by the passmgr process. How can you use Meterpreter to get access to this file?

A. Use the getuid command to determine the user context the process is running under, then use the imp command to impersonate that user.
B. Use the getpid command to determine the user context the process is running under, then use the imp command to impersonate that user.
C. Use the execute command on the passmgr executable. That will give you access to the file.
D. Use the migrate command to jump to the passmgr process. That will give you access to the file.

Question # 51

Why is it important to have a cheat sheet reference of database system tables when performing SQL Injection?

A. This is where sites typically store sensitive information such as credit card numbers.
B. These tables contain a list of allowed database applications.
C. The information in these tables will reveal details about the web application's code.
D. These tables contain metadata that can be queried to gain additional helpful information.

Question # 52

Which of the following describes the direction of the challenges issued when establishing a wireless (IEEE 802.11) connection?

A. One-way, the client challenges the access point
B. One-way, the access point challenges the client
C. No challenges occur for a wireless connection
D. Two-way, both the client and the access point challenge each other

Question # 53

Which of the following TCP packet sequences are common during a SYN (or half-open) scan?

A. The source computer sends SYN and the destination computer responds with RST
B. The source computer sends SYN-ACK and no response is received from the destination computer
C. The source computer sends SYN and no response is received from the destination computer
D. The source computer sends SYN-ACK and the destination computer responds with RST-ACK
E. A, B and C
F. A and C
G. C and D

Question # 54

How can web server logs be leveraged to perform Cross-Site Scripting (XSS)?

A. Web logs containing XSS may execute shell scripts when opened in a GUI text browser.
B. XSS attacks cause web logs to become unreadable and therefore are an effective DoS attack.
C. If web logs are viewed in a web-based console, log entries containing XSS may execute in the browser.
D. When web logs are viewed in a terminal, XSS can escape to the shell and execute commands.

Question # 55

What is the most likely cause of the responses on lines 10 and 11 of the output below?

A. The device at hop 10 silently drops UDP packets with a high destination port.
B. The device at hop 10 is down and not forwarding any requests at all.
C. The host running the tracer utility lost its network connection during the scan.
D. The devices at hops 10 and 11 did not return an "ICMP TTL Exceeded in Transit" message.

Question # 56

When a DNS server transfers its zone file to a remote system, what port does it typically use?

A. 53/TCP
B. 153/UDP
C. 35/TCP
D. 53/UDP

Question # 57

Analyze the command output below. Given this information, which is the appropriate next step for the tester?

Starting Nmap 4.53 ( http://insecure.org ) at 2010-09-30 19:13 EDT
Interesting ports on 192.163.116.101:
PORT    STATE    SERVICE
130/tcp filtered cisco-fna
131/tcp filtered cisco-tna
132/tcp filtered cisco-sys
133/tcp filtered statsrv
134/tcp filtered ingres-net
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp open     netbios-ssn
140/tcp filtered emfis-data
MAC Address: 00:30:1&:B8:14:8B (Shuttle)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 1.263 seconds

A. Determine the MAC address of the scanned host.
B. Send a single SYN packet to port 139/tcp on the host.
C. Send spoofed packets to attempt to evade any firewall.
D. Request a list of shares from the scanned host.