- (Topic 23)
What type of session hijacking attack is shown in the exhibit?

1. A. Session Sniffing Attack
2. B. Cross-site scripting Attack
3. C. SQL Injection Attack
4. D. Token sniffing Attack

Correct Answer: A

- (Topic 19)
Basically, there are two approaches to network intrusion detection: signature detection, and anomaly detection. The signature detection approach utilizes well- known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach utilizes a previous history of network traffic to search for patterns that are abnormal, which would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature such that there is a greater probability of his attack going undetected by the IDS?

1. A. He can use a shellcode that will perform a reverse telnet back to his machine
2. B. He can use a dynamic return address to overwrite the correct value in the target machine computer memory
3. C. He can chain NOOP instructions into a NOOP "sled" that advances the processor's instruction pointer to a random place of choice
4. D. He can use polymorphic shell code-with a tool such as ADMmutate - to change the signature of his exploit as seen by a network IDS

Correct Answer: D
ADMmutate is using a polymorphic technique designed to circumvent certain forms of signature based intrusion detection. All network based remote buffer overflow exploits have similarities in how they function. ADMmutate has the ability to emulate the protocol of the service the attacker is attempting to exploit. The data payload (sometimes referred to as an egg) contains the instructions the attacker wants to execute on the target machine. These eggs are generally interchangeable and can be utilized in many different buffer overflow exploits. ADMmutate uses several techniques to randomize the contents of the egg in any given buffer overflow exploit. This randomization effectively changes the content or 'signature' of the exploit without changing the functionality of the exploit.

- (Topic 2)
Your company trainee Sandra asks you which are the four existing Regional Internet Registry (RIR's)?

1. A. APNIC, PICNIC, ARIN, LACNIC
2. B. RIPE NCC, LACNIC, ARIN, APNIC
3. C. RIPE NCC, NANIC, ARIN, APNIC
4. D. RIPE NCC, ARIN, APNIC, LATNIC

Correct Answer: B
All other answers include non existing organizations (PICNIC, NANIC, LATNIC). See http://www.arin.net/library/internet_info/ripe.html

- (Topic 3)
While doing fast scan using –F option, which file is used to list the range of ports to scan by nmap?

1. A. services
2. B. nmap-services
3. C. protocols
4. D. ports

Correct Answer: B
Nmap uses the nmap-services file to provide additional port detail for almost every scanning method. Every time a port is referenced, it's compared to an available description in this support file. If the nmap-services file isn't available, nmap reverts to the /etc/services file applicable for the current operating system.

- (Topic 22)
Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?

1. A. To determine who is the holder of the root account
2. B. To perform a DoS
3. C. To create needless SPAM
4. D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
5. E. To test for virus protection

Correct Answer: D
Sending a bogus email is one way to find out more about internal servers. Also, to gather additional IP addresses and learn how they treat mail.