- (Topic 7)
Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weakness and key loggers. What are the means that Bob can use to get password from his client hosts and servers?

1. A. Hardware, Software and Sniffing
2. B. Hardware and Software Keyloggers
3. C. Software only, they are the most effective
4. D. Passwords are always best obtained using Hardware key loggers

Correct Answer: A
All loggers will work as long as he has physical access to the computers.

- (Topic 5)
You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters.
With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

1. A. Online Attack
2. B. Dictionary Attack
3. C. Brute Force Attack
4. D. Hybrid Attack

Correct Answer: D
A dictionary attack will not work as strong passwords are enforced, also the minimum length of 8 characters in the password makes a brute force attack time consuming. A hybrid attack where you take a word from a dictionary and exchange a number of letters with numbers and special characters will probably be the fastest way to crack the passwords.

- (Topic 21)
Which of the following encryption is not based on Block Cipher?

1. A. DES
2. B. Blowfish
3. C. AES
4. D. RC4

Correct Answer: D
RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks).

- (Topic 3)
An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be identified:
21 ftp
23 telnet
80 http
443 https
What does this suggest ?

1. A. This is a Windows Domain Controller
2. B. The host is not firewalled
3. C. The host is not a Linux or Solaris system
4. D. The host is not properly patched

Correct Answer: D
If the answer was A nmap would guess it, it holds the MS
signature database, the host not being firewalled makes no difference. The host is not linux or solaris, well it very well could be. The host is not properly patched? That is the closest; nmaps OS detection architecture is based solely off the TCP ISN issued by the operating systems TCP/IP stack, if the stack is modified to show output from randomized ISN's or if your using a program to change the ISN then OS detection will fail. If the TCP/IP IP ID's are modified then os detection could also fail, because the machine would most likely come back as being down.

- (Topic 7)
You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network.
Which of the following ethereal filters will you configure to display only the packets with the hotmail messages?

1. A. (http contains “hotmail”) && ( http contains “Reply-To”)
2. B. (http contains “e-mail” ) && (http contains “hotmail”)
3. C. (http = “login.passport.com” ) && (http contains “SMTP”)
4. D. (http = “login.passport.com” ) && (http contains “POP3”)

Correct Answer: A
Each Hotmail message contains the tag Reply-To:<sender address> and “xxxx-xxx-xxx.xxxx.hotmail.com” in the received tag.