GSNA : GIAC Systems and Network Auditor : Part 06

Last Updated on March 19, 2022 by Admin 2

GSNA : GIAC Systems and Network Auditor : Part 06

1. The tool works under Windows 9x/2000. Which of the following tools can be used to automate the MITM attack?

   • Airjack 
   • Kismet
   • Hotspotter
   • IKECrack

   Explanation:
   Airjack is a collection of wireless card drivers and related programs. It uses a program called monkey_jack that is used to automate the MITM attack. Wlan_jack is a DoS tool in the set of airjack tools, which accepts a target source and BSSID to send continuous deauthenticate frames to a single client or an entire network. Another tool, essid_jack is used to send a disassociate frame to a target client in order to force the client to reassociate with the network and giving up the network SSID.
   Answer: C is incorrect. Hotspotter is a wireless hacking tool that is used to detect rogue access point. It fools users to connect, and authenticate with the hacker’s tool. It sends the deauthenticate frame to the victim’s computer that causes the victim’s wireless connection to be switched to a non-preferred connection.
   Answer: D is incorrect. IKECrack is an IKE/IPSec authentication crack tool, which uses brute force for searching password and key combinations of Pre-Shared-Key authentication networks. The IKECrack tool undermines the latest Wi-Fi security protocol with repetitive attempts at authentication with random passphrases or keys.
   Answer: B is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks:
   – To identify networks by passively collecting packets
   – To detect standard named networks
   – To detect masked networks
   – To collect the presence of non-beaconing networks via data traffic

2. You work as a Software Developer for Cinera Softwares Inc. You create a DHTML page that contains ten TextBox controls to get information from the users who use your application. You want all the components placed on the DHTML page to be repositioned dynamically, when a user resizes the browser window.

   Which of the following will you use for this?

   • Use the position attribute of the Cascading Style Sheet.
   • Use the OnResizeevent for the DHTML page object.
   • Use the Resize event of the Document object.
   • Use the OnResize event of the Cascading Style Sheet.
   Explanation:
   Position attribute of the Cascading Style Sheet. The DHTML page object modal gives access to styles and style sheets. Therefore, you can easily set and change the position of an element.
   Reference: MSDN, Index “Dynamic HTML(DHTML), in DHTML Applications”, “Elements Positioning in DHTML Application”, Search “Positioning”, “Dynamic HTML”

3. You are concerned about rogue wireless access points being connected to your network.

   What is the best way to detect and prevent these?

   • Network anti-spyware software
   • Network anti-virus software
   • Protocol analyzers
   • Site surveys
   Explanation:
   Routinely doing site surveys (or better still, having them automatically conducted frequently) is the only way to know what is connected to your network. And it will reveal any rogue access points.
   Answer: B is incorrect. While antivirus software is always a good idea, it will do nothing to prevent rogue access points.
   Answer: A is incorrect. While anti-spyware software is always a good idea, it will do nothing to prevent rogue access points.
   Answer: C is incorrect. A protocol analyzer will help you analyze the specific traffic on a given node, but won’t be much help in directly detecting rogue access points.

4. You want to repeat the last command you entered in the bash shell.

   Which of the following commands will you use?

   • history ##
   • history !#
   • history !!
   • history !1
   Explanation:

   The history !! command shows the previously entered command in the bash shell. In the bash shell, the history command is used to view the recently executed commands. History is on by default. A user can turn off history using the command set +o history and turn it on using set -o history. An environment variable HISTSIZE is used to inform bash about how many history lines should be kept.
   The following commands are frequently used to view and manipulate history:

   

   Answer: B is incorrect. The history !# command shows the entire command line typed.
   Answer: D is incorrect. The history !n command shows the nth command typed. Since n is equal to 1 in this command, the first command willbe shown.
   Answer: A is incorrect. It is not a valid command.

5. You have been assigned a project to develop a Web site for a construction company. You have to develop a Web site and want to get more control over the appearance and presentation of your Web pages. You also want to increase the ability to precisely specify the location and appearance of the elements on a page and create special effects. You plan to use Cascading style sheets (CSS). You want to apply the same style consistently throughout your Web site.

   Which type of style sheet will you use?

   • Internal Style Sheet
   • External Style Sheet
   • Inline Style Sheet
   • Embedded Style Sheet
   Explanation:
   To apply the same style consistently throughout your Web site you should use external style sheet. Cascading style sheets (CSS) are used so that the Web site authors can exercise greater control on the appearance and presentation of their Web pages. And also because they increase the ability to precisely point to the location and look of elements on a Web page and help in creating special effects.
   Cascading Style Sheets have codes, which are interpreted and applied by the browser on to the Web pages and their elements.
   There are three types of cascading style sheets.
   – External Style Sheets
   – Embedded Style Sheets
   – Inline Style Sheets
   External Style Sheets are used whenever consistency in style is required throughout a Web site. A typical external style sheet uses a .css file extension, which can be edited using a text editor such as a Notepad.
   Embedded Style Sheets are used for defining styles for an active page.
   Inline Style Sheets are used for defining individual elements of a page.
   Reference: TechNet, Contents: Microsoft Knowledgebase, February 2000 issue PSS ID Number: Q179628

6. Which of the following can be the countermeasures to prevent NetBIOS NULL session enumeration in Windows 2000 operating systems?

   • Denying all unauthorized inbound connections to TCP port 53
   • Disabling SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface
   • Editing the registry key HKLM\SYSTEM\CurrentControlSet\LSA and adding the value RestrictAnonymous
   • Disabling TCP port 139/445
   Explanation:

   NetBIOS NULL session vulnerabilities are hard to prevent, especially if NetBIOS is needed as part of the infrastructure. One or more of the following steps can be taken to limit NetBIOS NULL session vulnerabilities:
   1.Null sessions require access to the TCP 139 or TCP 445 port, which can be disabled by a Network Administrator.
   2. A Network Administrator can also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.
   3. A Network Administrator can also restrict the anonymous user by editing the registry values:
   – a.Open regedit32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.
   – b.Choose edit > add value.
   Value name: RestrictAnonymous
   Data Type: REG_WORD Value: 2

   Answer: A is incorrect. TCP port 53 is the default port for DNS zone transfer. Although disabling it can help restrict DNS zone transfer enumeration, it is not useful as a countermeasure against the NetBIOS NULL session enumeration.

7. From an auditing perspective, database security can be broken down into four key categories:
   – Server Security
   – Database Connections
   – Table Access Control
   – Restricting Database Access.

   Which of the following categories leads to the process of limiting access to the database server?

   • Table access control
   • Database connections
   • Restricting database access
   • Server security
   Explanation:
   Server security is the process of limiting access to the database server. This is one of the most basic and most important components of database security. It is imperative that an organization not let their database server be visible to the world. If an organization’s database server is supplying information to a web server, then it should be configured to allow connections only from that web server. Also, every server should be configured to allow only trusted IP addresses.
   Answer: B is incorrect. With regard to database connections, system administrators should not allow immediate unauthenticated updates to a database. If users are allowed to make updates to a database via a web page, the system administrator should validate all updates to make sure that they are warranted and safe. Also, the system administrator should not allow users to use their designation of “sa” when accessing the database. This gives employees complete access to all of the data stored on the database regardless of whether or not they are authenticated to have such access.
   Answer: A is incorrect. Table access control is related to an access control list, which is a table that tells a computer operating system which access rights each user has to a particular system object. Table access control has been referred to as one of the most overlooked forms of database security. This is primarily because it is so difficult to apply. In order to properly use table access control, the system administrator and the database developer need to collaborate with each other.
   Answer: C is incorrect. Restricting database access is important especially for the companies that have their databases uploaded on the Internet. Internet-based databases have been the most recent targets of attacks, due to their open access or open ports. It is very easy for criminals to conduct a “port scan” to look for ports that are open that popular database systems are using by default. The ports that are used by default can be changed, thus throwing off a criminal looking for open ports set by default.
   Following are the security measures that can be implemented to prevent open access from the Internet:
   Trusted IP addresses: Servers can be configured to answer pings from a list of trusted hosts only.
   Server account disabling: The server ID can be suspended after three password attempts.
   Special tools: Products can be used to send an alert when an external server is attempting to breach the system’s security. One such example is Real Secure by ISS.

8. John works as a Network Auditor for XYZ CORP. The company has a Windows-based network. John wants to conduct risk analysis for the company.

   Which of the following can be the purpose of this analysis? (Choose three.)

   • To ensure absolute safety during the audit
   • To analyze exposure to risk in order to support better decision-making and proper management of those risks
   • To try to quantify the possible impact or loss of a threat
   • To assist the auditor in identifying the risks and threats
   Explanation:
   There are many purposes of conducting risk analysis, which are as follows:
   – To try to quantify the possible impact or loss of a threat
   – To analyze exposure to risk in order to support better decision-making and proper management of those risks
   – To support risk-based audit decisions
   – To assist the auditor in determining the audit objectives
   – To assist the auditor in identifying the risks and threats
   Answer: A is incorrect. The analysis of risk does not ensure absolute safety. The main purpose of using a risk-based audit strategy is to ensure that the audit adds value with meaningful information.

9. Which of the following methods is used to get a cookie from a client?

   Note: Here, request is a reference of type HttpServletRequest, and response is a reference of type HttpServletResponse.

   • Cookie [] cookies = request.getCookies();
   • Cookie [] cookies = request.getCookie(String str)
   • Cookie [] cookies = response.getCookie(String str)
   • Cookie[] cookies = response.getCookies()
   Explanation:
   The getCookies() method of the HttpServletRequest interface is used to get the cookies from a client. This method returns an array of cookies.
   Answer: B, C are incorrect. The getCookie(String str)method does not exist.
   Answer: D is incorrect. The getCookies() method is present in the HttpServletRequest interface and not in the HttpServletResponse interface.

10. You work as a Software Developer for UcTech Inc. You build an online book shop, so that users can purchase books using their credit cards. You want to ensure that only the administrator can access the credit card information sent by users.

    Which security mechanism will you use to accomplish the task?

    • Confidentiality
    • Dataintegrity
    • Authentication
    • Authorization
    Explanation:
    Confidentiality is a mechanism that ensures that only the intended authorized recipients are able to read data. The data is so encrypted that even if an unauthorized user gets access to it, he will not get any meaning out of it.
    Answer: D is incorrect. Authorization is a process that verifies whether a user has permission to access a Web resource. A Web server can restrict access to some of its resources to only those clients that log in using a recognized username and password. To be authorized, a user must first be authenticated.
    Answer: C is incorrect. Authentication is the process of verifying the identity of a user. This is usually done using a user name and password. This process compares the provided user name and password with those stored in the database of an authentication server.
    Answer: B is incorrect. Data integrity is a mechanism that ensures that the data is not modified during transmission from source to destination. This means that the data received at the destination should be exactly the same as that sent from the source.

11. Which of the following is an enterprise-grade network/application/performance monitoring platform that tightly integrates with other smart building management systems, such as physical access control, HVAC, lighting, and time/attendance control?

    • Airwave Management Platform
    • Andrisoft WANGuard Platform
    • akk@da
    • Aggregate Network Manager
    Explanation:
    Aggregate Network Manager is an enterprise-grade network/application/performance monitoring platform that tightly integrates with other smart building management systems, such as physical access control, HVAC, lighting, and time/attendance control.
    Answer: A is incorrect. Airwave Management Platform (AMP) is wireless network management software. It offers centralized control for Wi-Fi networks. Some of its common features are access point configuration management, reporting, user tracking, help desk views, and rogue AP discovery.
    Answer: C is incorrect. akk@da is a simple network monitoring system. It is designed for small and middle size computer networks. Its function is to quickly detect the system or network faults and display the information about detected faults to the administrators. The information is collected by it in every single minute (a user can decrease this period to 1 second). Approximately all the services of the monitored hosts are discovered automatically.
    Answer: B is incorrect. Andrisoft WANGuard Platform offers solutions for various network issues such as WAN links monitoring, DDoS detection and mitigation, traffic accounting, and graphing.

12. Sam works as a Network Administrator for Blue Well Inc. All client computers in the company run the Windows Vista operating. Sam creates a new user account. He wants to create a temporary password for the new user such that the user is forced to change his password when he logs on for the first time. Which of the following options will he choose to accomplish the task?

    • User cannot change password
    • Delete temporary password at next logon
    • User must change password at next logon
    • Password never expires
    Explanation:
    Enabling the user must change password at next logon option will make the given password a temporary password. Enabling this option forces, a user to change his existing password at next logon.
    Answer: B is incorrect. There is no such option in Windows Vista.
    Answer: D is incorrect. This option sets the password to never expire.
    Answer: A is incorrect. This option sets the existing password as a permanent password for the user. Only administrators can change the password of the user.

13. You work as a Web Developer for XYZ CORP. The company has a Windows-based network. You have been assigned the task to secure the website of the company. To accomplish the task, you want to use a website monitoring service.

    What are the tasks performed by a website monitoring service?

    • It checks the health of various links in a network using end-to-end probes sent by agents located at vantage points in the network.
    • It checks SSL Certificate Expiry.
    • It checks HTTP pages.
    • It checks Domain Name Expiry.
    Explanation:
    Website monitoring service can check HTTP pages, HTTPS, FTP, SMTP, POP3, IMAP, DNS, SSH, Telnet, SSL, TCP, PING, Domain Name Expiry, SSL Certificate Expiry, and a range of other ports with great variety of check intervals from every four hours to every one minute. Typically, most website monitoring services test a server anywhere between once-per hour to once-per-minute. Advanced services offer in-browser web transaction monitoring based on browser add-ons such as Selenium or iMacros. These services test a website by remotely controlling a large number of web browsers. Hence, it can also detect website issues such a JavaScript bugs that are browser specific.
    Answer: A is incorrect. This task is performed under network monitoring. Network tomography deals with monitoring the health of various links in a network using end-to-end probes sent by agents located at vantage points in the network/Internet.

14. Which of the following statements is true about residual risks?

    • It is the probabilistic risk after implementing all security measures.
    • It can be considered as an indicator of threats coupled with vulnerability.
    • It is a weakness or lack of safeguard that can be exploited by a threat.
    • It is the probabilistic risk before implementing all security measures.
    Explanation:
    The residual risk is the risk or danger of an action or an event, a method or a (technical) process that still conceives these dangers even if all theoretically possible safety measures would be applied. The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats vulnerability).
    Answer: B is incorrect. In information security, security risks are considered as an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that risk on the organization. Security risks can be mitigated by reviewing and taking responsible actions based on possible risks.
    Answer: C is incorrect. Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Vulnerability has been variously defined in the current context as follows:
    1.A security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation and such.
    2.Weakness in an information system or components (e.g. system security procedures, hardware design, or internal controls that could be exploited to produce an information-related misfortune.)
    3. The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.

15. Which of the following tools is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b and supports all high level protocols such as TCP/IP, NetBEUI, and IPX?

    • SamSpade
    • John the Ripper
    • Cheops-ng
    • AiroPeek
    Explanation:
    AiroPeek is a Windows-based commercial wireless LAN analyzer for IEEE 802.11b. It supports all high level protocols such as TCP/IP, NetBEUI, IPX, etc. It can be used to perform the following tasks:
    – Site surveys
    – Security assessments
    – Channel scanning
    – Real time and past capture
    – WEP decryption
    – Client troubleshooting
    – WLAN monitoring
    – Remote WLAN analysis
    – Application layer protocol analysis ting tool
    Answer: A is incorrect. Sam Spade is a penetration-testing tool that is used in the discovery phase. It provides GUI graphics and a lot of functionalities. It can perform mainly who is queries, ping requests, DNS requests, tracerouting, OS finger-printing, zone transferring, SMTP mail relay checking, and Web site crawling and mirroring. Sam Spade runs on Windows operating systems.
    Answer: B is incorrect. John the Ripper is a fast password cracking tool that is available for most versions of UNIX, Windows, DOS, BeOS, and Open VMS. It also supports Kerberos, AFS, and Windows NT/2000/XP/2003 LM hashes. John the Ripper requires a user to have a copy of the password file.
    Answer: C is incorrect. Cheops-ng is a network management tool that is used for mapping and monitoring networks. It can detect a network of a host and provides OS detection for hosts. On some services, Cheops-ng is able to see what program is running for a service and what is the version number of that program. The main difference between Cheops and Cheops-ng is that Cheops-ng does not have monitoring capabilities.

16. On which of the following does a CGI program execute?

    • Router
    • Web server
    • Client
    • Client and Web server
    Explanation:
    The Common Gateway Interface (CGI) specification is used for creating executable programs that run on a Web server. CGI defines the communication link between a Web server and Web applications. It gives a network or Internet resource access to specific programs. For example, when users submit an HTML form on a Web site, CGI is used to pass this information to a remote application for processing, and retrieve the results from the application. It then returns these results to the user by means of an HTML page.
    Answer: A is incorrect. CGI programs do not execute on routers.

17. Which of the following is required by a Web-based application to connect to a database?

    • DSN
    • DNS
    • CGI
    • FQDN
    Explanation:
    A Web-based application uses Data Source Name (DSN) to connect to a database. DSN is a logical name used by Open Database Connectivity (ODBC) to refer to connection information required to access data.
    Answer: C is incorrect. The Common Gateway Interface (CGI) specification is used for creating executable programs that run on a Web server. CGI defines the communication link between a Web server and Web applications. It gives a network or Internet resource access to specific programs. For example, when users submit an HTML form on a Web site, CGI is used to pass this information to a remote application for processing, and retrieve the results from the application. It then returns these results to the user by means of an HTML page.
    Answer: D is incorrect. Fully Qualified Domain Name (FQDN) is a unique name of a host or computer, which represents its position in the hierarchy. An FQDN begins with a host name and ends with the top-level domain name. FQDN includes the second-level domain and other lower level domains.
    For example, the FQDN of the address HTTP://WWW.UNI.ORG will be WWW.UNI.ORG where WWW is the host name, UNI is the second-level domain, and ORG is the top-level domain name.
    Answer: B is incorrect. Domain Name System (DNS) is a hierarchical naming system used for locating domain names on private TCP/IP networks and the Internet. It provides a service for mapping DNS domain names to IP addresses and vice versa. DNS enables users to use friendly names to locate computers and other resources on an IP network. TCP/IP uses IP addresses to locate and connect to hosts, but for users, it is easier to use names instead of IP address to locate or connect to a site.
    For example, users will be more comfortable in using the host name www.mycompany.com rather than using its IP address XX.XXX.XX.XXX.

18. What is the purpose of Cellpadding attribute of <Table> tag?

    • Cellpadding is used to set the width of cell border and its content.
    • Cellpadding is used to set the width of a table.
    • Cellpadding is used to set the space between the cell border and its content.
    • Cellpadding is used to set the space between two cells in a table.
    Explanation:
    Cellpadding attribute is used to set the space, in pixels, between the cell border and its content. If you have not set the value of Cellpadding attribute for a table, the browser takes the default value as 1.

19. You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to see the local device files or ‘links to device files’ for a non-standard device driver.

    Which of the following Unix configuration files should you use to accomplish the task?

    • profile
    • /etc/bootptab
    • /dev/MAKEDEV
    • /etc/aliases
    Explanation:
    In Unix, the /dev/MAKEDEV file is used by system administrators for local device files or links to device filesfor a non-standard device driver.
    Answer: A is incorrect. In Unix, the profile file stores the system wide environment and startup script program.
    Answer: D is incorrect. In Unix, the /etc/aliases file is where the user’s name is matched to a nickname fore-mail.
    Answer: B is incorrect. In Unix, the /etc/bootptab/ file contains the configuration for the BOOTP server daemon.

20. Which of the following firewalls inspects the actual contents of packets?

    • Circuit-level firewall
    • Stateful inspection firewall
    • Packet filtering firewall
    • Application-level firewall
    Explanation:
    The application level firewall inspects the contents of packets, rather than the source/destination or connection between the two. An Application level firewall operates at the application layer of the OSI model.
    Answer: A is incorrect. The circuit-level firewall regulates traffic based on whether or not a trusted connection has been established. It operates at the session layer of the OSI model.
    Answer: C is incorrect. The packet filtering firewall filters traffic based on the headers. It operates at the network layer of the OSI model.
    Answer: B is incorrect. The stateful inspection firewall assures the connection between the two parties is valid and inspects packets from this connection to assure the packets are not malicious.