Q331. Leonard is a systems administrator who has been tasked by his supervisor to slow down or lessen the amount of SPAM their company receives on a regular basis. SPAM being sent to company email addresses has become a large problem within the last year for them. Leonard starts by adding SPAM prevention software at the perimeter of the network. He then builds a black list, white list, turns on MX callbacks, and uses heuristics to stop the incoming SPAM. While these techniques help some, they do not prevent much of the SPAM from coming in. Leonard decides to use a technique where his mail server responds very slowly to outside connected mail servers by using multi-line SMTP responses. By responding slowly to SMTP connections, he hopes that SPAMMERS will see this and move on to easier and faster targets. 

What technique is Leonard trying to employ here to stop SPAM? 

A. To stop SPAM, Leonard is using the technique called Bayesian Content Filtering 

B. Leonard is trying to use the Transparent SMTP Proxy technique to stop incoming SPAM 

C. This technique that Leonard is trying is referred to as using a Sender Policy Framework to aid in SPAM prevention 

D. He is using the technique called teergrubing to delay SMTP responses and hopefully stop SPAM 

Answer: D

Explanation: Teergrubing FAQ 

What does a UBE sender really need? What does he sell? 

A certain amount of sent E-Mails per minute. This product is called Unsolicited Bulk E-Mail. 

How can anyone hit an UBE sender? 

By destroying his working tools. 

What? 

E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources. 

If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts. 

A teergrube is a modified MTA (mail transport agent) able to do this to specified senders. 

Incorrect answer: 

Sender Policy Framework (SPF) deals with allowing an organization to publish “Authorized” SMTP servers for their organization through DNS records. 


Q332. Bob has been hired to do a web application security test. Bob notices that the site is dynamic and infers that they mist be making use of a database at the application back end. Bob wants to validate whether SQL Injection would be possible. 

What is the first character that Bob should use to attempt breaking valid SQL requests? 

A. Semi Column 

B. Double Quote 

C. Single Quote 

D. Exclamation Mark 

Answer: C

Explanation: In SQL single quotes are used around values in queries, by entering another single quote Bob tests if the application will submit a null value and probably returning an error. 


Q333. A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate? 

A. The system has crashed 

B. A buffer overflow attack has been attempted 

C. A buffer overflow attack has already occurred 

D. A firewall has been breached and this is logged 

E. An intrusion detection system has been triggered 

Answer: B

Explanation: Terminator Canaries are based on the observation that most buffer overflows and stack smash attacks are based on certain string operations which end at terminators. The reaction to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known. 


Q334. Network Intrusion Detection systems can monitor traffic in real time on networks. 

Which one of the following techniques can be very effective at avoiding proper detection? 

A. Fragmentation of packets. 

B. Use of only TCP based protocols. 

C. Use of only UDP based protocols. 

D. Use of fragmented ICMP traffic only. 

Answer: A

Explanation: If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim. 


Q335. Jimmy, an attacker, knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database? 

A. Jimmy can submit user input that executes an operating system command to compromise a target system 

B. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system 

C. Jimmy can utilize an incorrect configuration that leads to access with higher-than-expected privilege of the database 

D. Jimmy can gain control of system to flood the target system with requests, preventing legitimate users from gaining access 

Answer: B

Explanation: SQL injection is a security vulnerability that occurs in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. 


Q336. What does ICMP (type 11, code 0) denote? 

A. Unknown Type 

B. Time Exceeded 

C. Source Quench 

D. Destination Unreachable 

Answer: B

Explanation: An ICMP Type 11, Code 0 means Time Exceeded [RFC792], Code 0 = Time to Live exceeded in Transit and Code 1 = Fragment Reassembly Time Exceeded. 


Q337. What are the limitations of Vulnerability scanners? (Select 2 answers) 

A. There are often better at detecting well-known vulnerabilities than more esoteric ones 

B. The scanning speed of their scanners are extremely high 

C. It is impossible for any, one scanning product to incorporate all known vulnerabilities in a timely manner 

D. The more vulnerabilities detected, the more tests required 

E. They are highly expensive and require per host scan license 

Answer: AC


Q338. John is using a special tool on his Linux platform that has a database containing signatures to be able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool? 

A. hping2 

B. nessus 

C. nmap 

D. make 

Answer: B


Q339. Exhibit: 

You are conducting pen-test against a company’s website using SQL Injection techniques. You enter “anuthing or 1=1-“ in the username filed of an authentication form. This is the output returned from the server. 

What is the next step you should do? 

A. Identify the user context of the web application by running_ 

http://www.example.com/order/include_rsa_asp?pressReleaseID=5 

AND 

USER_NAME() = ‘dbo’ 

B. Identify the database and table name by running: 

http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype=’U’),1))) > 109 

C. Format the C: drive and delete the database by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell ‘format c: /q /yes ‘; drop database myDB; --

D. Reboot the web server by running: http://www.example.com/order/include_rsa.asp?pressReleaseID=5 AND xp_cmdshell ‘iisreset –reboot’; --

Answer: A


Q340. Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. He renamed the Administrator account to a new name that can’t be easily guessed but there remain people who attempt to compromise his newly renamed administrator account. How can a remote attacker decipher the name of the administrator account if it has been renamed? 

A. The attacker guessed the new name 

B. The attacker used the user2sid program 

C. The attacker used to sid2user program 

D. The attacker used NMAP with the V option 

Answer: C

Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.