GSNA | Improved GSNA Preparation Exams For GIAC Systems And Network Auditor Certification

Exam Code: GSNA (Practice Exam Latest Test Questions VCE PDF)
Exam Name: GIAC Systems and Network Auditor
Certification Provider: GIAC

Free demo questions for GIAC GSNA Exam Dumps Below:


You work as the Network Administrator for XYZ CORP. The company has a Unix-based network. You want to make changes on a per-directory basis. Which of the following Unix configuration files can you use to accomplish the task?

  • A. $HOME/.profile
  • B. $HOME/Xrootenv.0
  • C. $HOME/.htaccess
  • D. /var/log/btmp

Answer: C

In Unix, the $HOME/.htaccess file provides a way to make configuration changes on a per-directory basis. Answer A is incorrect. In Unix, the $HOME/.profile file contains the user's environment settings and startup programs.
Answer B is incorrect. In Unix, the $HOME/Xrootenv.0 file contains networking and environment information. Answer D is incorrect. In Unix, the /var/log/btmp file is used to store information about failed logins.


Which of the following attacks allows the bypassing of access control lists on servers or routers, and helps an attacker to hide? (Choose two)

  • A. DNS cache poisoning
  • B. DDoS attack
  • C. IP spoofing attack
  • D. MAC spoofing

Answer: CD


Either IP spoofing or MAC spoofing attacks can be performed to hide the identity in the network. MAC spoofing is a hacking technique of changing an assigned Media Access Control (MAC) address of a networked device to a different one. The changing of the assigned MAC address may allow the bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another computer. MAC spoofing is the activity of altering the MAC address of a network card. Answer A is incorrect. DNS cache poisoning is a maliciously created or unintended situation that provides data to a caching name server that did not originate from authoritative Domain Name System (DNS) sources. Once a DNS server has received such non-authentic data and caches it for future performance increase, it is considered poisoned, supplying the non-authentic data to the clients of the server. To perform a cache poisoning attack, the attacker exploits a flaw in the DNS software. If the server does not correctly validate DNS responses to ensure that they are from an authoritative source, the server will end up caching the incorrect entries locally and serve them to other users that make the same request. Answer B is incorrect. In a distributed denial of service (DDoS) attack, an attacker uses multiple computers throughout the network that have been previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. TFN, TRIN00, etc. are tools used for a DDoS attack.


You work as an IT Technician for XYZ CORP. You have to take security measures for the wireless network of the company. You want to prevent other computers from accessing the company's wireless network. On the basis of the hardware address, which of the following will you use as the best possible method to accomplish the task?

  • A. RAS
  • B. MAC Filtering
  • C. SSID
  • D. WEP

Answer: B


MAC filtering is a security access control technique that allows specific network devices to access, or prevents them from accessing, the network. MAC filtering can also be used on a wireless network to prevent certain network devices from accessing the wireless network. MAC addresses are allocated only to hardware devices, not to persons.


Which of the following text editing tools can be used to edit text files without having to open them?

  • A. less
  • B. sed
  • C. vi
  • D. more

Answer: B


The Unix utility sed (stream editor) is a text editing tool that can be used to edit text files without having to open them. This utility parses text files and implements a programming language which can apply textual transformations to such files. It reads input files line by line (sequentially), applying the operation which has been specified via the command line (or a sed script), and then outputs the line. Answer D is incorrect. The more command is used to view (but not modify) the contents of a text file on the terminal, one screen at a time. The syntax of the more command is as follows: more [options] file_name Where,
Answer A is incorrect. The less command is used to view (but not change) the contents of a text file, one screen at a time. It is similar to the more command. However, it has the extended capability of allowing both forward and backward navigation through the file. Unlike most Unix text editors/viewers, less does not need to read the entire file before starting; therefore, it has faster load times with large files. The command syntax of the less command is as follows: less [options] file_name Where,
Answer C is incorrect. The vi editor is an interactive, cryptic, and screen-based text editor used to create and edit a file. It operates in either Input mode or Command mode. In Input mode, the vi editor accepts a keystroke as text and displays it on the screen, whereas in Command mode, it interprets keystrokes as commands. As the vi editor is case sensitive, it interprets the same character or characters as different commands, depending upon whether the user enters a lowercase or uppercase character. When a user starts a new session with vi, he must put the editor in Input mode by pressing the "I" key. If he is not able to see the entered text on the vi editor's screen, it means that he has not put the editor in Insert mode. The user must change the editor to Input mode before entering any text so that he can see the text he has entered.


Many organizations create network maps of their network system to visualize the network and understand the relationship between the end devices and the transport layer that provide services. Which of the following are the techniques used for network mapping by large organizations? Each correct answer represents a complete solution. Choose three.

  • A. Route analytics
  • B. Active Probing
  • C. SNMP-based approaches
  • D. Packet crafting

Answer: ABC


Many organizations create network maps of their network system. These maps can be made manually using simple tools such as Microsoft Visio, or the mapping process can be simplified by using tools that integrate auto network discovery with network mapping. Many of the vendors from the Notable Network Mappers list enable a user to do the following:

  • Customize the maps
  • Include one's own labels
  • Add un-discoverable items
  • Add background images

Sophisticated mapping is used to help visualize the network and understand relationships between end devices and the transport layers that provide service. Items such as bottlenecks and root cause analysis can be easier to spot using these tools. There are three main techniques used for network mapping: SNMP-based approaches, Active Probing, and Route analytics. The SNMP-based approach retrieves data from Router and Switch MIBs in order to build the network map. The Active Probing approach relies on a series of traceroute-like probe packets in order to build the network map. The Route analytics approach relies on information from the routing protocols to build the network map. Each of the three approaches has advantages and disadvantages in the methods that they use. Answer D is incorrect. Packet crafting is a technique that allows probing firewall rule-sets and finding entry points into the targeted system or network. This can be done with a packet generator. A packet generator is a type of software that generates random packets or allows the user to construct detailed custom packets. Packet generators utilize raw sockets. This is useful for testing implementations of IP stacks for bugs and security vulnerabilities.


Which of the following Web attacks is performed by manipulating codes of programming languages such as SQL, Perl, Java present in the Web pages?

  • A. Command injection attack
  • B. Code injection attack
  • C. Cross-Site Scripting attack
  • D. Cross-Site Request Forgery

Answer: B


A code injection attack exists whenever a scripting or programming language is used in a Web page. All that the attacker needs is an error or opening. That opening usually comes in the form of an input field that is not validated correctly. It is not necessary for the code injection attack to be on the Web page. It can be located in the back end as part of a database query of the Web site. If any part of the server uses Java, JavaScript, C, SQL, or any other code between the Internet and the data, it is vulnerable to the code injection attack.
Answer C is incorrect. A cross site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user's system. Cross site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc. Answer A is incorrect. A command injection attack is used to inject and execute commands specified by the attacker in the vulnerable application. The application, which executes unwanted system commands, is like a virtual system shell. The attacker may use it as any authorized system user. However, commands are executed with the same privileges and environment as the application has. The command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker. Answer D is incorrect. Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated.


You work as a Network Administrator of a TCP/IP network. You are having a DNS resolution problem. Which of the following utilities will you use to diagnose the problem?

  • A. PING
  • B. IPCONFIG
  • C. TRACERT
  • D. NSLOOKUP

Answer: D


NSLOOKUP is a tool for diagnosing and troubleshooting Domain Name System (DNS) problems. It performs its function by sending queries to the DNS server and obtaining detailed responses at the command prompt. This information can be useful for diagnosing and resolving name resolution issues, verifying whether or not the resource records are added or updated correctly in a zone, and debugging other server-related problems. This tool is installed along with the TCP/IP protocol through the Control Panel. Answer A is incorrect. The ping command-line utility is used to test connectivity with a host on a TCP/IP-based network. This is achieved by sending out a series of packets to a specified destination host. On receiving the packets, the destination host responds with a series of replies. These replies can be used to determine whether or not the network is working properly. Answer B is incorrect. IPCONFIG is a command-line utility used to display current TCP/IP network configuration values and update or release the Dynamic Host Configuration Protocol (DHCP) allocated leases. It is also used to display, register, or flush Domain Name System (DNS) names. Answer C is incorrect. TRACERT is a route-tracing Windows utility that displays the path an IP packet takes to reach the destination. It shows the Fully Qualified Domain Name (FQDN) and the IP address of each gateway along the route to the remote host.


Mark is an attacker. He wants to discover wireless LANs by listening to beacons or sending probe requests and thereby provide a launch point for further attacks. Which of the following tools can he use to accomplish the task?

  • A. DStumbler
  • B. Wellenreiter
  • C. KisMAC
  • D. Airmon-ng

Answer: ACD


War driving is an attack in which the attacker discovers wireless LANs by listening to beacons or sending probe requests, thereby providing a launch point for further attacks. Airmon-ng, DStumbler, KisMAC, MacStumbler, NetStumbler, Wellenreiter, and WiFiFoFum are the tools that can be used to perform a war driving attack. Answer B is incorrect. Wellenreiter is a tool that is used to perform MAC spoofing attacks.


Which of the following types of evidence is the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person?

  • A. Incontrovertible
  • B. Corroborating
  • C. Direct
  • D. Circumstantial

Answer: D


Circumstantial evidence is the collection of facts that, when considered together, can be used to infer a conclusion about the malicious activity/person. Answer B is incorrect. Corroborating evidence is evidence that tends to support a proposition that is already supported by some evidence. Answer A is incorrect. Incontrovertible evidence is a colloquial term for evidence introduced to prove a fact that is supposed to be so conclusive that there can be no other truth as to the matter; evidence so strong, it overpowers contrary evidence, directing a fact-finder to a specific and certain conclusion. Answer C is incorrect. Direct evidence is testimony or proof that expressly or straightforwardly proves the existence of a fact.


Which of the following statements are true about KisMAC?

  • A. It scans for networks passively on supported cards.
  • B. It cracks WEP and WPA keys by Rainbow attack or by dictionary attack.
  • C. It is a wireless network discovery tool for Mac OS X.
  • D. Data generated by KisMAC can also be saved in pcap format.

Answer: ACD


KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar to those of Kismet, its Linux/BSD namesake, and far exceeding those of NetStumbler, its closest equivalent on Windows. The program is geared toward network security professionals, and is not as novice-friendly as similar applications. KisMAC will scan for networks passively on supported cards, including Apple's AirPort and AirPort Extreme and many third-party cards, and actively on any card supported by Mac OS X itself. Cracking of WEP and WPA keys, both by brute force and by exploiting flaws such as weak scheduling and badly generated keys, is supported when a card capable of monitor mode is used, and packet reinjection can be done with a supported card. GPS mapping can be performed when an NMEA compatible GPS receiver is attached. Data can also be saved in pcap format and loaded into programs such as Wireshark.


You have just installed a Windows 2003 server. What action should you take regarding the default shares?

  • A. Disable them only if this is a domain server.
  • B. Disable them.
  • C. Make them hidden shares.
  • D. Leave them, as they are needed for Windows Server operations.

Answer: B


Default shares should be disabled, unless they are absolutely needed. They pose a significant security risk by providing a way for an intruder to enter your machine. Answer A is incorrect. Whether this is a domain server, a DHCP server, a file server, or database server does not change the issue with shared drives/folders. Answer C is incorrect. They cannot be hidden. Shared folders are, by definition, not hidden but rather available to users on the network. Answer D is incorrect. These are not necessary for Windows Server operations.


John works as a Network Administrator for Perfect Solutions Inc. The company has a Linux-based network. John is working as a root user on the Linux operating system. He wants to break a data.txt file, 200MB in size, into two files in which the size of the first file named data.txt.aa should be 150MB and that of the second file named data.txt.ab should be 50MB. To accomplish his task and to further delete the data.txt file, he enters the following command:

split --verbose -b 150m data.txt data.txt. ; rm -vf data.txt

Which of the following commands can John use to join the split files into a new data.txt file?

  • A. vi data.txt.* > data.txt
  • B. less data.txt.* > data.txt
  • C. vi data.txt.*
  • D. cat data.txt.* > data.txt

Answer: D


The cat data.txt.* command will display both the split files, and the > operator will redirect the output into a new data.txt file.


An executive in your company reports odd behavior on her PDA. After investigation you discover that a trusted device is actually copying data off the PDA. The executive tells you that the behavior started shortly after accepting an e-business card from an unknown person. What type of attack is this?

  • A. Session Hijacking
  • B. Bluesnarfing
  • C. Privilege Escalation
  • D. PDA Hijacking

Answer: B


Bluesnarfing is a rare attack in which an attacker takes control of a Bluetooth-enabled device. One way to do this is to get your PDA to accept the attacker's device as a trusted device.


John works as a Security Professional. He is assigned a project to test the security of John wants to get the information of all network connections and listening ports in the numerical form. Which of the following commands will he use?

  • A. netstat -e
  • B. netstat -r
  • C. netstat -s
  • D. netstat -an

Answer: D


According to the scenario, John will use the netstat -an command to accomplish the task. The netstat -an command is used to get the information of all network connections and listening ports in the numerical form. The netstat command displays protocol-related statistics and the state of current TCP/IP connections. It is used to get information about the open connections on a computer, incoming and outgoing data, as well as the ports of remote computers to which the computer is connected. The netstat command gets all this networking information by reading the kernel routing tables in the memory. Answer A is incorrect. The netstat -e command displays the Ethernet information. Answer B is incorrect. The netstat -r command displays the routing table information. Answer C is incorrect. The netstat -s command displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP.


You work as a Security manager for Qualoxizz Inc. Your company has a number of network switches in the site network infrastructure. Which of the following actions will you perform to ensure the security of the switches in your company?

  • A. Open up all the unused management ports.
  • B. Set similar passwords for each management port.
  • C. Set long session timeouts.
  • D. Ignore usage of the default account settings.

Answer: D


A switch with a management port using a default user account permits an attacker to intrude inside by making connections using one or more of the well-known default user accounts (e.g., administrator, root, security). Therefore, the default account settings should not be used. Answer A is incorrect. The unused management ports on a switch should always be blocked to prevent port scanning attacks from the attackers. Answer B is incorrect. Setting similar passwords on all management ports increases the vulnerability of password cracking. The matching passwords on all ports can be used by the attacker to break into all ports once the password of one of the ports is known. Answer C is incorrect. Short timeout sessions should always be set to reduce the session period. If the connections to a management port on a switch do not have a timeout period set or have a large timeout period (greater than 9 minutes), then the connections will be more available for an attacker to hijack them.


Which of the following applications work as mass-emailing worms? (Choose two)

  • A. Chernobyl virus
  • B. I LOVE YOU virus
  • C. Nimda virus
  • D. Melissa virus

Answer: BC


The Nimda and I LOVE YOU viruses work as mass-emailing worms.


Which of the following is the most secure place to host a server that will be accessed publicly through the Internet?

  • A. A DNS Zone
  • B. An Intranet
  • C. A stub zone
  • D. A demilitarized zone (DMZ)

Answer: D


A demilitarized zone (DMZ) is the most secure place to host a server that will be accessed publicly through the Internet. Demilitarized zone (DMZ) or perimeter network is a small network that lies in between the Internet and a private network. It is the boundary between the Internet and an internal network, usually a combination of firewalls and bastion hosts that are gateways between inside networks and outside networks. DMZ provides a large enterprise network or corporate network the ability to use the Internet while still maintaining its security. Answer B is incorrect. Hosting a server on the intranet for public access will not be good from a security point of view.

