Preparation for the SPSU Information Security Challenge 2006

1. Overview

The competition consists of two parts: hands-off and hands-on. Part I (the hands-off part) asks each participating student 20 multiple-choice questions covering common knowledge of the administrative and protective duties for a computer network; students answer these questions on paper for the hands-off grade. Part II (the hands-on part) is an ethical hacking practice. This document gives you a number of questions to prepare for the hands-off part of the competition.

 

2. Review Questions

For each question below, please select only one choice which is the best answer to that question.

1.      Persistent cookies could be used to store authentication credentials on client computers after a session terminates. To check whether an application uses persistent cookies, you can log out of the application, close the browser and check _____ to see whether a cookie has been placed there and whether it contains identification or authentication data.

A    \Windows\cookies

B     \Windows\profiles\user\cookies

C    \documents and settings\user\cookies

D    All of the above

 

2.      When a system is described as vulnerable because “non-privileged users can perform privileged functions”, which of the following most likely does not apply?

A    Logging on as an unprivileged user, a tester can create, modify and delete user accounts and groups.

B     Logging on as an unprivileged user, a tester can grant, modify and remove file or database permissions.

C    Logging on as an unprivileged user, a tester can list all the readable files with their names and sizes.

D    Logging on as an unprivileged user, a tester can change passwords or certificates of users other than oneself.

 

3.      Which of the following is not possibly a piece of mobile code?

A    ActiveX

B     Java Applets

C    PDF (Portable Document Format)

D    Windows Scripting Host

 

4.      An email message can include executable code if it contains files with any of the following extensions:

A    .wsh, .wsf, .sct.

B     .wsc, .txt, .gif

C    .vbe, .jpg, .java

D    .shs, .img, .bmp

 

5.      To minimize the possibility of a piece of C code being vulnerable to a buffer-overflow-based exploit, examine the source code to make sure:

A    It uses only unsigned values, not signed values.

B     Buffer size should not be smaller than a source buffer.

C    Buffer size should not be greater than a source buffer.

D    Buffer sizes should be defined as a fixed size.

 

6.      Which of the following best describes the difference between hacking and ethical hacking?

A.     Ethical hacking is done for offensive reasons, where hacking is done for defensive reasons.

B.     Ethical hacking is done for defensive reasons, where hacking is done for offensive reasons.

C.     Hacking and ethical hacking are the same thing, because the same toolset is used.

D.     Hacking and ethical hacking differ only by the tools and skill sets that are used.

 

7.      Which of the following answers is not a reason why company employees should understand how attacks take place?

A.     This insight can be used in offensive techniques when needed.

B.     This insight can be used to identify when an attack is around the corner.

C.     This understanding can better prepare staff members to detect and react to attacks.

D.     This understanding can relate to better configurations of countermeasures.

 

8.      There are several reasons why so many different attacks are successful today. Which of the following reasons is not an example of this?

A.     The LOC of software is increasing.

B.     The use of mobile code is decreasing.

C.     The functionality of software is increasing.

D.     The complexity of software and its integration methods with other software is increasing.

 

9.      Which of the following is a true statement?

A.     More and more software vendors are implementing security in an effort to protect the nation’s infrastructure.

B.     Customers are willing to pay more for security if needed and vendors are willing to increase the delay in product delivery for the purposes of security.

C.     Vendors will not increase security in software until the market truly demands it.

D.     It is not up to the customers or the vendors to worry about programming flaws.

 

10.  The best reason for studying and understanding ethical hacking can be described as:

A.     To advance the level and sophistication of the types of attacks that can be carried out.

B.     To advance the hacker’s skill set so that they can identify organizations’ vulnerabilities.

C.     To advance and increase the degree of damage that can result from certain types of attacks.

D.     To advance the knowledge and skill set to better protect from malicious activity.

 

11.  Paul is a network administrator for a company, NoWaySecure, Inc. One day he notices that one of the servers in the DMZ has a smaller number of services running, unnecessary subsystems are disabled, and the system seems more “locked down.” Paul is the only one on the staff who does this type of work on the systems and he is positive he did not implement these changes. Which of the following describes what probably took place?

A.     An attacker got into this system, installed a rootkit, and reconfigured the software so that other attackers could not modify his conquered system.

B.     The operating system is from Microsoft and it comes out of the box locked down in this fashion.

C.     CERT and the FBI have a covert exercise going on to lock down systems that the nation’s infrastructure is dependent upon.

D.     Paul is misreading his log information and misunderstands what he is looking at.

 

12.  Any security evaluation carried out by an ethical attacker contains three main components: preparation, conduct, and conclusion. Which of the following best describes what takes place when carrying out these phases of an evaluation?

A.     Preparation is when non-disclosures and technical reports are signed. Conduct is when the testing and evaluation are carried out. Conclusion is when the report and corrective advice are reported to the organization.

B.     Preparation is when non-disclosures and formal contracts are signed. Conduct is when the testing and corrective advice are reported. Conclusion is when the report and the technical report are prepared.

C.     Preparation is when non-disclosures are signed and corrective advice is reported. Conduct is when the testing and evaluation are carried out and the technical report is prepared. Conclusion is when the formal contract is signed.

D.     Preparation is when non-disclosures and formal contracts are signed. Conduct is when the testing and evaluation are carried out and the technical report is prepared. Conclusion is when the report and corrective advice are reported to the organization.

 

13.  Today, the U.S. has specific federal laws that have been developed to prosecute individuals for different types of computer crimes. Why would a legal team need to also look to state laws for these types of cases?

A    If the damages do not reach $5,000.

B     When the prosecution team wants to implement less strict penalties.

C    If the damages add up to over $20,000.

D    When the prosecution team needs to identify a suspect overseas.

 

14.  The Electronic Communication Privacy Act (ECPA) is made up of which of the following acts and what do they deal with?

A    The Wiretap Act protects data from being illegally captured while being stored, and the Stored Communications Act protects data from being illegally captured while being stored.

B     The Wiretap Act protects data from being illegally captured while it is in transit, and the Stored Communications Act protects data from being illegally captured while being stored.

C    The Wiretap Act protects data from being illegally captured while it is in transit, and the Computer Fraud and Abuse Act protects data from being illegally captured while being stored.

D    The Wiretap Act protects data from being illegally captured while it is in transit, and 18 USC Section 1029 protects data from being illegally captured while being stored.

 

15.  If you choose to install zombies on different computers to carry out a distributed denial-of-service attack, what type of punishment would you most likely be faced with?

A    Fine and/or up to 5 years in prison, up to 10 years if it is a repeated offense.

B     Fine and/or up to 1 year in prison, up to 5 years if it is a repeated offense.

C    Fine and/or up to 2 years in prison, up to 10 years if it is a repeated offense.

D    Fine and/or up to 5 years in prison, up to 5 years if it is a repeated offense.

 

16.  If you reverse-engineer software used to encrypt data protected by copyright law, what law will most likely be used to prosecute you?

A    Computer Fraud and Abuse Act

B     Digital Millennium Copyright Act

C    18 USC Section 1029

D    Electronic Communication Privacy Act

 

17.  John is a security expert who is stress testing a new server in his lab. He notices a security flaw one day and to ensure that his assumptions are correct, he exploits it. Which of the following terms would John be characterized as?

A    White hat

B     Black hat

C    Gray hat

D    Red hat

 

18.  Advocates of full disclosure argue all of the following except which?

A    Full disclosure forces vendors to provide a timely fix.

B     Full disclosure improves the overall security of computer systems.

C    Full disclosure promotes the existence of script kiddies.

D    Full disclosure is the public’s right.

 

19.  According to CERT’s full disclosure policy, when will a software vulnerability be released to the public after it is first reported, assuming all stipulations are met by the vendor?

A    7 days

B     14 days

C    45 days

D    90 days

 

20.  Which disclosure policy states that a vendor has five days to respond to a vulnerability report or the finder can take the information public?

A    CERT

B     OIS

C    FCC

D    Full Disclosure RFP

 

21.  On what type of assessment would you most likely find social engineering attacks?

A    Pen-test

B     Red team

C    System test

D    Vulnerability assessment

 

22.  Of the following choices, who should be the most experienced, technical hacker?

A    Team chief

B     Tech lead

C    Team member

D    Customer

 

23.  What should be the first step in a pen-test?

A    TCP and UDP port scan

B     Alive scan

C    Open source research into information publicly available on Google, Netcraft, etc.

D    War driving

 

24.  Which is the best type of test to find new vulnerabilities in a recently deployed application?

A    Pen-test

B     Red team

C    System test

D    Ad hoc testing

 

25.  Red teaming is best at simulating which threat?

A    Insider threat

B     Script kiddie

C    Automated attack from the Internet

D    Focused hacker attack from the Internet

 

26.  What ICMP response (type and code) will a machine running Microsoft Windows send in response to an ICMP Echo Request Type 8 Code 222 packet?

A    Type 8 Code 0

B     Type 0 Code 222

C    Type 222 Code 0

D    Type 0 Code 0

 

27.  The method used by scanrand to identify legitimate responses is called:

A    ISN (Initial Sequence Number)

B     Reverse Stateful Inspection

C    Inverse SYN Cookies

D    Stateless TCP/IP

 

28.  Which of the following is not a method for active sniffing?

A    ARP spoofing

B     ARP cache poisoning

C    DNS resolver cache poisoning

D    IP address spoofing

 

29.  Paratrace is based on

A    The pen-testing tool scanrand.

B     The clever and fast tool traceroute.

C    The knowledge of common firewall configuration practice.

D    The knowledge of common features of routers and switches.

 

30.  The design idea of paratrace can be best described as

A    It probes through stateful firewalls without getting rejected as unauthorized traffic.

B     It piggybacks on an existing, fully authorized TCP session to a server beyond the firewall.

C    Any legal TCP traffic could be utilized by it to probe the internal network behind the firewall.

D    All of the above.

 

31.  “OS fingerprint” refers to

A    Banner grabbing.

B     Gathering as much information as possible on the target machine.

C    Determining which hosts in the target network are alive and reachable.

D    Learning remote OS types and versions.

 

32.  “Passive sniffing” refers to

A    Listening for frames and analyzing them without affecting the environment in which the sniffer exists.

B     Listening for traffic on switched networks and hub-based networks.

C    Steering the traffic through the sniffing machine before it reaches its destination.

D    ARP cache poisoning.

 

33.  Snort is a

A    Behavior-based network packet analyzer.

B     Lightweight HIDS.

C    Knowledge-based NIDS.

D    Passive fingerprinting tool.

 

34.  What is the name of the Metasploit payload that connects from the exploited machine back to the attacker with a command shell? 

A    winexec

B     winbind

C    winreverse

D    winadduser

 

35.  The most commonly used variable types in C are:

A    single, double, int, float

B     int, char, double, float

C    double, buffer, float, int

D    char, array, string, int

 

36.  The memory structure called a stack can best be described as:

A    A first-in first-out data structure that grows from the highest to the lowest memory addresses on Intel architectures.

B     A first-in last-out data structure that grows from the lowest to the highest memory addresses on Intel architectures.

C    A last-in first-out data structure that grows from the lowest to the highest memory addresses on Intel architectures.

D    A first-in last-out data structure that grows from the highest to the lowest memory addresses on Intel architectures.

 

37.  Which of the following registers are used to control stacks by pointing to the bottom and top of the stack frame?

A    The offset registers: EBP and ESP, respectively.

B     The general purpose registers: EAX and EBX, respectively.

C    The offset registers: EDI and ESI, respectively.

D    The segment registers: stack segment (SS) and extra space (ES), respectively.

 

38.  The statement mov eax, 16h can best be described as:

A    An AT&T format command that moves the value 38 decimal into the register EAX.

B     A NASM format command that moves the value 16 hex into the register EAX.

C    An AT&T format command that moves the value of EAX into memory address 0x16.

D    A NASM format command that moves the value 22 decimal into the register EAX.

 

39.  To compile a program, you would use something like:

A    gcc -d outputname inputname.c

B     gcc -o outputname inputname.c

C    gcc -l links -S simplename -o outputname.o

D    gcc -c inputname.c -o outputnamec

 

40.  What is the main difference between a hacker and a software developer?

A    The hacker has a harder job than the software developer.

B     The hacker has unlimited time, whereas the software developer is constrained in time.

C    The software developer has unlimited time, whereas the hacker is usually competing with others and in a hurry.

D    Money is the major motivating factor that gives the software developer an edge.

 

41.  In assembly code, what does the following code represent?

0x804835c <greeting>:   push %ebp
0x804835d <greeting+1>: mov  %esp, %ebp
0x804835f <greeting+3>: sub  $0x190, %esp
0x8048365 <greeting+9>: push 0xc(%ebp)

A    The epilog

B     The dialog

C    The prolog

D    The function call

 

42.  The process of placing data on the stack and retrieving it later is called:

A    Pushing and popping, respectively.

B     Popping and pushing, respectively.

C    Placing and popping, respectively.

D    Squeezing and pushing, respectively.

 

43.  Which of the following is produced by the following command?

perl -e 'print "0x42" x 5'

A    BBBBB

B     AAAAA

C    4242424242

D    0x420x420x420x420x42

 

44.  What do the following gdb command and results indicate?

(gdb) info reg ebp eip
ebp            0x41414141       0x41414141
eip            0x8048300        0x8048300

A    The ebp was overwritten with A’s, but not eip. Four more bytes are required.

B     The eip was overwritten, then ebp was overwritten. Four fewer bytes are required.

C    The ebp was overwritten with A’s, but not eip. Four fewer bytes are required.

D    The eip was overwritten, then ebp was overwritten. Four more bytes are required.

 

45.  Local exploits are:

A    Harder than remote exploits because you have access to local memory.

B     Easier than remote exploits because you have access to remote memory.

C    Harder than remote exploits because you have access to remote memory.

D    Easier than remote exploits because you have access to local memory.

 

46.  Of the ways to write your own shellcode, the easiest way is to:

A    Start with hex opcodes, which provides the clearest understanding of your code.

B     Start with a higher level language, then assemble directly to obtain the hex opcodes.

C    Start with assembly, then disassemble to obtain the hex codes.

D    Start with assembly, compile into a higher level language, then obtain the hex opcodes.

 

47.  In penetration testing, “privilege escalation” refers to

A    Providing the tester with the publicly available information about the owner of the network or application in question.

B     Identifying vulnerabilities so that the tester can gain access.

C    After gaining access to the target system, the tester acquires the necessary privilege on the target system.

D    Consolidating information gathered to generate a final presentation and deliverables.

 

48.  Why is C important for hacking?

A    It has low-level unchecked access to memory via the use of pointers.

B     It runs faster than other high-level languages and it is not strong-typed.

C    Compilers, libraries, interpreters, OS, and other system programs are usually written in C.

D    All the above.

 

49.  Which of the following is correct?

A    Little Endian stores the low-order byte of a number in memory at the lowest address.

B     Big Endian stores the low-order byte of a number in memory at the lowest address.

C    Little Endian stores the low-order byte of a number in memory at the highest address.

D    Big Endian stores the high-order byte of a number in memory at the highest address.

 

50.  Shellcode refers to

A    A piece of code that runs in a command shell.

B     A piece of code that will return a remote shell when executed.

C    A piece of self-contained binary code that completes a task that may range from issuing a system command to providing a shell back to the attacker.

D    A piece of self-contained C source code that completes a task on an X86 computer with malicious purposes.

 

3. Notes

Should you need help, please contact Dr. Wang at jwang@spsu.edu.