Wednesday, April 10, 2019

Exam of the Master in Cybersecurity (IE School of HST) 2018 / 2019

As many of you already know, I teach on the Master in Cybersecurity at the IE School of HST. Every year around this time, it is time to put to the test the knowledge my students have acquired over the different sessions we have spent together. Directly or indirectly, the exam reviews all the concepts I have given them through the slides, hands-on sessions and the exercises they have to complete each week.

Below you will see the multiple-choice part of this year's exam, which they have to complete on paper during a one-and-a-half-hour exam in which they must also complete a practical part with exercises on XSS, SQLi, OSINT, cryptography and password cracking, among many other things...

If you feel like it, you can also take it yourselves and find out how your knowledge stands. The master's programme is taught in English, so I am giving you the exam as it is, with a few small variations }:)


What is the primary goal of an Ethical Hacker?
    A. Avoiding detection
    B. Determining return on investment (ROI) for security measures
    C. Resolving security vulnerabilities
    D. Testing security controls

An ethical hacker is hired by an organization to gain remote access to their internal network. He has not received any information about the internal network of the organization. What kind of test is carried out here?

    A. black box testing
    B. grey box testing
    C. white box testing

Mary has added an apostrophe after an ?id= parameter within the URL of a webpage. She now sees an error, saying there was a syntax error. What did Mary find?

    A. Cross-Site Scripting vulnerability
    B. PostgreSQL database exploit
    C. SQL Injection

A site uses dynamically generated content. By making use of a specific technique, it is possible to steal login credentials of the user. Which technique is meant here?

    A. Session Hijacking
    B. SQL injection
    C. Cross Site Scripting (XSS)

You have found a live system on IP address Which nmap command lets you detect the Operating System of a target?

    A. nmap -O
    B. nmap -Os
    C. nmap -os

A service scan including fingerprint showed that a target machine is running Apache 2.2.14. What could be the next step to check if this service is vulnerable?

    A. Check online resources such as Exploit-DB, OSVDB for known vulnerabilities.
    B. Use nslookup to determine Apache configuration and patch level.
    C. Use burp to gain access to the machine through this service.

If you know the table and column names of a database, you can expand your SQL Injection to retrieve data. What should you use?


Before beginning the ethical hack at a client, a penetration tester should always be prepared for any legal issues. What should the penetration tester do to prevent legal liability?

    A. Analyze the environment of the client to see if there are any vulnerabilities that might cause issues before the actual ethical hack.
    B. Sign a contract with the client before performing the ethical hack.
    C. Talk to the client before the test and make sure whether the test has to be a black, grey or white box test.

At what point in the Ethical Hacking process is the attacker most likely to use a port scanning tool?

    A. Attack execution
    B. Attack preparation
    C. Information gathering
    D. Report writing

A penetration tester wants to know what IP addresses are currently active on the network. He uses nmap to do so. What nmap switch does he need to perform this test?

    A. -sU
    B. -sO
    C. -sP

A client has said that he created a case-insensitive filter for 'script' from being inserted in any forms to prevent an XSS PoC. How can you bypass this?

    A. <sCrIPt>alert(1);</ScRiPT>
    B. <javascript>alert(1);</script>
    C. <img src=x onerror=alert(1)>

A hacker managed to find an XSS vulnerability. Now she wants to take over sessions. Where does she need the data retrievable from?

    A. document.session
    B. session.cookie
    C. document.cookie

When creating an XSS PoC, what is the function that provides a pop-up?

    A. popup()
    B. alert()
    C. window.popup()

A penetration tester is asked to scan a machine, but is only allowed to check if TCP/IP ports 21, 22, 80 and 443 are open. What should she use?

    A. nmap -vv -A -p 21,22,80,https <target>
    B. nmap -vv -p 21,22,80,443 <target>
    C. nmap -sV ftp, ssh, http, https <target>

An Ethical Hacker is asked to perform a penetration test for a client and all he has received is a URL. What kind of test is this?

    A. Black box penetration test
    B. Black hat hacking test
    C. White box penetration test

A penetration tester is testing a web application. To check for vulnerabilities she decides to check if SQL injections are possible. Which character is typically used first by the penetration tester?

    A. Dollar sign
    B. Semicolon
    C. Single quote

An ethical hacker is trying to breach a website through SQL Injection. He also changed the User-Agent HTTP header sent by his browser. What can he achieve with this action?

    A. He acquires a matching SSL connection.
    B. He obtains better performance of the website so that it responds faster to his requests.
    C. He prevents forensics from revealing the real browser that was used during the attack.

When looking at webserver log files, Pete wants to know what browser was used during the attack against his website. Pete should look for information that is generally being sent through the <answer> header. Which <answer> header does it concern?

    A. Accept-Language:
    B. Host:
    C. User-Agent:

A company has suffered from a DDoS attack. They have the IP address of the attacker and want to contact their Internet Service Provider to report an abuse. What must they perform?

    A. DNS Lookup
    B. GeoIP Location Lookup
    C. WHOIS Lookup

A penetration tester is scanning the network environment of his client with a tool. This tool has the following properties:

 - It uses a ranking to show the impact of a vulnerability.
 - It detects all sorts of vulnerabilities on various operating systems such as Windows, Linux and Mac OS.
 - It is able to detect bots, trojans and other malware that might be installed on the computers connected to the network.

What is the name of the tool the penetration tester is using?

    A. Nessus
    B. Nmap
    C. Nikto

What will an open port return from an ACK scan?

    A. Nothing
    B. SYN/ACK
    C. RST
    D. FIN

Port scanning can be used as part of a technical assessment to determine network vulnerabilities. The TCP XMAS scan is used to identify listening ports on the targeted system. If a scanned port is open, what happens?

    A. The port will ignore the packets
    B. The port will send an RST
    C. The port will send a SYN
    D. The port will send an ACK

Passive reconnaissance involves collecting information through which of the following?

    A. Social engineering
    B. Network traffic sniffing
    C. Man in the middle attacks
    D. Publicly accessible sources

What is the default Password Hash Algorithm used by NTLMv2?

    A. MD4
    B. DES
    C. SHA-1
    D. MD5

Which property ensures that a hash function will not produce the same hashed value for two different messages?

    A. Collision resistance
    B. Bit length
    C. Key strength
    D. Entropy

This method is used to determine the Operating system and version running on a remote target system. What is it called?

    A. Service Degradation
    B. OS Fingerprinting
    C. Manual Target System
    D. Identification Scanning

Which of the following is designed to identify malicious attempts to penetrate systems?

    A. Intrusion Detection System
    B. Router
    C. Proxy
    D. Firewall

PGP, SSL, and IKE are all examples of which type of cryptography?

    A. Hash Algorithm
    B. Secret Key
    C. Public Key
    D. Digest

NTP allows you to set the clocks on your systems very accurately, to within 100 ms and sometimes even 10 ms. Knowing the exact time is extremely important for enterprise security. Various security protocols depend on an accurate source of time information in order to prevent "playback" (replay) attacks.

These protocols tag their communications with the current time, to prevent attackers from replaying the same communications, e.g., a login/password interaction or even an entire communication, at a later date.
This tagging can be circumvented if the clock can be set back to the time the communication was recorded.
An attacker attempts to corrupt the clocks on the devices on your network.
You run Wireshark to capture the NTP traffic and see if there are any irregularities on the network.
Which port number should you use in the Wireshark display filter to view NTP packets?

    A. TCP Port 124
    B. UDP Port 125
    C. UDP Port 123
    D. TCP Port 126

You can find XSS vulnerabilities in which of the following?

    A. Search fields that echo a search string back to the user
    B. HTTP headers
    C. Input fields that echo user data
    D. All of the above

Software developers should escape all characters (including spaces but excluding alphanumeric characters) with the HTML entity &#xHH; format to prevent what type of attack?

    A. DDoS attacks
    B. XSS attacks
    C. CSRF attacks
    D. Brute-force attacks

Which of the following tools is used to perform a credential brute force attack?

    A. Hydra
    B. John the Ripper
    C. Hashcat
    D. Peach

Jason, a penetration tester, is testing a web application that he knows is vulnerable to an SQL injection but the results of the injection are not visible to him.

He tried the WAITFOR DELAY command to check the SQL execution status, which confirmed the presence of the SQL injection vulnerability.
Which type of SQL injection is Jason attempting on the web application?

    A. Blind SQL injection
    B. Error-based SQL injection
    C. UNION SQL Injection
    D. Simple SQL Injection

What are the limitations of vulnerability scanners? (Select 2 answers)

    A. They are often better at detecting well-known vulnerabilities than more esoteric ones
    B. The scanning speed of these scanners is extremely high
    C. It is impossible for any one scanning product to incorporate all known vulnerabilities in a timely manner
    D. The more vulnerabilities detected, the more tests required
    E. They are highly expensive and require per host scan license

In order to compromise or hack a system or network, hackers go through various phases of hacking. What is the first hacking phase that hackers perform to gather information about a target prior to launching an attack?

    A. Reconnaissance
    B. Scanning
    C. Gaining Access
    D. Maintaining Access
    E. Clearing Tracks

Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?

    A. Nmap
    B. John the Ripper
    C. Snort
    D. Nikto

Which tool queries publicly available databases that contain domain name registration contact information?

    A. burp
    B. nikto
    C. whois
    D. nslookup

Which type of scan does NOT open a full TCP connection?

    A. Stealth Scan
    B. XMAS Scan
    C. Null Scan
    D. FIN Scan

What is the best description of SQL Injection?

    A. It is an attack used to gain unauthorized access to a database.
    B. It is an attack used to modify code in an application.
    C. It is a Man-in-the-Middle attack between your SQL Server and Web App Server.
    D. It is a Denial of Service Attack.

What techniques would you use to evade IDS during a Port Scan? (Select 4 answers)

    A. Use fragmented IP packets
    B. Spoof your IP address when launching attacks and sniff responses from the server
    C. Overload the IDS with Junk traffic to mask your scan
    D. Use source routing (if possible)
    E. Connect to proxy servers or compromised Trojaned machines to launch attacks

The TCP SYN Flood attack abuses the three-way handshake mechanism.

 1. An attacker at system A sends a SYN packet to the victim at system B
 2. System B sends a SYN/ACK packet back to system A
 3. In a normal three-way handshake, system A should now send an ACK packet to system B; however, system A does not send the ACK packet. In this case system B is left waiting for an ACK packet from system A

This state of system B is called _________________

    A. "half-closed"
    B. "half-open"
    C. "full-open"
    D. "xmas-open"
