GCIH Online Practice Questions and Answers

Questions 4

Which of the following takes control of a session between a server and a client using TELNET, FTP, or any other non-encrypted TCP/IP utility?

A. Dictionary attack

B. Session Hijacking

C. Trojan horse

D. Social Engineering

Questions 5

Adam works as an Incident Handler for Umbrella Inc. His recent actions towards the incident are not up to the standard norms of the company. He always forgets some steps and procedures while handling responses as they are very hectic to perform.

Which of the following steps should Adam take to overcome this problem with the least administrative effort?

A. Create an incident manual and read it every time an incident occurs.

B. Appoint someone else to check the procedures.

C. Create incident checklists.

D. Create a new sub-team to keep check.

Questions 6

A user is sending a large number of protocol packets to a network in order to saturate its resources and to disrupt connections to prevent communications between services. Which type of attack is this?

A. Vulnerability attack

B. Impersonation attack

C. Social Engineering attack

D. Denial-of-Service attack

Questions 7

John works as an Ethical Hacker for PassGuide Inc. He wants to find out the ports that are open in PassGuide's server using a port scanner. However, he does not want to establish a full TCP connection.

Which of the following scanning techniques will he use to accomplish this task?

A. TCP FIN

B. TCP SYN/ACK

C. TCP SYN

D. Xmas tree

Questions 8

FILL BLANK

Fill in the blank with the correct numeric value.

ARP poisoning is achieved in ______ steps.

A. 2

Questions 9

Which of the following tools is used for port scanning?

A. NSLOOKUP

B. NETSH

C. Nmap

D. L0phtcrack

Questions 10

When containing an incident, who makes the final decision on whether a box should be taken offline?

A. IT auditor

B. Law enforcement

C. Incident handler

D. Management

E. Security department

Questions 11

Which tool is used to provide 128-bit encryption of passwords?

A. John the Ripper

B. LC5

C. passfilt.dll

D. SYSKEY

Questions 12

Which of the following incident handling mistakes would occur as part of the eradication phase?

A. Failure to create working images

B. Mishandling or destroying evidence

C. Failure to report an incident or ask for help

D. Failure to prevent re-infection or repeated compromise

Questions 13

An attacker issues the command shown below. Which of the following best describes what the attacker is attempting to do?

C:\> nc.exe -L -p 43567 -e cmd.exe

A. Start a netcat listener on port 43567 that when connected to will provide access to the Windows Command Prompt

B. Connect to a netcat listener with a process id of 43567 and subsequently receive access to the Windows Command Prompt

C. Connect to a netcat listener on port 43567 and subsequently receive access to the Windows Command Prompt

D. Start a netcat listener with a process id of 43567 that when connected to will provide access to the Windows Command Prompt

Questions 14

In an attempt to contain an incident, the response team shut down a critical server without communicating with the Network Operations team. This led to upset management, poor customer service, and profit loss. The incident has since been closed, and Sam is leading a follow-up meeting.

Which of the following questions is most appropriate for the focus of this meeting?

A. Should these issues be included in the report?

B. Which member of the team turned off the server?

C. What consequences did the organization suffer from the mistake?

D. Do we need to change any steps in our process?

Questions 15

An attacker has gained the ability to sniff client traffic on a local subnet. Which technique would they use to cause clients to reauthenticate to internal applications in an attempt to capture user credentials?

A. Decrement the TTL values of client requests to application servers

B. Spoof client DNS queries for application server lookups

C. Replay captured DHCP client requests and server responses on the network

D. Inject crafted RESET packets with the clients' and servers' IP addresses

Questions 16

Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?

A. Incrementing protocol numbers

B. Consistent set of user agents

C. Sequential protocol methods

D. Predictable set of session identifiers

Questions 17

What is the goal of an attacker who has entered the commands shown in the screenshot?

A. Enumerate listening ports on the target machine

B. Create a mountable snapshot to access older versions of the filesystem

C. Gather password and hash data for off-line cracking

D. Corrupt system backups

Questions 18

During the identification phase of a Web server compromise, you notice the following entries in the web server logs. If "admin" is a valid username, but its corresponding password is not "pass1", and "root" is not a valid username, what can you infer solely from these logs?

A. This is a web spidering attack using wget

B. This is an account harvesting attack

C. This is a session hijacking attack

D. This is a password brute-forcing attack

Exam Code: GCIH
Exam Name: GIAC Certified Incident Handler
Last Update: Apr 23, 2024
Questions: 705 Q&As
