A network security analyst, while conducting penetration testing, is aiming to identify a service account password using the Kerberos authentication protocol. They have a valid user authentication ticket (TGT) and decided to carry out a
Kerberoasting attack.
In the scenario described, which of the following steps should the analyst take next?
A. Carry out a passive wire sniffing operation using Internet packet sniffers
B. Extract plaintext passwords, hashes, PIN codes, and Kerberos tickets using a tool like Mimikatz
C. Perform a PRobability INfinite Chained Elements (PRINCE) attack
D. Request a service ticket for the service principal name of the target service account
Correct Answer: D
A Kerberoasting attack is a technique that exploits the weak encryption of Kerberos service tickets to obtain the password hashes of service accounts that have a Service Principal Name (SPN) associated with them. The attacker can then crack the hashes offline and use the plaintext passwords to impersonate the service accounts and access network resources. A Kerberoasting attack follows these steps: The attacker impersonates a legitimate Active Directory user and authenticates to the Key Distribution Center (KDC) in the Active Directory environment. They then request a Ticket Granting Ticket (TGT) from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user. The attacker enumerates the service accounts that have an SPN using tools like GetUserSPNs.py or PowerView. They then request a service ticket for each SPN from the KDC using their TGT. The KDC grants the service tickets, which are encrypted with the password hashes of the service accounts. The attacker captures the service tickets and takes them offline. They then attempt to crack the password hashes using tools like Hashcat or John the Ripper. They can use various methods, such as brute force, dictionary, or hybrid attacks, to guess the passwords. Alternatively, they can use a PRINCE attack, which is a probabilistic password generation technique that combines common words, patterns, and transformations to generate likely passwords2. Once the attacker obtains the plaintext passwords of the service accounts, they can use them to authenticate as the service accounts and access the network resources that they are authorized to. Therefore, the next step that the analyst should take after obtaining a valid TGT is to request a service ticket for the SPN of the target service account. This will allow them to capture the service ticket and extract the password hash of the service account. References: How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX PRINCE: PRobability INfinite Chained Elements
Question 62:
Sarah, a system administrator, was alerted of potential malicious activity on the network of her company. She discovered a malicious program spread through the instant messenger application used by her team. The attacker had obtained access to one of her teammate's messenger accounts and started sending files across the contact list. Which best describes the attack scenario and what measure could have prevented it?
A. Instant Messenger Applications; verifying the sender's identity before opening any files.
B. Insecure Patch Management; updating application software regularly.
C. Rogue/Decoy Applications; ensuring software is labeled as TRUSTED.
D. Portable Hardware Media/Removable Devices; disabling Autorun functionality.
Correct Answer: A
The attack scenario is best described as Instant Messenger Applications, and the measure that could have prevented it is verifying the sender's identity before opening any files. Instant Messenger Applications are communication tools that allow users to exchange text, voice, video, and file messages in real time. However, they can also be used as attack vectors for spreading malware, such as viruses, worms, or Trojans, by exploiting the trust and familiarity between the users. In this scenario, the attacker compromised one of the team member's messenger account and used it to send malicious files to the other team members, who may have opened them without suspicion, thus infecting their systems. This type of attack is also known as an instant messaging worm. To prevent this type of attack, the users should verify the sender's identity before opening any files sent through instant messenger applications. This can be done by checking the sender's profile, asking for confirmation, or using a secure channel. Additionally, the users should also follow other security tips, such as using strong passwords, updating the application software, scanning the files with antivirus software, and reporting any suspicious activity. References:
1: Instant Messaging Worm - Techopedia
2: Cybersecurity's Silent Foe: A Comprehensive Guide to Computer Worms | Silent Quadrant
4: Increased phishing attacks on instant messaging platforms: how to prevent them | Think Digital Partners
Question 63:
A Certified Ethical Hacker (CEH) is given the task to perform an LDAP enumeration on a target system. The system is secured and accepts connections only on secure LDAP. The CEH uses Python for the enumeration process. After successfully installing LDAP and establishing a connection with the target, he attempts to fetch details like the domain name and naming context but is unable to receive the expected response. Considering the circumstances, which of the following is the most plausible reason for this situation?
A. The Python version installed on the CEH's machine is incompatible with the Idap3 library
B. The secure LDAP connection was not properly initialized due to a lack of 'use_ssl = True' in the server object creation
C. The enumeration process was blocked by the target system's intrusion detection system
D. The system failed to establish a connection due to an incorrect port number
Correct Answer: B
The most plausible reason for the situation is that the secure LDAP connection was not properly initialized due to a lack of `use_ssl = True' in the server object creation. To use secure LDAP (LDAPS), the CEH needs to specify the use_ssl parameter as True when creating the server object with the ldap3 library in Python. This parameter tells the library to use SSL/TLS encryption for the LDAP communication. If the parameter is omitted or set to False, the library will use plain LDAP, which may not be accepted by the target system that only allows secure LDAP connections. For example, the CEH can use the following code to create a secure LDAP server object: from ldap3 import Server, Connection, ALL server = Server('ldaps://', use_ssl=True, get_info=ALL) connection = Connection(server, user='', password='') connection.bind() The other options are not as plausible as option B for the following reasons:
A. The Python version installed on the CEH's machine is incompatible with the ldap3 library: This option is unlikely because the ldap3 library supports Python versions from 2.6 to 3.9, which covers most of the commonly used Python
versions3. Moreover, if the Python version was incompatible, the CEH would not be able to install the library or import it in the code, and would encounter errors before establishing the connection. C. The enumeration process was blocked by
the target system's intrusion detection system: This option is possible but not very plausible because the CEH was able to establish a connection with the target, which means the intrusion detection system did not block the initial handshake.
Moreover, the enumeration process would not affect the response of the target system, but rather the visibility of the results. If the intrusion detection system detected and blocked the enumeration, the CEH would receive an error message or
a blank response, not an unexpected response.
D. The system failed to establish a connection due to an incorrect port number:
This option is incorrect because the CEH was able to establish a connection with the target, which means the port number was correct. If the port number was incorrect, the CEH would not be able to connect to the target system at all, and
would receive a connection refused error.
References:
1: ldap3 - LDAP library for Python
2: How to use LDAPS with Python - Stack Overflow
3: ldap3 2.9 documentation
Question 64:
As a part of an ethical hacking exercise, an attacker is probing a target network that is suspected to employ various honeypot systems for security. The attacker needs to detect and bypass these honeypots without alerting the target. The attacker decides to utilize a suite of techniques. Which of the following techniques would NOT assist in detecting a honeypot?
A. Probing system services and observing the three-way handshake
B. Using honeypot detection tools like Send-Safe Honeypot Hunter
C. Implementing a brute force attack to verify system vulnerability
D. Analyzing the MAC address to detect instances running on VMware
Correct Answer: C
A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system's characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots. The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system's responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. References: What is a Honeypot? Types, Benefits, Risks and Best Practices Using Honeypots for Network Intrusion Detection Detecting Honeypot Access With Varonis
Question 65:
An audacious attacker is targeting a web server you oversee. He intends to perform a Slow HTTP POST attack, by manipulating 'a' HTTP connection. Each connection sends a byte of data every 'b' second, effectively holding up the
connections for an extended period. Your server is designed to manage 'm' connections per second, but any connections exceeding this number tend to overwhelm the system. Given `a=100' and variable 'm', along with the attacker's intention
of maximizing the attack duration 'D=a*b', consider the following scenarios.
Which is most likely to result in the longest duration of server unavailability?
A. m=110, b=20: Despite the attacker sending 100 connections, the server can handle 110 connections per second, therefore likely staying operative, regardless of the hold-up time per connection
B. m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connections exceed this, and with each connection held up for 15 seconds, the attack duration could be significant
C. 95, b=10: Here, the server can handle 95 connections per second, but it falls short against the attacker's 100 connections, albeit the hold-up time per connection is lower
D. m=105, b=12: The server can manage 105 connections per second, more than the attacker's 100 connections, likely maintaining operation despite a moderate hold-up time
Correct Answer: B
A Slow HTTP POST attack is a type of denial-of-service (DoS) attack that exploits the way web servers handle HTTP requests. The attacker sends a legitimate HTTP POST header to the web server, specifying a large amount of data to be sent in the request body. However, the attacker then sends the data very slowly, keeping the connection open and occupying the server's resources. The attacker can launch multiple such connections, exceeding the server's capacity to handle concurrent requests and preventing legitimate users from accessing the web server. The attack duration D is given by the formula D = a * b, where a is the number of connections and b is the hold-up time per connection. The attacker intends to maximize D by manipulating a and b. The server can manage m connections per second, but any connections exceeding m will overwhelm the system. Therefore, the scenario that is most likely to result in the longest duration of server unavailability is the one where a > m and b is the largest. Among the four options, this is the case for option B, where a = 100, m = 90, and b = 15. In this scenario, D = 100 * 15 = 1500 seconds, which is the longest among the four options. Option A has a larger b, but a < m, so the server can handle the connections without being overwhelmed. Option C has a > m, but a smaller b, so the attack duration is shorter. Option D has a > m, but a smaller b and a smaller difference between a and m, so the attack duration is also shorter. References: What is a Slow POST Attack and How to Prevent One? (Guide) Mitigate Slow HTTP GET/POST Vulnerabilities in the Apache HTTP Server - Acunetix What is a Slow Post DDoS Attack? | NETSCOUT
Question 66:
In the process of implementing a network vulnerability assessment strategy for a tech company, the security analyst is confronted with the following scenarios:
1) A legacy application is discovered on the network, which no longer receives updates from the vendor.
2) Several systems in the network are found running outdated versions of web browsers prone to distributed attacks.
3) The network firewall has been configured using default settings and passwords.
4) Certain TCP/IP protocols used in the organization are inherently insecure.
The security analyst decides to use vulnerability scanning software. Which of the following limitations of vulnerability assessment should the analyst be most cautious about in this context?
A. Vulnerability scanning software is limited in its ability to perform live tests on web applications to detect errors or unexpected behavior.
B. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations.
C. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time.
D. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed.
Correct Answer: D
Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might: Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application. Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation. Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services. Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data. Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk. References: [CEHv12 Module 03: Vulnerability Analysis] 7 limitations of vulnerability scanners The pros and cons of vulnerability scanning tools
Question 67:
A large corporate network is being subjected to repeated sniffing attacks. To increase security, the company's IT department decides to implement a combination of several security measures. They permanently add the MAC address of the gateway to the ARP cache, switch to using IPv6 instead of IPv4, implement the use of encrypted sessions such as SSH instead of Telnet, and use Secure File Transfer Protocol instead of FTP. However, they are still faced with the threat of sniffing. Considering the countermeasures, what should be their next step to enhance network security?
A. Use HTTP instead of HTTPS for protecting usernames and passwords.
B. Implement network scanning and monitoring tools.
C. Enable network identification broadcasts.
D. Retrieve MAC addresses from the OS.
Correct Answer: B
Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers,
etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.
The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:
Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC
address with the IP address of the gateway.
Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network. Using encrypted sessions
such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic
protocols.
However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:
Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC
flooding, port mirroring, or VLAN hopping.
Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or
TCP session hijacking.
Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:
Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network. Monitoring the network for abnormal traffic patterns, such as excessive ARP requests,
DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources. Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or
quarantining the infected or compromised devices.
References:
CEHv12 Module 05: Sniffing
Sniffing attacks - Types, Examples and Preventing it How to Prevent and Detect Packet Sniffing Attacks
Understanding Sniffing in Cybersecurity and How to Prevent It
Question 68:
You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has Snort installed, and the second machine (192.168.0.150) has Kiwi Syslog installed. You perform a SYN scan in your network, and you notice that Kiwi Syslog is not receiving the alert message from Snort. You decide to run Wireshark in the Snort machine to check if the messages are going to the Kiwi Syslog machine. What Wireshark filter will show the connections from the Snort machine to Kiwi Syslog machine?
A. tcp.srcport= = 514 andand ip.src= = 192.168.0.99
B. tcp.srcport= = 514 andand ip.src= = 192.168.150
C. tcp.dstport= = 514 andand ip.dst= = 192.168.0.99
D. tcp.dstport= = 514 andand ip.dst= = 192.168.0.150
Correct Answer: D
Question 69:
The change of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1(100%). What is the closest approximate cost of this replacement and recovery operation per year?
A. $1320
B. $440
C. $100
D. $146
Correct Answer: D
1.
AV (Asset value) = $300 + (14 * $10) = $440 - the cost of a hard drive plus the work of a recovery person, i.e.how much would it take to replace 1 asset? 10 hours for resorting the OS and soft + 4 hours for DB restore multiplies by hourly rate of the recovery person.
2.
SLE (Single Loss Expectancy) = AV * EF (Exposure Factor) = $440 * 1 = $440
3.
ARO (Annual rate of occurrence) = 1/3 (every three years, meaning the probability of occurring during 1 years is 1/3)
4.
ALE (Annual Loss Expectancy) = SLE * ARO = 0.33 * $440 = $145.2
Question 70:
Nedved is an IT Security Manager of a bank in his country. One day. he found out that there is a security breach to his company's email server based on analysis of a suspicious connection from the email server to an unknown IP Address. What is the first thing that Nedved needs to do before contacting the incident response team?
A. Leave it as it Is and contact the incident response te3m right away
B. Block the connection to the suspicious IP Address from the firewall
C. Disconnect the email server from the network
D. Migrate the connection to the backup email server
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only EC-COUNCIL exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 312-50V12 exam preparations and EC-COUNCIL certification application, do not hesitate to visit our Vcedump.com to find your solutions here.