CySA+ Practice Tests: Ch. 1 Domain 1: Threat Management 1-20 correct answers 2022

Pages: 8
Grade: A+
Uploaded on: 07-12-2022
Written in: 2022/2023

1. Charles wants to use active discovery techniques as part of his reconnaissance efforts. Which of the following techniques fits his criteria?
A. Google searching
B. Using a Shodan search
C. Using DNS reverse lookup
D. Querying a PGP key server
Answer: C. DNS reverse lookup is an active technique. Google and Shodan are both search engines, while a PGP key server does not interact with the target site and is considered passive reconnaissance. If you're not immediately familiar with a technique or technology, you can often reduce the possible options. Here, a Google search and querying a PGP server are obviously not active techniques and can be ruled out, and the Shodan option also says it is a search, making a DNS reverse lookup a good guess, even if you're not familiar with it.

2. During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?
A. Perform a DNS brute-force attack.
B. Use an nmap ping sweep.
C. Perform a DNS zone transfer.
D. Use an nmap stealth scan.
Answer: A. While it may seem strange, a DNS brute-force attack that queries a list of IPs, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization's IPS! nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn't expect to be able to perform a zone transfer, and if she can, a well-configured IPS should immediately flag the event.

3. Tiffany needs to assess the patch level of a Windows 2012 server and wants to use a freely available tool to check the system for security issues. Which of the following tools will provide the most detail about specific patches installed or missing from her machine?
A. nmap
B. Nessus
C. MBSA
D. Metasploit
Answer: C. The Microsoft Baseline Security Analyzer (MBSA) is a tool provided by Microsoft that can identify installed or missing patches as well as common security misconfigurations. Since it is run with administrative rights, it will provide a better view than normal nmap and Nessus scans and provides more detailed information about specific patches that are installed. Metasploit provides some limited scanning capabilities but is not the best tool for the situation.

4. Charleen is preparing to conduct a scheduled reconnaissance effort against a client site. Which of the following is not typically part of the rules of engagement that are agreed to with a client for a reconnaissance effort?
A. Timing
B. Scope
C. Exploitation methods
D. Authorization
Answer: C. Reconnaissance efforts do not include exploitation, and Charleen should not expect to need to include exploitation limitations in the rules of engagement. If she was conducting a full penetration test, she would need to make sure she fully understands any concerns or limitations her client has about exploitation of vulnerabilities.

5. A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?
A. Oracle
B. Postgres
C. MySQL
D. Microsoft SQL
Answer: C. MySQL uses port 3306 as its default port. Oracle uses 1521, Postgres uses 5432, and Microsoft SQL uses 1433/1434.

6. Maria wants to deploy an anti-malware tool to detect zero-day malware. What type of detection method should she look for in her selected tool?
A. Signature based
B. Heuristic based
C. Trend based
D. Availability based
Answer: B. Heuristic detection methods run the potential malware application and track what occurs. This can allow the anti-malware tool to determine whether the behaviors and actions of the program match those common to malware, even if the file does not match the fingerprint of known malware packages.

7. During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be?
****START****
Starting Nmap 7.25BETA2 ( ) at :08 EDT
Nmap scan report for deptsrv (192.168.2.22)
Host is up (0.00023s latency).
Not shown: 65524 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
7680/tcp  open  unknown
49677/tcp open  unknown
MAC Address: AD:5F:F4:7B:4B:7D (Intel Corporation)
Nmap done: 1 IP address (1 host Up) scanned in 105.78 seconds
*****END*****
A. Determine the reason for the ports being open.
B. Investigate the potentially compromised workstation.
C. Run a vulnerability scan to identify vulnerable services.
D. Reenable the workstation's local host firewall.
Answer: A. Cynthia's first action should be to determine whether there is a legitimate reason for the workstation to have the listed ports open.

8. Charles wants to provide additional security for his web application that currently stores passwords in plain text in a database. Which of the following options is his best option to prevent theft of the database from resulting in exposed passwords?
A. Encrypt the database of plain-text passwords.
B. Use MD5 and a salt.
C. Use SHA-1 and a salt.
D. Use bcrypt.
Answer: D. bcrypt is a strong password hashing algorithm that includes salts for the stored values. If Charles uses bcrypt, he will have made the best choice from the list, as both MD5 and SHA-1 are not as strong, even with a salt. Encrypting the database may seem like a good idea, but storing plain-text passwords means that an exploit that can read the database while it is decrypted will get plain-text passwords!

9. Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C. Which set of the following commands will accomplish this?
****START****
Destination Host IP 192.168.2.11
*FIREWALL*
Host A IP 10.1.1.170
Host B IP 10.2.0.134
Host C IP 10.2.0.130
*****END*****
A.
    # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
    # iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP
    # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
B.
    # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
    # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
    # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
C.
    # iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW
    # iptables -I INPUT 2 -s 10.2.0.0.134 -j ALLOW
    # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP
D.
    # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
    # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
    # iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW
Answer: B. These commands will add filters to the INPUT ruleset that block traffic specifically from hosts A and B, while allowing only port 25 from host C. Option D might appear attractive, but it allows all traffic instead of only SMTP. Option A only drops SMTP traffic from host B (and all of the other hosts in its /24 segment), while Option C allows traffic in from the hosts you want to block!

10. After filling out the scoping document for a penetration test, including details of what tools, techniques, and targets are included in the test, what is the next step that Jessica needs to take to conduct the test?
A. Port scan the target systems.
B. Get sign-off on the document.
C. Begin passive fingerprinting.
D. Notify local law enforcement.
Answer: B. While it may be tempting to start immediately after finishing scoping, Jessica's next step should be to ensure that she has appropriate sign-off and agreement to the scope, timing, and effort involved in the test.

11. Brian's penetration testing efforts have resulted in him successfully gaining access to a target system. Using the diagram shown here, identify what step occurs at point B in the NIST SP800-115 process flow.
****START****
[Gaining Access]->[B]->[System Browsing]->[Install Additional Tools] *arrow back to start*
*****END*****
A. Vulnerability scanning
B. Discovery
C. Escalating privileges
D. Pivoting
Answer: C. The NIST process focuses on escalating privileges before browsing the system. If Brian was fortunate enough to compromise an administrative account remotely, he could skip this step, but in most cases, his next step is to find a local exploit or privilege escalation flaw that will allow him to have more control over the system.

12. Chris wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use ssh?
A. Add an iptables rule blocking root logins.
B. Add root to the sudoers group.
C. Change sshd_config to deny root login.
D. Add a network IPS rule to block root logins.
Answer: C. Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Chris's goal.

13. What term is often used for attackers during a penetration test?
A. Black team
B. Blue team
C. Red team
D. Green team
Answer: C. During penetration tests, red teams are attackers, blue teams are defenders, and the white team establishes the rules of engagement and performance metrics for the test.

14. Charles uses the following command while investigating a Windows workstation used by his organization's vice president of finance who only works during normal business hours. Charles believes that the workstation has been used without permission by members of his organization's cleaning staff after-hours. What does he know if the user ID shown is the only user ID able to log into the system, and he is investigating on August 12, 2017?
****START****
C:\Users\bigfish>wmic netlogin get name,lastlogon,badpasswordcount
BadPasswordCount  LastLogon   Name
                              NT AUTHORITY\SYSTEM
0                 03748.-240  Finance\bigfish
*****END*****
A. The account has been compromised.
B. No logins have occurred.
C. The last login was during business hours.
D. Charles cannot make any determinations from this information.
Answer: A. Charles can see that no invalid logins occurred and that someone logged in as the user after business hours. This means that the account has likely been compromised and that he should
