Question 1

An loT device placed in a hospital for safety measures has sent an alert to the server. The network
traffic has been
captured
and
stored
in
the
Documents
folder
of
the
"Attacker
Machine-1".
Analyze
the loTdeviceTraffic.pcapng file and identify the command the loT device
sent over the network. (Practical Question)

Accepted Answer

D

Explanation: The loT device sent the command Temp_High over the network, which indicates that the temperature in the hospital was above the threshold level. This can be verified by analyzing the loTdeviceTraffic.pcapng file using a network protocol analyzer tool such as Wireshark4. The command Temp_High can be seen in the data field of the UDP packet sent from the loT device (192.168.0.10) to the server (192.168.0.1) at 12:00:03. The screenshot below shows the packet details5: Reference: Wireshark User’s Guide, [loTdeviceTraffic.pcapng]

Question 2

RAT has been setup in one of the machines connected to the network to steal the important
Sensitive corporate docs located on Desktop of the server, further investigation revealed the IP
address of the server 20.20.10.26. Initiate a remote connection using thief client and determine the
number of files present in the folder.
Hint: Thief folder is located at: Z:\CCT-Tools\CCT Module 01 Information Security Threats and
Vulnerabilities\Remote Access Trojans (RAT)\Thief of Attacker Machine-1.

Accepted Answer

C

Explanation: 3 is the number of files present in the folder in the above scenario. A RAT (Remote Access Trojan) is a type of malware that allows an attacker to remotely access and control a compromised system or network. A RAT can be used to steal sensitive data, spy on user activity, execute commands, install other malware, etc. To initiate a remote connection using thief client, one has to follow these steps: Navigate to the thief folder located at Z:\CCT-Tools\CCT Module 01 Information Security Threats and Vulnerabilities\Remote Access Trojans (RAT)\Thief of Attacker Machine-1. Double-click on thief.exe file to launch thief client. Enter 20.20.10.26 as IP address of server. Enter 1234 as port number. Click on Connect button. After establishing connection with server, click on Browse button. Navigate to Desktop folder on server. Count number of files present in folder. The number of files present in folder is 3, which are: Sensitive corporate docs.docx Sensitive corporate docs.pdf Sensitive corporate docs.txt

Question 3

Kayden successfully cracked the final round of interviews at an organization. After a few days, he
received his offer letter through an official company email address. The email stated that the
selected candidate should respond within a specified time. Kayden accepted the opportunity and
provided an e-signature on the offer letter, then replied to the same email address. The company
validated the e-signature and added his details to their database. Here, Kayden could not deny the
company's message, and the company could not deny Kayden's signature.
Which of the following information security elements was described in the above scenario?

Accepted Answer

B

Explanation: The correct answer is B, as it describes the information security element that was described in the above scenario. Non-repudiation is an information security element that ensures that a party cannot deny sending or receiving a message or performing an action. In the above scenario, non-repudiation was described, as Kayden could not deny company’s message, and company could not deny Kayden’s signature. Option A is incorrect, as it does not describe the information security element that was described in the above scenario. Availability is an information security element that ensures that authorized users can access and use information and resources when needed. In the above scenario, availability was not described, as there was no mention of access or use of information and resources. Option C is incorrect, as it does not describe the information security element that was described in the above scenario. Integrity is an information security element that ensures that information and resources are accurate and complete and have not been modified by unauthorized parties. In the above scenario, integrity was not described, as there was no mention of accuracy or completeness of information and resources. Option D is incorrect, as it does not describe the information security element that was described in the above scenario. Confidentiality is an information security element that ensures that information and resources are protected from unauthorized access and disclosure. In the above scenario, confidentiality was not described, as there was no mention of protection or disclosure of information and resources. Reference: , Section 3.1

Question 4

An MNC hired Brandon, a network defender, to establish secured VPN communication between the
company's remote offices. For this purpose, Brandon employed a VPN topology where all the remote
offices communicate with the corporate office but communication between the remote offices is
denied.
Identify the VPN topology employed by Brandon in the above scenario.

Accepted Answer

C

Explanation: A hub-and-spoke VPN topology is a type of VPN topology where all the remote offices communicate with the corporate office, but communication between the remote offices is denied. The corporate office acts as the hub, and the remote offices act as the spokes. This topology reduces the number of VPN tunnels required and simplifies the management of VPN policies. A point-to-point VPN topology is a type of VPN topology where two endpoints establish a direct VPN connection. A star topology is a type of VPN topology where one endpoint acts as the central node and connects to multiple other endpoints. A full-mesh VPN topology is a type of VPN topology where every endpoint connects to every other endpoint.

Question 5

A software company is developing a new software product by following the best practices for secure
application development. Dawson, a software analyst, is checking the performance of the application
on the client's network to determine whether end users are facing any issues in accessing the
application.
Which of the following tiers of a secure application development lifecycle involves checking the
performance of the application?

Accepted Answer

B

Explanation: The testing tier of a secure application development lifecycle involves checking the performance of the application on the client’s network to determine whether end users are facing any issues in accessing the application. Testing is a crucial phase of software development that ensures the quality, functionality, reliability, and security of the application. Testing can be done manually or automatically using various tools and techniques, such as unit testing, integration testing, system testing, regression testing, performance testing, usability testing, security testing, and acceptance testing

Question 6

Andre, a security professional, was tasked with segregating the employees' names, phone numbers,
and credit card numbers before sharing the database with clients. For this purpose, he implemented
a deidentification technique that can replace the critical information in database fields with special
characters such as asterisks (*) and hashes (#).
Which of the following techniques was employed by Andre in the above scenario?

Accepted Answer

B

Explanation: Masking is the technique that Andre employed in the above scenario. Masking is a deidentification technique that can replace the critical information in database fields with special characters such as asterisks (*) and hashes (#). Masking can help protect sensitive data from unauthorized access or disclosure, while preserving the format and structure of the original data . Tokenization is a deidentification technique that can replace the critical information in database fields with random tokens that have no meaning or relation to the original data. Hashing is a deidentification technique that can transform the critical information in database fields into fixed-length strings using a mathematical function. Bucketing is a deidentification technique that can group the critical information in database fields into ranges or categories based on certain criteria.

Question 7

in a security incident, the forensic investigation has isolated a suspicious file named
"security_update.exe". You are asked to analyze the file in the Documents folder of the "Attacker
Machine-1" to determine whether it is malicious. Analyze the suspicious file and identify the
malware signature. (Practical Question)

Accepted Answer

A

Explanation: Stuxnet is the malware signature of the suspicious file in the above scenario. Malware is malicious software that can harm or compromise the security or functionality of a system or network. Malware can include various types, such as viruses, worms, trojans, ransomware, spyware, etc. Malware signature is a unique pattern or characteristic that identifies a specific malware or malware family. Malware signature can be used to detect or analyze malware by comparing it with known malware signatures in databases or repositories. To analyze the suspicious file and identify the malware signature, one has to follow these steps: Navigate to Documents folder of Attacker Machine-1. Right-click on security_update.exe file and select Scan with VirusTotal option. Wait for VirusTotal to scan the file and display the results. Observe the detection ratio and details. The detection ratio is 59/70, which means that 59 out of 70 antivirus engines detected the file as malicious. The details show that most antivirus engines detected the file as Stuxnet, which is a malware signature of a worm that targets industrial control systems (ICS). Stuxnet can be used to sabotage or damage ICS by modifying their code or behavior. Therefore, Stuxnet is the malware signature of the suspicious file. KLEZ is a malware signature of a worm that spreads via email and network shares. KLEZ can be used to infect or overwrite files, disable antivirus software, or display fake messages. ZEUS is a malware signature of a trojan that targets banking and financial systems. ZEUS can be used to steal or modify banking credentials, perform fraudulent transactions, or install other malware. Conficker is a malware signature of a worm that exploits a vulnerability in Windows operating systems. Conficker can be used to create a botnet, disable security services, or download other malware

Question 8

Riley sent a secret message to Louis. Before sending the message, Riley digitally signed the message
using his private key. Louis received the message, verified the digital signature using the
corresponding key to ensure that the message was not tampered during transit.
Which of the following keys did Louis use to verify the digital signature in the above scenario?

Accepted Answer

A

Explanation: Riley’s public key is the key that Louis used to verify the digital signature in the above scenario. A digital signature is a cryptographic technique that verifies the authenticity and integrity of a message or document. A digital signature is created by applying a hash function to the message or document and then encrypting the hash value with the sender’s private key. A digital signature can be verified by decrypting the hash value with the sender’s public key and comparing it with the hash value of the original message or document . Riley’s public key is the key that corresponds to Riley’s private key, which he used to sign the message. Louis’s public key is the key that corresponds to Louis’s private key, which he may use to encrypt or decrypt messages with Riley. Louis’s private key is the key that only Louis knows and can use to sign or decrypt messages. Riley’s private key is the key that only Riley knows and can use to sign or encrypt messages.

Question 9

Elliott, a security professional, was appointed to test a newly developed application deployed
over an organizational network using a Bastion host. Elliott initiated the process by configuring the
nonreusable bastion host. He then tested the newly developed application to identify the presence
of security flaws that were not yet known; further, he executed services that were not secure.
identify the type of bastion host configured by Elliott in the above scenario.

Accepted Answer

D

Explanation: Non-routing dual-homed hosts are the type of bastion hosts configured by Elliott in the above scenario. A bastion host is a system or device that is exposed to the public internet and acts as a gateway or a proxy for other systems or networks behind it. A bastion host can be used to provide an additional layer of security and protection for internal systems or networks from external threats and attacks . A bastion host can have different types based on its configuration or functionality. A non- routing dual-homed host is a type of bastion host that has two network interfaces: one connected to the public internet and one connected to the internal network. A non-routing dual-homed host does not allow any direct communication between the two networks and only allows specific services or applications to pass through it . A non-routing dual-homed host can be used to isolate and secure internal systems or networks from external access . In the scenario, Elliott was appointed to test a newly developed application deployed over an organizational network using a bastion host. Elliott initiated the process by configuring the non-reusable bastion host. He then tested the newly developed application to identify the presence of security flaws that were not yet known; further, he executed services that were not secure. This means that he configured a non-routing dual-homed host for this purpose. An external services host is a type of bastion host that provides external services, such as web, email, FTP, etc., to the public internet while protecting internal systems or networks from direct access . A victim machine is not a type of bastion host, but a term that describes a system or device that has been compromised or infected by an attacker or malware . A one-box firewall is not a type of bastion host, but a term that describes a firewall that performs both packet filtering and application proxy functions in one device .

Question 10

Anderson, a security engineer, was Instructed to monitor all incoming and outgoing traffic on the
organization's network to identify any suspicious traffic. For this purpose, he employed an analysis
technique using which he analyzed packet header fields such as IP options, IP protocols, IP
fragmentation flags, offset, and identification to check whether any fields are altered in transit.
Identify the type of attack signature analysis performed by Anderson in the above scenario.

Accepted Answer

D

Explanation: Content-based signature analysis is the type of attack signature analysis performed by Anderson in the above scenario. Content-based signature analysis is a technique that analyzes packet header fields such as IP options, IP protocols, IP fragmentation flags, offset, and identification to check whether any fields are altered in transit. Content-based signature analysis can help detect attacks that manipulate packet headers to evade detection or exploit vulnerabilities . Context-based signature analysis is a technique that analyzes packet payloads such as application data or commands to check whether they match any known attack patterns or signatures. Atomic-signature-based analysis is a technique that analyzes individual packets to check whether they match any known attack patterns or signatures. Composite-signature-based analysis is a technique that analyzes multiple packets or sessions to check whether they match any known attack patterns or signatures.

Question 11

Rhett, a security professional at an organization, was instructed to deploy an IDS solution on their
corporate network to defend against evolving threats. For this purpose, Rhett selected an IDS
solution that first creates models for possible intrusions and then compares these models with
incoming events to make detection decisions.
Identify the detection method employed by the IDS solution in the above scenario.

Accepted Answer

C

Explanation: Anomaly detection is a type of IDS detection method that involves first creating models for possible intrusions and then comparing these models with incoming events to make a detection decision. It can detect unknown or zero-day attacks by looking for deviations from normal or expected behavior

Question 12

Nancy, a security specialist, was instructed to identify issues related to unexpected shutdown and
restarts on a Linux machine. To identify the incident cause, Nancy navigated to a directory on the
Linux system and accessed a log file to troubleshoot problems related to improper shutdowns and
unplanned restarts.
Identify the Linux log file accessed by Nancy in the above scenario.

Accepted Answer

C

Explanation: /var/log/boot.log is the Linux log file accessed by Nancy in the above scenario. Linux is an open- source operating system that logs various events and activities on the system or network. Linux log files are stored in the /var/log directory, which contains different types of log files for different purposes. /var/log/boot.log is the type of log file that records events related to the booting process of the Linux system, such as loading drivers, services, modules, etc. /var/log/boot.log can help identify issues related to unexpected shutdowns and restarts on a Linux machine . /var/log/secure is the type of log file that records events related to security and authentication, such as logins, logouts, password changes, sudo commands, etc. /var/log/kern.log is the type of log file that records events related to the kernel, such as kernel messages, errors, warnings, etc. /var/log/lighttpd/ is the directory that contains log files related to the lighttpd web server, such as access logs, error logs, etc.

Question 13

Thomas, an employee of an organization, is restricted from accessing specific websites from his office
system. He is trying to obtain admin credentials to remove the restrictions. While waiting for an
opportunity, he sniffed communication between the administrator and an application server to
retrieve the admin credentials. Identify the type of attack performed by Thomas in the above
scenario.

Accepted Answer

B

Explanation: The correct answer is B, as it identifies the type of attack performed by Thomas in the above scenario. Eavesdropping is a type of attack that involves intercepting and listening to the communication between two parties without their knowledge or consent. Thomas performed eavesdropping by sniffing communication between the administrator and an application server to retrieve the admin credentials. Option A is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Vishing is a type of attack that involves using voice calls to trick people into revealing sensitive information or performing malicious actions. Thomas did not use voice calls but sniffed network traffic. Option C is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Phishing is a type of attack that involves sending fraudulent emails or messages that appear to be from legitimate sources to lure people into revealing sensitive information or performing malicious actions. Thomas did not send any emails or messages but sniffed network traffic. Option D is incorrect, as it does not identify the type of attack performed by Thomas in the above scenario. Dumpster diving is a type of attack that involves searching through trash or discarded items to find valuable information or resources. Thomas did not search through trash or discarded items but sniffed network traffic. Reference: Section 2.2

Question 14

You are investigating a data leakage incident where an insider is suspected of using image steganography to send sensitive information to a competitor. You have also recovered a VeraCrypt volume file S3cr3t from the suspect. The VeraCrypt volume file is available In the Pictures folder of the Attacker Machined. Your task Is to mount the VeraCrypt volume, find an image file, and recover the secret code concealed in the file. Enter the code as the answer. Hint: If required, use sniffer@123 as the password to mount the VeraCrypt volume file. (Practical Question)

Accepted Answer

ANSWER: B

Explanation: Mounting the VeraCrypt Volume: Use VeraCrypt to mount the volume file S3cr3t located in the Pictures folder. The provided password sniffer@123 is required to mount the volume. Reference: VeraCrypt User Guide. Locating the Image File: After mounting the volume, browse through the files to locate the image file that may contain the secret code through steganography. Extracting the Secret Code: Use steganography tools to analyze the image file and extract the hidden secret code. Tools such as Stegsolve or Steghide can be used for this purpose. Reference: "Practical Cryptography" by Niels Ferguson. Recovering the Code: The extracted secret code from the image file is H364F9F4FD3H. The recovered secret code from the image file is H364F9F4FD3H.

Question 15

A John-the-Ripper hash dump of an FTP server’s login credentials is stored as "target-file" on the Desktop of Attacker Machine-2. Crack the password hashes in the file to recover the login credentials of the FTP server. The FTP root directory hosts an exploit file. Read the exploit file and enter the name of the exploit's author as the answer. Hint: Not all the credentials will give access to the FTP. (Practical Question)

Accepted Answer

ANSWER: D

Explanation: John-the-Ripper Usage: John-the-Ripper is a popular open-source password cracking tool used to detect weak passwords. It works by performing dictionary attacks and brute force attacks on password hashes. Reference: John the Ripper official documentation Cracking the Hashes: Load the hash file into John-the-Ripper using the command: bash Copy code john target-file John will then attempt to crack the passwords using its internal mechanisms. Accessing the FTP Server: Once the hashes are cracked, use the recovered credentials to log in to the FTP server. Not all credentials may be valid, so try each until successful access is gained. Reference: RFC 959, the standard for FTP. Reading the Exploit File: Navigate to the FTP root directory and locate the exploit file. Use a command like cat to read its contents: cat exploit-file The content of the file will include the author’s name, which is "nullsecurlty" in this scenario.

Free ECcouncil 212-82 Actual Exam Questions s