Question 1

You execute the following netcat command: c:	arget
c -1 -p 53 -d -e cmd.exe What action do you want to perform by issuing the above command?

Accepted Answer

D

Explanation: The command nc -l -p 53 -d -e cmd.exe configures netcat to act as a server. The -l flag puts it in listen mode. The -p 53 flag specifies that it should listen on TCP port 53. The crucial part is -e cmd.exe, which instructs netcat to execute the Windows command shell (cmd.exe) and bind its standard input and output to the network socket as soon as a client connects. This creates a "bind shell," effectively giving the connecting party remote command execution capabilities on the machine. The -d flag is a Windows-specific option to detach the process from the console, allowing it to run in the background.

Question 2

John works as a Network Administrator for We-are-secure Inc. He finds that TCP port 7597 of the
Weare- secure server is open. He suspects that it may be open due to a Trojan installed on the server.
He presents a report to the company describing the symptoms of the Trojan. A summary of the
report is given below:
Once this Trojan has been installed on the computer, it searches Notpad.exe, renames it Note.com,
and then copies itself to the computer as Notepad.exe. Each time Notepad.exe is executed, the
Trojan executes and calls the original Notepad to avoid being noticed.
Which of the following Trojans has the symptoms as the one described above?

Accepted Answer

B

Explanation: The behavior described in the report is the unique and well-documented signature of the Qaz Trojan (also known as W32.Qaz.Worm). This malware specifically targets the Notepad.exe executable. Upon infection, it renames the legitimate Notepad.exe to Note.com and then replaces the original Notepad.exe with a copy of itself. When a user launches Notepad, they are unknowingly executing the Trojan, which in turn runs the original program (Note.com) to avoid suspicion. The mention of TCP port 7597 being open further corroborates this, as it is a known port used by the Qaz Trojan for its backdoor component.

Question 3

Which of the following types of attacks come under the category of hacker attacks? Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

B, D

Explanation: NIST and university security courseware group “unauthorized-access” techniques—such as password cracking and IP (source) spoofing—under the broad class of hacker or intrusion attacks because they are used to gain illicit entry or masquerade as a trusted host. Conversely, Smurf and Teardrop are classified by CERT and NIST as denial-of-service (DoS) floods that exhaust resources rather than break authentication, so they do not fall under the “hacker-attack” category specified in the question.

Question 4

You are hired as a Database Administrator for Jennifer Shopping Cart Inc. You monitor the server
health through the System Monitor and found that there is a sudden increase in the number of
logins.
A case study is provided in the exhibit. Which of the following types of attack has occurred?
(Click the Exhibit button on the toolbar to see the case study.)

Accepted Answer

D

Explanation: A sudden and significant increase in login attempts is a primary indicator of a brute-force or credential-stuffing attack. The goal of such an attack is often to overwhelm the authentication service, consuming critical system resources like CPU cycles, memory, and network connections. This resource exhaustion prevents legitimate users from accessing the service, which is a form of a Denial-of-Service (DoS) attack. The high volume of login requests effectively denies the authentication service to authorized users.

Question 5

Peter works as a Network Administrator for the PassGuide Inc. The company has a Windows-based
network. All client computers run the Windows XP operating system. The employees of the company
complain that suddenly all of the client computers have started working slowly. Peter finds that a
malicious hacker is attempting to slow down the computers by flooding the network with a large
number of requests. Which of the following attacks is being implemented by the malicious hacker?

Accepted Answer

B

Explanation: The scenario describes an attacker "flooding the network with a large number of requests" to "slow down the computers." This is the classic definition of a Denial-of-Service (DoS) attack. The primary goal of a DoS attack is to make a machine or network resource unavailable to its intended users by overwhelming it with traffic. This consumption of resources, such as bandwidth, CPU, or memory, leads to the performance degradation observed by the employees. The attack's intent is to disrupt service, not to steal data or gain unauthorized control, which aligns perfectly with the symptoms described.

Question 6

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device
during standard layer 4 network communications. The combination of parameters may then be used
to infer the remote operating system (OS fingerprinting), or incorporated into a device fingerprint.
Which of the following Nmap switches can be used to perform TCP/IP stack fingerprinting?

Accepted Answer

C

Explanation: The Nmap -O switch is specifically designed to enable active operating system (OS) detection. This technique, a form of TCP/IP stack fingerprinting, sends a series of specially crafted TCP, UDP, and ICMP probes to the target host. Nmap then analyzes the responses, examining various parameters of the target's TCP/IP stack implementation, such as the initial TCP window size (IW), Time-To-Live (TTL), and supported TCP options. These unique characteristics are compared against the nmap-os-db database, which contains over 2,600 known OS fingerprints, to infer the remote operating system. This is the direct method within Nmap for performing the function described in the question.

Question 7

Which of the following Trojans is used by attackers to modify the Web browser settings?

Accepted Answer

A

Explanation: Win32/FlyStudio is a family of multi-component Trojans specifically designed to install adware and modify web browser settings without the user's consent. Its primary functions include changing the browser's default homepage, altering the search provider, and redirecting web traffic to malicious or ad-laden websites. This behavior is a defining characteristic of the FlyStudio malware family, making it the correct answer. The Trojan achieves persistence and carries out its functions by installing various components, including browser helper objects (BHOs) and services, to maintain control over the browser's configuration.

Question 8

Firewalking is a technique that can be used to gather information about a remote network protected
by a firewall. This technique can be used effectively to perform information gathering attacks. In this
technique, an attacker sends a crafted packet with a TTL value that is set to expire one hop past the
firewall. Which of the following are pre-requisites for an attacker to conduct firewalking?
Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

A, B, D

Explanation: Firewalking is a network reconnaissance technique used to determine the packet filtering rules of a firewall. The process involves sending a probe packet (e.g., TCP or UDP) towards a destination host behind the firewall with a Time-To-Live (TTL) value set to one greater than the hop count to the firewall itself. If the firewall allows the packet, it is forwarded to the next-hop router, where the TTL expires. This router then sends an ICMP "Time Exceeded" message back to the attacker. Receiving this message confirms the firewall rule allows that specific traffic. This process requires knowing the last gateway before the firewall (to calculate hop count), a target IP behind the firewall, and that outbound ICMP is not blocked.

Question 9

In which of the following steps of the incident handling processes does the Incident Handler make
sure that all business processes and functions are back to normal and then also wants to monitor the
system or processes to ensure that the system is not compromised again?

Accepted Answer

C

Explanation: The Recovery phase of the incident handling lifecycle is dedicated to restoring systems and services to full operational capability after a threat has been eradicated. A critical component of this phase is not only bringing systems back online but also validating their functionality to ensure business processes are normal. Furthermore, heightened monitoring is implemented during this stage to verify that the recovery was successful and to detect any signs of the system being compromised again, ensuring the threat has been fully neutralized.

Question 10

Which of the following languages are vulnerable to a buffer overflow attack? Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

B, C

Explanation: C and C++ are highly vulnerable to buffer overflow attacks. These languages provide low-level memory access via pointers and contain standard library functions (e.g., strcpy, gets, sprintf) that do not automatically perform bounds checking. This allows a program to write data beyond the allocated buffer's boundary, overwriting adjacent memory. This can corrupt data, crash the program, or, in a targeted attack, be exploited to execute arbitrary code. In contrast, managed languages like Java and ActionScript run in virtual machines that enforce memory safety, including automatic bounds checking, which prevents this class of vulnerability by throwing an exception instead of allowing memory corruption.

Question 11

You want to add a netbus Trojan in the chess.exe game program so that you can gain remote access
to a friend's computer. Which of the following tools will you use to accomplish the task?
Each correct answer represents a complete solution. Choose all that apply.

Accepted Answer

B, C

Explanation: The objective is to embed a Trojan (Netbus) within a legitimate executable (chess.exe). This process is accomplished using software utilities known as binders or wrappers. A binder combines two or more executables into a single file. When this file is executed, all bundled programs run, often with the legitimate program in the foreground and the malicious one hidden. A wrapper serves a similar purpose, often adding layers of obfuscation or encryption to evade antivirus detection. "Yet Another Binder" and "Pretator Wrapper" are well-known examples of these types of tools used for creating Trojan horses.

Question 12

Which of the following is an Internet mapping technique that relies on various BGP collectors that collect information such as routing updates and tables and provide this information publicly?

Accepted Answer

C

Explanation: AS PATH Inference is a technique used to map the internet's structure at the Autonomous System (AS) level. It functions by analyzing data from public Border Gateway Protocol (BGP) collectors, such as Route Views and RIPE RIS. These collectors peer with numerous BGP routers globally to gather routing updates and full routing tables. The core data point used is the ASPATH attribute in BGP updates, which lists the sequence of ASes a route has traversed. By aggregating and analyzing these paths from multiple vantage points, one can infer the connectivity and routing policies between different Autonomous Systems, effectively creating a map of the internet's inter-domain topology.

Question 13

Fill in the blank with the appropriate name of the attack. ______ takes best advantage of an existing authenticated connection

Accepted Answer

SESSION HIJACKING

Explanation: Session Hijacking is an attack where an adversary takes control of a valid user session. After a user authenticates and establishes a session, the attacker steals the session identifier (e.g., a session cookie). The attacker then uses this identifier to impersonate the user, gaining all the privileges associated with that authenticated session. This method directly exploits the trust established between the user and the server without needing the user's credentials, thus taking the best advantage of the existing authenticated connection.

Question 14

Fill in the blank with the correct numeric value. ARP poisoning is achieved in ______ steps.

Accepted Answer

A

Explanation: A standard ARP poisoning or ARP spoofing attack is executed in two primary steps to establish a Man-in-the-Middle (MitM) position. First, the attacker sends a forged ARP reply to the target host, falsely mapping the gateway's IP address to the attacker's MAC address. Second, the attacker sends another forged ARP reply to the gateway, falsely mapping the target host's IP address to the attacker's MAC address. This two-step process successfully poisons the ARP caches of both the target and the gateway, redirecting all their communication through the attacker's machine.

Question 15

Fill in the blank with the appropriate term. ______ is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.

Accepted Answer

INGRESS FILTERING

Explanation: Ingress filtering is a network security technique implemented on edge routers or firewalls to verify the source IP address of incoming packets. The device examines each packet and drops any that have a source address from a range that is not legitimately located on the network from which the packet was received. This practice is a fundamental defense against IP source address spoofing, a method commonly used by attackers to conceal their identity or to conduct reflection and amplification-based Denial of Service (DoS) attacks. This technique is formally documented as a Best Current Practice in IETF RFC 2827.

Free GIAC GCIH Actual Exam Questions