Question 1

You want to connect to your friend's computer and run a Trojan on it. Which of the following tools will you use to accomplish the task?

Accepted Answer

C

Explanation: PsExec is a command-line tool from the Microsoft Sysinternals suite designed to execute processes on remote systems. It is a legitimate administration utility that functions as a lightweight telnet replacement. An attacker with appropriate credentials for a target machine can use PsExec to connect to it over the network (via the SMB protocol) and remotely launch any executable, such as a Trojan. This capability makes it a common tool for lateral movement and remote code execution during penetration tests without requiring prior installation of client software on the target.

Question 2

Which protocol would need to be available on a target in order for Nmap to identify services like IMAPS and POP3S?

Accepted Answer

D

Explanation: Nmap's service and version detection (-sV) identifies services like IMAPS and POP3S by initiating a cryptographic handshake. These services are standard application protocols (IMAP, POP3) tunneled over a security layer. The modern and standard protocol for this security layer is Transport Layer Security (TLS). Nmap sends a TLS "ClientHello" probe to the target port. By analyzing the server's response, specifically the "ServerHello" message and the digital certificate presented, Nmap can accurately identify the underlying service (e.g., IMAP, POP3) running over the TLS-encrypted channel.

Question 3

Which of the following vulnerability scanner scans from CGI, IDA, Unicode, and Nimda vulnerabilities?

Accepted Answer

A

Explanation: Hackbot was a simple, automated Perl script scanner that became prevalent in the early 2000s. It was specifically designed to scan IP address ranges for a narrow set of well-known Microsoft Internet Information Services (IIS) vulnerabilities. Its primary checks included the Unicode directory traversal vulnerability, the .ida/.idq vulnerability (exploited by the Code Red worm), and other CGI-related weaknesses. The Nimda worm exploited several of these same vulnerabilities, making Hackbot a common tool used by attackers to find systems susceptible to Nimda and similar threats of that era.

Question 4

Which of the following Web attacks is performed by manipulating codes of programming languages such as SQL, Perl, Java present in the Web pages?

Accepted Answer

D

Explanation: A code injection attack is a general class of vulnerability where an attacker supplies untrusted input to a program, which is then executed or interpreted as part of a command or query. The question specifically mentions manipulating the code of languages like SQL, Perl, and Java. This directly describes code injection, where the injected data is code written in one of these languages. The vulnerable application mistakenly processes this input as executable code, leading to unauthorized actions. This category includes more specific attacks like SQL injection and server-side code injection involving languages like Perl or Java.

Question 5

You work as a Web developer in the IBM Inc. Your area of proficiency is PHP. Since you have proper
knowledge of security, you have bewared from rainbow attack. For mitigating this attack, you design
the PHP code based on the following algorithm:
key = hash(password + salt)
for 1 to 65000 do
key = hash(key + salt)
Which of the following techniques are you implementing in the above algorithm?

Accepted Answer

A

Explanation: The algorithm described implements key strengthening, also known as key stretching. This technique makes a potentially weak key, such as a user's password, more secure by feeding it into a computationally intensive algorithm. The for loop, which iterates 65,000 times, deliberately slows down the process of generating the final hash. This significantly increases the time and computational resources required for an attacker to conduct offline brute-force or dictionary attacks, even if the salt and the final hash value are compromised. While the process uses hashing and salting, the core technique defined by the iterative loop is key strengthening.

Question 6

You work as a Network Penetration tester in the Secure Inc. Your company takes the projects to test
the security of various companies. Recently, Secure Inc. has assigned you a project to test the
security of a Web site. You go to the Web site login page and you run the following SQL query:
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = '[email protected]'; DROP TABLE members; --'
What task will the above SQL query perform?

Accepted Answer

B

Explanation: The provided SQL string is a classic example of an SQL injection attack utilizing "stacked queries." The semicolon (;) is used to terminate the initial SELECT statement and begin a new, malicious one: DROP TABLE members. This second command instructs the database to delete the entire members table, including its structure and all contained data. The double-hyphen (--) at the end acts as a comment, neutralizing any subsequent characters from the original server-side query (like a closing single quote), thus preventing a syntax error and ensuring the malicious command executes successfully.

Question 7

Which of the following tools is spyware that makes Windows clients send their passwords as clear text?

Accepted Answer

D

Explanation: C2MYAZZ is a well-known piece of spyware that modifies a specific registry key on Windows clients: HKEYLOCALMACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword. By setting the value of this key to 1, it reconfigures the system's SMB redirector (the LanmanWorkstation service) to permit the sending of passwords in clear text. When the compromised client attempts to connect to a malicious SMB server that requests plaintext authentication, the client will comply, exposing the user's credentials to network sniffing.

Question 8

You want to search the Apache Web server having version 2.0 using google hacking. Which of the following search queries will you use?

Accepted Answer

B

Explanation: The default installation or test page for the Apache HTTP Server version 2.x series characteristically contains the exact phrase "It worked!". Combining this string with a common page title, such as intitle:"Test Page for Apache Installation", creates a highly specific and effective Google Hacking query. This "dork" precisely targets the unique content of the default welcome page generated by many common distributions of Apache 2.0, allowing an attacker to easily enumerate potentially unconfigured or forgotten servers.

Question 9

Which of the following is the most common method for an attacker to spoof email?

Accepted Answer

D

Explanation: An open relay is an SMTP server misconfigured to accept and forward email from any IP address to any recipient. Attackers exploit this vulnerability to send spoofed emails because the server does not authenticate the sender's identity. The attacker can specify any address in the MAIL FROM command of the SMTP transaction, effectively forging the sender's identity. This method obscures the true origin of the email, making it a historically common and effective technique for distributing spam, phishing, and malware while bypassing IP-based reputation filters.

Question 10

Which of the following tools is used to verify the network structure packets and confirm that the packets are constructed according to specification?

Accepted Answer

C

Explanation: The Snort decoder is the component within the Snort architecture specifically responsible for processing packets captured from the network. Its primary function is to parse the various protocol layers of each packet, such as Ethernet (Layer 2), IP (Layer 3), and TCP/UDP (Layer 4). During this decoding process, it verifies that the packet's structure, headers, and fields conform to the relevant protocol specifications (e.g., RFCs). It identifies anomalies, malformed packets, and other structural irregularities before passing the normalized data to the preprocessors and the detection engine for further analysis. This makes it the correct tool for verifying packet structure against specifications.

Question 11

John works as a Penetration Tester in a security service providing firm named you-are-secure Inc.
Recently, John's company has got a project to test the security of a promotional Website
www.missatlanta.com and assigned the pen-testing work to John. When John is performing
penetration testing, he inserts the following script in the search box at the company home page:

After pressing the search button, a pop-up box appears on his screen with the text - "Hi, John."
Which of the following attacks can be performed on the Web site tested by john while considering
the above scenario?

Accepted Answer

D

Explanation: The scenario describes a Reflected Cross-Site Scripting (XSS) attack. The tester, John, injects a JavaScript payload into a search field. The web application insecurely includes this script in the immediate response without proper validation or output encoding. When John's browser receives the response, it executes the script because it trusts the content coming from the server. The appearance of the alert box confirms that the application is vulnerable to executing arbitrary client-side scripts within the context of a user's browser session. This vulnerability could be exploited to steal session cookies, deface the site, or redirect users to malicious pages.

Question 12

Which of the following can be used as a countermeasure against the SQL injection attack? Each correct answer represents a complete solution. Choose two.

Accepted Answer

A, B

Explanation: Prepared statements (also known as parameterized queries) are the most effective and recommended countermeasure against SQL injection. This method separates the SQL logic from the data. The database engine is sent the query template first and then the user-supplied parameters, ensuring the parameters are treated strictly as data and not as executable SQL code. The mysqlrealescapestring() function is a valid, though now deprecated, defense mechanism. It works by escaping special characters (e.g., \x00, 
, , ', ", \x1a) within user-provided strings before the string is used in a SQL query, preventing them from being misinterpreted by the database as control characters or delimiters.

Question 13

Analyze the output of the two commands below: https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/GIAC_GPEN/page_45_img_1.jpg Which of the following can be factually inferred from the results of these commands?

Accepted Answer

B

Explanation: The first command is a standard UDP-based traceroute. It successfully identifies the first two hops but then times out for all subsequent probes. A UDP traceroute relies on the final destination host returning an ICMP "Port Unreachable" message to signal that the trace is complete. The repeated timeouts ( ) indicate this message is not being received. The second command is an ICMP-based traceroute (-I), which successfully completes and identifies the destination host 10.63.104.1. This confirms that a network path exists and that the host is responsive to ICMP Echo Requests. The combination of these two results leads to the inference that the host 10.63.104.1 is receiving the UDP packets from the first traceroute but is configured (likely via a firewall) not to send a response. This action is known as silently dropping packets.

Question 14

You run the following bash script in Linux:
for i in 'cat hostlist.txt' ;do nc -q 2 -v $i 80 < request.txt done where, hostlist.txt file contains the list of
IP addresses and request.txt is the output file.
Which of the following tasks do you want to perform by running this script?

Accepted Answer

C

Explanation: The script iterates through a list of IP addresses stored in hostlist.txt. For each IP address ($i), it uses Netcat (nc) to establish a connection to port 80. The < request.txt part redirects the content of request.txt (presumably a valid HTTP request like GET / HTTP/1.0) to the server. The -v (verbose) flag ensures that the response from the server is printed to standard output. This response from a web server on port 80 includes HTTP headers containing version and server type information, a process known as banner grabbing. The -q 2 option ensures the connection closes 2 seconds after the request is sent.

Question 15

Peter, a malicious hacker, obtains e-mail addresses by harvesting them from postings, blogs, DNS
listings, and Web pages. He then sends large number of unsolicited commercial e-mail (UCE)
messages on these addresses. Which of the following e-mail crimes is Peter committing?

Accepted Answer

B

Explanation: The scenario describes the act of sending a large volume of Unsolicited Commercial E-mail (UCE) to a list of harvested email addresses. This is the precise definition of e-mail spam. The key elements that identify the activity as spam are the unsolicited nature of the messages, their commercial content, and the bulk distribution method to a wide audience. The initial step of harvesting email addresses from public sources is a common precursor to a spam campaign.

Free GIAC GPEN Actual Exam Questions