You have successfully run a buffer overflow attack against a default IIS installation running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the actions you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following options would be your current privileges?
D. Whatever account IIS was installed with
If you manage to get the system to start a shell for you, that shell inherits the token of the IIS process that spawned it, and on a default Windows 2000 installation that process runs as LOCAL_SYSTEM.
You wish to determine the operating system and type of web server being used. At the same time you wish to arouse no suspicion within the target organization.
While some of the methods listed below work, which holds the least risk of detection?
A. Make some phone calls and attempt to retrieve the information using social engineering.
B. Use nmap in paranoid mode and scan the web server.
C. Telnet to the web server and issue commands to elicit a response.
D. Use the Netcraft web site to look up the target organization's web site.
Netcraft provides research data and analysis on many aspects of the Internet. Netcraft has surveyed the Internet since 1995 and is a respected authority on the market share of web servers, operating systems, hosting providers, ISPs, encrypted transactions, electronic commerce, scripting languages and content technologies on the Internet. Because the query goes to Netcraft and never to the target, it leaves nothing in the target's logs, which is why it carries the least risk of detection.
Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACLs (access control lists) on files or folders and that can also be used within batch files.
Which of the following tools can be used for that purpose? (Choose the best answer)
Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign, display, or modify ACLs (access control lists) on files or folders. Cacls is an interactive tool, and since it is a command-line utility, you can also use it in batch files.
Which of the following buffer overflow exploits are related to Microsoft IIS web server? (Choose three)
A. Internet Printing Protocol (IPP) buffer overflow
B. Code Red Worm
C. Indexing services ISAPI extension buffer overflow
D. NeXT buffer overflow
The Internet Printing Protocol (IPP) ISAPI extension buffer overflow is described in Microsoft Security Bulletin MS01-023; the Index Server ISAPI extension (idq.dll) buffer overflow is described in MS01-033. The Code Red worm was a computer worm released on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server by exploiting the Index Server ISAPI overflow.
On a default installation of Microsoft IIS web server, under which privilege does the web server software execute?
If not changed during the installation, IIS executes as Local System, with far higher privileges than a web server needs.
You are gathering competitive intelligence on XYZ.com. You notice that they have jobs listed on a few Internet job-hunting sites. There are two job postings for network and system administrators. How can this help you in footprinting the organization?
A. The IP range used by the target network
B. An understanding of the number of employees in the company
C. How strong the corporate security policy is
D. The types of operating systems and applications being used.
Job posting descriptions list the skills, technical knowledge and system experience required for the role, so from them one can infer what kind of operating systems and applications the target organization is running.
What are the three phases involved in security testing?
Preparation phase – A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and the time window for testing. Conduct phase – In this phase the penetration test is executed, with the tester looking for potential vulnerabilities. Conclusion phase – The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised.
You visit a website to retrieve the listing of a company's staff members, but you cannot find it on the website. You know the listing was certainly present one year before. How can you retrieve information from the outdated website?
A. Through Google searching cached files
B. Through Archive.org
C. Download the website and crawl it
D. Visit customers' and partners' websites
Archive.org mirrors websites and categorizes the snapshots by date and month depending on the crawl time; its archive dates back to 1996. Google is incorrect because its cache is only as recent as the latest crawl and is overwritten on each subsequent crawl, so a page removed a year ago is gone from it. Downloading the website is incorrect because that gives you exactly what you already see online. Visiting customers' and partners' websites is just bogus. The answer is therefore B, Archive.org.
You work as security technician at XYZ.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation?
A. Use mget to download all pages locally for further inspection.
B. Use wget to download all pages locally for further inspection.
C. Use get* to download all pages locally for further inspection.
D. Use get() to download all pages locally for further inspection.
Wget is a utility used for mirroring websites. get* does not work: for the actual FTP command to work there needs to be a space between get and * (i.e. get *). get() is just bogus; that is a C function, and written 100% wrong. mget is a command used from within ftp itself, ruling out A. Which leaves B, use wget, which is designed for mirroring and downloading files, especially web pages. Used with the -r (recursive) option (i.e. wget -r http://www.XYZ.com) it mirrors a site, all except protected portions of course.
Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP. It can be used to make mirrors of archives and home pages and works in the background, so a download can continue after you have logged off.
This packet was taken from a packet sniffer that monitors a Web server.
This packet was originally 1514 bytes long, but only the first 512 bytes are shown here. This is the standard hexdump representation of a network packet, before being decoded. A hexdump has three columns: the offset of each line, the hexadecimal data, and the ASCII equivalent. This packet contains a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header, an HTTP header block ending in an empty line (two CR LF sequences, 0D 0A 0D 0A) and then the data. By examining the packet, identify the name and version of the Web server.
A. Apache 1.2
B. IIS 4.0
C. IIS 5.0
D. Linux WServer 2.3
We see that the server is Microsoft, but the exam designer did not want to make it easy for you, so they blanked out the "IIS 4.0" in the ASCII column. The key is in line 0B0, as you see:
0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft
49 is I, and it appears twice, so we get II; 53 is S, so we get IIS; 2F is a forward slash (/); 34 is 4; 2E is a period; 30 is 0. So the bytes spell Microsoft-IIS/4.0.
The answer is B
If you do not remember the ASCII hex-to-character table, there are enough characters and numbers already converted in the dump. For example, line 050 has STRIDER, which is 53 54 52 49 44 45 52, and that gives you the conversion for the I and S characters (49 and 53).
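The manual walk through the dump above can be automated. The following is an added example, not code from the original page: it parses a three-column hex dump back into bytes, walks the Ethernet, IPv4 and TCP headers using the IHL and data-offset fields (rather than assuming 20 bytes each, so IP or TCP options do not shift the offsets), and pulls the Server header out of the HTTP response. The frame it decodes is constructed in the code itself, not the capture from the question, so the "Microsoft-IIS/4.0" string lands at a different offset than 0B0.

```python
"""Decode an Ethernet/IPv4/TCP frame far enough to read the HTTP Server banner.

Added example; the frame used is constructed here, not a real capture.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump(data, width=16):
    """Render bytes as '<offset> <hex bytes> <ascii>' lines, like the question."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02X" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%03X %-*s %s" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


def parse_hexdump(text, width=16):
    """Turn a three-column hex dump back into bytes.

    Only the hex tokens after the offset are consumed (at most `width` per
    line); the ASCII column is ignored because '.' stands for any
    non-printable byte and so is ambiguous.
    """
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        for tok in parts[1:1 + width]:
            if len(tok) == 2 and set(tok) <= HEXDIGITS:
                out.append(int(tok, 16))
            else:
                break  # first token of the ASCII column
    return bytes(out)


def decode_http_response(frame):
    """Walk Ethernet -> IPv4 -> TCP and return (status_line, headers, body)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, read from IHL
    if ip[9] != IPPROTO_TCP:
        raise ValueError("IP protocol %d is not TCP" % ip[9])
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4     # TCP header length from the data offset
    payload = tcp[data_off:]
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP header block is not complete in this packet")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def server_banner_from_hexdump(text):
    """Convenience wrapper: hex dump text in, Server header value out."""
    _, headers, _ = decode_http_response(parse_hexdump(text))
    return headers.get("server")


def build_sample_frame():
    """Constructed frame (not a real capture): Ethernet + IPv4 + TCP + HTTP."""
    http = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Tue, 20 Mar 2001 00:00:00 GMT\r\n"
            b"Server: Microsoft-IIS/4.0\r\n"
            b"Content-Type: text/html\r\n"
            b"\r\n"
            b"<html><body>STRIDER</body></html>")
    # TCP: sport 80, dport 1025, seq/ack 1, data offset 5 words, PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", 80, 1025, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    # IPv4: version 4 / IHL 5, TTL 128, protocol TCP; checksums left at zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0,
                     128, IPPROTO_TCP, 0, bytes([10, 0, 0, 80]), bytes([10, 0, 0, 1]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + http


if __name__ == "__main__":
    dump = hexdump(build_sample_frame())
    print(dump)
    print("Server:", server_banner_from_hexdump(dump))
```

Run stand-alone it prints the constructed dump and then the banner it recovered from it. Note that the banner is only as honest as the server: `Server` is a free-form header and is routinely rewritten or stripped, so treat it as a hint to be confirmed with other fingerprinting, not as proof.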