SANS (SEC504) Sample Questions


Ques 1 – What type of attack occurs when an attacker exploits a valid computer session to gain unauthorized access to information or services?

  • A. Piggybacking
  • B. Hacking
  • C. Session hijacking
  • D. Keystroke logging

Correct Answer: C

Explanation: Session hijacking is an attack where an intruder takes over a legitimate session between two entities. The attacker gains access to information or services without proper authorization by exploiting an active session. This type of attack often involves stealing session cookies or session IDs, allowing the attacker to impersonate a legitimate user.

Ques 2 – Which network worm exploits the vulnerability in the Microsoft Windows RPC sub-system?

  • A. Win32/Agent
  • B. WMA/TrojanDownloader.GetCodec
  • C. Win32/Conficker
  • D. Win32/PSW.OnLineGames

Correct Answer: C

Explanation: The Conficker worm (also known as Downadup) exploits a vulnerability in the Microsoft Windows RPC (Remote Procedure Call) sub-system. This vulnerability allows the worm to spread rapidly across networks, infecting computers by exploiting the weakness in the RPC handling code, specifically in the way Windows processes remote procedure calls. Conficker can disable security services, block access to security websites, and propagate itself via network shares and removable drives, making it a particularly destructive and widespread threat.

Ques 3 – What kind of DoS attack primarily targets Windows computers by sending corrupted UDP packets?

  • A. Fraggle
  • B. Ping flood
  • C. Bonk
  • D. Smurf

Correct Answer: C

Explanation: The Bonk DoS attack specifically targets Windows computers by sending malformed UDP packets to port 53, which is commonly used for DNS services. These corrupted packets exploit vulnerabilities in the Windows operating system, causing it to crash or become unresponsive. This attack disrupts normal network communication and can significantly impact the availability of services on the targeted computer.

Ques 4 – Which of the following is one of the most common methods of attacking in which incorrect IP addresses are distributed?

  • A. IP spoofing
  • B. Mac flooding
  • C. DNS poisoning
  • D. Man-in-the-middle

Correct Answer: C

Explanation: DNS poisoning, also known as DNS spoofing, is a common method of attack where incorrect IP addresses are distributed to DNS resolvers. The attacker manipulates DNS records so that legitimate domain names are resolved to malicious IP addresses controlled by the attacker. Users attempting to access legitimate websites are redirected to fake sites that may steal sensitive information or distribute malware. DNS poisoning can have widespread implications as it affects the entire DNS infrastructure, compromising the integrity and security of internet communications.

Ques 5 – Which scanning technique does Windows employ to inspect only RST packets, regardless of whether the port is open or closed?

  • A. TCP FIN
  • B. FTP bounce
  • C. XMAS
  • D. TCP SYN

Correct Answer: A

Explanation: The TCP FIN scanning method sends TCP packets with the FIN flag set. Windows interprets responses to these packets differently, allowing it to distinguish between open ports (which respond with RST packets) and closed ports (which do not respond or respond with other ICMP messages).

Ques 6 – Which of the following functions should be used to mitigate a command injection attack?

  • A. escapeshellarg()
  • B. escapeshellcmd()
  • C. htmlentities()
  • D. strip_tags()

Correct Answer: A, B

Explanation: escapeshellarg() and escapeshellcmd() are PHP functions used to escape special characters in command-line arguments and commands, respectively, to prevent command injection vulnerabilities.

Ques 7 – What is the best method for identifying vulnerabilities in web applications that could potentially allow attackers to infiltrate the network, as identified by the security officer at a company heavily dependent on web applications?

  • A. Manual penetration testing
  • B. Code review
  • C. Automated penetration testing
  • D. Vulnerability scanning

Correct Answer: D

Explanation: Vulnerability scanning is an automated method used to identify security vulnerabilities in software applications, including web applications. It helps detect weaknesses that could be exploited by attackers to gain unauthorized access.

Ques 8 – Which of the following attacks is specifically used for cracking a password?

  • A. PING attack
  • B. Dictionary attack
  • C. Vulnerability attack
  • D. DoS attack

Correct Answer: B

Explanation: A dictionary attack involves systematically trying all words in a predefined list (dictionary) as passwords to gain unauthorized access to a system.

Ques 9 – Which of the following statements holds TRUE regarding session hijacking?

  • A. Session hijacking is reduced when the session key is a long and random number or string.
  • B. This slows down the functioning of the victim’s network resources.
  • C. A TCP session hijack is when a hacker takes over a TCP connection between two devices.
  • D. This involves obtaining unauthorized access to data or services on a computer through the use of a valid computer session.

Correct Answer: A, C, D

Explanation: Session hijacking involves taking over a legitimate session between two entities to gain unauthorized access to data or services. The statements about a long, random session key reducing hijacking and about a TCP session hijack taking over a TCP connection between two devices are both valid.

Ques 10 – The most widely used tool for steganography is ______________________.

  • A. Image hide
  • B. Stegbreak
  • C. Snow.exe
  • D. Anti-x

Correct Answer: A, C

Explanation: Image hide and Snow.exe are tools commonly used for steganography, the practice of hiding messages or files within other non-suspicious media.

Ques 11 – Which tool combines two programs and encrypts the resulting package to tamper with an antivirus program, making it harder to detect?

  • A. Trojan Man
  • B. EliteWrap
  • C. Tiny
  • D. NetBus

Correct Answer: A

Explanation: EliteWrap is a tool that combines two programs and encrypts the resulting package to evade detection by antivirus software, making it a threat for compromising security.

Ques 12 – A Trojan has been planted on your friend Steven’s computer, and you aim to ensure it launches every time the computer restarts. Which of the provided registry entries would you modify to achieve this?

  • A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Startup
  • B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto 
  • C. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Start

Correct Answer: C

Explanation: Editing the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices allows a Trojan or any program to start automatically when the computer boots up.

Ques 13 – Which of the given tools should be used while performing a brute force attack on a remote database?

  • A. SQLBF
  • B. SQLDict
  • C. FindSA
  • D. nmap

Correct Answer: A, B, C

Explanation: SQLBF, SQLDict, and FindSA are tools specifically designed for performing brute force attacks against remote databases to guess passwords or access credentials.

Ques 14 – In the context of DNS cache poisoning, which option is specifically designed to prevent falsified DNS data from reaching Internet resolvers (clients)?

  • A. Stub resolver
  • B. BINDER
  • C. Split-horizon DNS
  • D. Domain Name System Extension (DNSSEC)

Correct Answer: D

Explanation: DNSSEC (Domain Name System Security Extensions) is designed to prevent DNS cache poisoning by providing authentication and integrity verification for DNS data, ensuring that forged DNS data doesn’t reach Internet resolvers.

Ques 15 – Adam, a malicious hacker, is focused on performing a comprehensive scan of a remote target without needing to remain stealthy. Which type of scan would offer the highest accuracy and reliability in this scenario?

  • A. UDP scan
  • B. TCP Connect scan
  • C. ACK scan
  • D. FIN scan

Correct Answer: B

Explanation: A TCP Connect scan establishes a full TCP connection with the target, providing the most accurate and reliable information about open ports and services.

Ques 16 – What is the term used for a computer worm that slows down general Internet traffic and leads to a denial of service on some Internet hosts?

  • A. Klez
  • B. Code red
  • C. SQL Slammer
  • D. Beast

Correct Answer: C

Explanation: SQL Slammer is a computer worm known for its rapid spread and causing a denial of service (DoS) by overwhelming networks with traffic, significantly slowing down general Internet traffic.

Ques 17 – Which of the following is the main objective of the incident handling team?

  • A. Freezing the scene.
  • B. Repairing any damage caused by an incident.
  • C. Prevent any further damage.
  • D. Informing higher authorities.

Correct Answer: A, B, C

Explanation: The primary goals of an incident handling team include freezing the scene to preserve evidence, repairing any damage caused by the incident, and preventing further damage or recurrence.

Ques 18 – Peter is working at TPT Ltd. He has been receiving ICMP packets flooding his network, but after tracing them down, he found that they originate from multiple IP addresses. Which of the following attacks is Peter facing in this case?

  • A. Syn flood
  • B. Ping storm
  • C. Smurf attack
  • D. DDOS

Correct Answer: D

Explanation: A Distributed Denial of Service (DDoS) attack floods a network with a large volume of traffic originating from multiple sources (IP addresses), overwhelming the network and causing disruption.

Ques 19 – For testing the stress of a Web server ________________ tool can be used.

  • A. Internet bots
  • B. Scripts
  • C. Anti-virus software
  • D. Spyware

Correct Answer: A, B

Explanation: Internet bots and scripts can be used to simulate high volumes of traffic to test the stress and performance limits of a Web server under load.

Ques 20 – Which of the following tools is used by a local system to download the Web pages of Websites?

  • A. wget
  • B. jplag
  • C. Nessus
  • D. Ettercap

Correct Answer: A

Explanation: wget is a command-line tool commonly used to download web pages and files from the internet onto a local system for offline viewing or archival purposes.
