ACME corporation has decided to set up a wireless (IEEE 802.11) network in its sales branch at Tokyo and found that channels 1, 6, 9, 11 are in use by the neighboring offices. Which is the best channel they can use?
#1
Answer: D
Which Metasploit vncinject stager will allow VNC communications from the attacker to a listening port of the attacker's choosing on the victim machine?
#2
Answer: B
What is the MOST important document to obtain before beginning any penetration testing?
#3
Answer: A
While reviewing traffic from a tcpdump capture, you notice the following commands being sent from a remote system to one of your web servers:
C:\>sc \\internet.host.com create ncservice binpath= "c:\tools\nc.exe -l -p 2222 -e cmd.exe"
C:\>sc \\internet.host.com query ncservice
What is the intent of the commands?
#4
Answer: A
Which of the following best describes a client-side exploit?
#5
Answer: C
Which of the following TCP packet sequences are common during a SYN (or half-open) scan?
#6
Answer: C
Which of the following describes the direction of the challenges issued when establishing a wireless (IEEE 802.11) connection?
#7
Answer: D
You have gained shell on a Windows host and want to find other machines to pivot to, but the rules of engagement state that you can only use tools that are already available. How could you find other machines on the target network?
#8
Answer: B
A penetration tester obtains telnet access to a target machine using a captured credential. While trying to transfer her exploit to the target machine, the network intrusion detection system keeps detecting her exploit and terminating her connection. Which of the following actions will help the penetration tester transfer an exploit and compile it on the target system?
#9
Answer: D
What section of the penetration test or ethical hacking engagement final report is used to detail and prioritize the results of your testing?
#10
Answer: C
You are pen testing a Windows system remotely via a raw netcat shell. You want to quickly change directories to where the Windows operating system resides. What command could you use?
#11
Answer: D
A client with 7200 employees in 14 cities (all connected via high-speed WAN connections) has suffered a major external security breach via a desktop, which cost them more than $172,000 and the loss of a high-profile client. They ask you to perform a desktop vulnerability assessment to identify everything that needs to be patched. Using Nessus, you find tens of thousands of vulnerabilities that need to be patched. In the report you find workstations running several Windows OS versions and service pack levels, anti-virus software from multiple vendors, several major browser versions and different versions of Acrobat Reader. Which of the following recommendations should you provide with the report?
#12
Answer: A
Which Metasploit payload includes simple upload and download functionality for moving files to and from compromised systems?
#13
Answer: C
A junior penetration tester at your firm is using a non-transparent proxy for the first time to test a web server. He sees the web site in his browser but nothing shows up in the proxy. He tells you that he just installed the non-transparent proxy on his computer and didn't change any defaults. After verifying the proxy is running, you ask him to open up his browser configuration, as shown in the figure. Which of the following recommendations will correctly allow him to use the transparent proxy with his browser?
#14
Answer: A
Which of the following describe the benefits to a pass-the-hash attack over traditional password cracking?
#15
Answer: D
You are pen testing a Linux target from your Windows-based attack platform. You just moved a script file from the Windows system to the Linux target, but it will not execute properly. What is the most likely problem?
#16
Answer: B
Which of the following is the JavaScript variable used to store a cookie?
#17
Answer: C
Analyze the command output below. Given this information, which is the appropriate next step for the tester?
Starting Nmap 4.53 ( http://insecure.org ) at 2010-09-30 19:13 EDT
Interesting ports on 192.163.116.101:
PORT     STATE    SERVICE
130/tcp  filtered cisco-fna
131/tcp  filtered cisco-tna
132/tcp  filtered cisco-sys
133/tcp  filtered statsrv
134/tcp  filtered ingres-net
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  open     netbios-ssn
140/tcp  filtered emfis-data
MAC Address: 00:30:1&:B8:14:8B (Shuttle)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop
Nmap done: 1 IP address (1 host up) scanned in 1.263 seconds
#18
Answer: D
You have been contracted to map the network and try to compromise the servers for a client. Which of the following would be an example of 'scope creep' with respect to this penetration testing project?
#19
Answer: B
You are running a vulnerability scan on a remote network and the traffic is not making it to the target system. You investigate the connection issue and determine that the traffic is making it to the internal interface of your network firewall, but not making it to the external interface or to any systems outside your firewall. What is the most likely problem?
#20
Answer: C
Identify the network activity shown below:
#21
Answer: A
You have compromised a Windows workstation using Metasploit and have injected the Meterpreter payload into the svchost process. After modifying some files to set up a persistent backdoor you realize that you will need to change the modified and access times of the files to ensure that the administrator can't see the changes you made. Which Meterpreter module would you need to load in order to do this?
#22
Answer: D
How can web server logs be leveraged to perform Cross-Site Scripting (XSS)?
#23
Answer: C
What is the impact on pre-calculated Rainbow Tables of adding multiple salts to a set of passwords?
#24
Answer: B
You are done pen testing a Windows system and need to clean up some of the changes you have made. You created an account pentester on the system. What command would you use to delete that account?
#25
Answer: A
Your company has decided that the risk of performing a penetration test is too great. You would like to figure out other ways to find vulnerabilities on their systems. Which of the following is MOST likely to be a valid alternative?
#26
Answer: A
Raw netcat shells and telnet terminals share which characteristic?
#27
Answer: D
How can a non-privileged user on a Unix system determine if shadow passwords are being used?
#28
Answer: B
When DNS is being used for load balancing, why would a penetration tester choose to identify a scan target by its IP address rather than its host name?
#29
Answer: C
What problem occurs when executing the following command from within a netcat raw shell? sudo cat /etc/shadow