GIAC-GPEN

If the privacy bit is set in the 802.11 header, what does it indicate?

You are pen testing a network and have shell access to a machine via Netcat. You try to use ssh to access another machine from the first machine. What is the expected result?

A pen tester is able to pull credential information from memory on a Windows system. Based on the command and output below, what advantage does this technique give a penetration tester when trying to access another windows system on the network?

During a penetration test you discover a valid set of SSH credentials to a remote system. How can this be used to your advantage in a Nessus scan?

You've been contracted by the owner of a secure facility to try and break into their office in the middle of the night. Your client requested photographs of any sensitive information found as proof of your accomplishments. The job you've been hired to perform is an example of what practice?

What is the purpose of die following command:nc.exe -I -p 2222 -e cmd.exe

A tester has been contracted to perform a penetration test for a corporate client. The scope of the test is limited to end-user workstations and client programs only.Which of die following actions is allowed in this test?

Analyze the command output below. What action is being performed by the tester?

A penetration tester used a client-side browser exploit from metasploit to get an unprivileged shell prompt on the target Windows desktop. The penetration tester then tried using the getsystem command to perform a local privilege escalation which failed. Which of the following could resolve the problem?

Analyze the screenshot below. What event is depicted?

Analyze the excerpt from a packet capture between the hosts 192.168.116.9 and 192.168.116.101. What factual conclusion can the tester draw from this output?

What is the main difference between LAN MAN and NTLMv1 challenge/responses?

You have been contracted to penetration test an e-mail server for a client that wants to know for sure if the sendmail service is vulnerable to any known attacks.You have permission to run any type of test, how will you proceed to give the client the most valid answer?

Analyze the screenshot below, which of the following sets of results will be retrieved using this search?

Which protocol would need to be available on a target in order for Nmap to identify services like IMAPS and POP3S?

What is the sequence in which packets are sent when establishing a connection to a secured network?

You work as a professional Ethical Hacker. You are assigned a project to perform blackhat testing on www.we-are-secure.com. You visit the office of we-are- secure.com as an air-condition mechanic. You claim that someone from the office called you saying that there is some fault in the air-conditioner of the server room. After some inquiries/arguments, the Security Administrator allows you to repair the air-conditioner of the server room.When you get into the room, you found the server is Linux-based. You press the reboot button of the server after inserting knoppix Live CD in the CD drive of the server. Now, the server promptly boots backup into Knoppix. You mount the root partition of the server after replacing the root password in the /etc/shadow file with a known password hash and salt. Further, you copy the netcat tool on the server and install its startup files to create a reverse tunnel and move a shell to a remote server whenever the server is restarted. You simply restart the server, pull out the Knoppix Live CD from the server, and inform that the air-conditioner is working properly.After completing this attack process, you create a security auditing report in which you mention various threats such as social engineering threat, boot from LiveCD, etc. and suggest the countermeasures to stop booting from the external media and retrieving sensitive data. Which of the following steps have you suggested to stop booting from the external media and retrieving sensitive data with regard to the above scenario?Each correct answer represents a complete solution. Choose two.

Which of the following tools is used for vulnerability scanning and calls Hydra to launch a dictionary attack?

Which of the following attacks allows an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether?

Which of the following vulnerability scanner scans from CGI, IDA, Unicode, and Nimda vulnerabilities?

Which of the following is a tool for SSH and SSL MITM attacks?

When you conduct the XMAS scanning using Nmap, you find that most of the ports scanned do not give a response. What can be the state of these ports?