Questions and Answers 5

Written by Pavs on September 1st, 2007

Question 1: During a penetration test, you found several systems connected to the Internet that have a low security level, which allows for the free recording of cookies. This creates a risk because cookies locally store which of the following?

A. Information about the web server

B. Information about the user

C. Information for the Internet connection

D. Specific Internet pages

Answer 1: B. A cookie file resides on a client system and can contain data passed from websites so that those websites can communicate with this file when the same client returns. Cookie files have caused some issues with respect to privacy because they can be used with form authentication and they can contain passwords. Answers A, C, and D are incorrect. Even though they all relate to a cookie, they do not specifically address the security risks to the user.
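Because a cookie carries user data, a reviewer wants to know what stops it from being recorded or replayed freely. The following is an added example (not part of the original post) that parses Set-Cookie headers and flags the attributes whose absence is usually the problem. The three header values are constructed sample input.

```javascript
// Added example: audit Set-Cookie headers for the attributes that limit how
// freely a cookie holding user data can be recorded or replayed.
// The header values below are constructed samples, not captured traffic.

const SAMPLE_HEADERS = [
  'session=abc123; Path=/',                                // weak: no Secure/HttpOnly/SameSite
  'prefs=lang%3Den; Path=/; Max-Age=31536000',              // long-lived, still unprotected
  'sid=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Strict',  // hardened
];

// Parse one Set-Cookie header into { name, value, attrs }, where attrs maps
// lower-cased attribute names to their values (or true for flag attributes).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the findings for one cookie; an empty list means nothing to report.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) {
    findings.push(`${name}: missing Secure (cookie is also sent over plaintext HTTP)`);
  }
  if (!attrs.httponly) {
    findings.push(`${name}: missing HttpOnly (cookie is readable by page scripts)`);
  }
  if (!attrs.samesite) {
    findings.push(`${name}: missing SameSite (cookie rides along on cross-site requests)`);
  }
  return findings;
}

// Audit a whole set of response headers at once.
function auditAll(headers) {
  return headers.flatMap(auditCookie);
}

console.log(auditAll(SAMPLE_HEADERS).join('\n'));
```

The audit reports three findings each for the first two cookies and none for the third; in a real assessment the headers would come from the responses captured during the test rather than from the array above.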

Question 2: You have been asked to analyze the following portion of a web page:

<!-- Begin
function Login() {
  var done = 0;
  var username = document.login.username.value;
  username = username.toLowerCase();
  var password = document.login.password.value;
  password = password.toLowerCase();
  // The expected credentials are compared in the browser, so they are visible in the page source.
  if (username == "customer" && password == "solutions") {
    window.location = "customer.html";
    done = 1;
  }
  if (done == 0) { alert("Invalid login!"); }
}
// End -->

What do you surmise?

A. This is part of a web script that is used for PKI authentication.

B. This is part of a web script for a customer solutions page.

C. This is part of a web script that uses an insecure authentication mechanism.

D. You see no problems with the script as written.

Answer 2: C. This script is insecure because it allows anyone with a username of customer and a password of solutions to access the customer.html web page. Anyone reading the source code could determine this information. Answer A is incorrect because no PKI is used here, only security by obscurity. Answer B is incorrect because it is part of a page for authenticating users. Answer D is incorrect because there are problems, as anyone viewing the source code can see the username and password in clear text.

Question 3: While performing a penetration test for an ISP that provides Internet connection services to airports for their wireless customers, you have been presented with the following issues: The ISP uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology to protect the airports' end users' authentication and payment transactions. Which of the following are you most concerned about?

A. If a hacker were to compromise the Wireless Application Protocol (WAP) gateway

B. If a hacker installed a sniffing program in front of the server

C. If a hacker stole a user’s laptop at the security checkpoint

D. If a hacker sniffed the wireless transmission

Answer 3: A. The WAP gateway is a critical junction because encrypted messages from end customers must be decrypted there for transmission to the Internet. If the hacker could compromise the gateway, all the data traffic would be exposed. WTLS provides authentication, privacy, and integrity; SSL protects users from sniffing attacks on the Internet, which limits disclosure of the customer's information. Answer B is incorrect, as sniffing in front of the server would only yield encrypted traffic. Answer C is incorrect, as the laptop would not be useful without a username and password. Answer D is incorrect, as the wireless transmission is encrypted.

Question 4: Peter has successfully stolen the SAM from a system he has been examining for several days. Here is the output:

Administrator:1008:6145CBC5A0A3E8C6AAD3B435B51404EE
Donald:1000:16AC416C2658E00DAAD3B435B51404EE
Tony:1004:AA79E536EDFC475E813EFCA2725F52B0
Chris:0:A00B9194BEDB81FEAAD3B435B51404EE
George:1003:6ABB219687320CFFAAD3B435B51404EE
Billy:500:648948730C2D6B9CAAD3B435B51404EE:

From the preceding list, identify the user with Administrator privileges.

A. Administrator

B. Donald

C. Chris

D. Billy

Answer 4: D. The true administrator account has a RID of 500. Therefore, answers A, B, and C are incorrect.
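The lesson of this question is that the account name proves nothing; the RID does. As an added example (not part of the original post), the following parses the listing above and reports the built-in Administrator by RID, while also flagging the two things an auditor would note in this dump: an account named "Administrator" that is not RID 500, and LM hashes whose second half is the well-known value for an empty 7-byte block, which means the password is seven characters or shorter. The input is the question's listing, embedded as constructed sample data.

```javascript
// Added example: parse a pwdump-style SAM listing and identify the built-in
// Administrator by RID rather than by name. The listing is the one from the
// question, embedded here as constructed input.
const SAM_DUMP = `
Administrator:1008:6145CBC5A0A3E8C6AAD3B435B51404EE
Donald:1000:16AC416C2658E00DAAD3B435B51404EE
Tony:1004:AA79E536EDFC475E813EFCA2725F52B0
Chris:0:A00B9194BEDB81FEAAD3B435B51404EE
George:1003:6ABB219687320CFFAAD3B435B51404EE
Billy:500:648948730C2D6B9CAAD3B435B51404EE:
`;

const BUILTIN_ADMIN_RID = 500;
// LM hash half produced by an empty 7-byte block. As the second half of a
// 32-hex-digit LM hash it means the password is 7 characters or shorter.
const LM_EMPTY_HALF = 'AAD3B435B51404EE';

// Each line is name:RID:hash; a trailing colon (as on Billy's line) is tolerated.
function parseSamDump(text) {
  return text
    .split('\n')
    .map((l) => l.trim())
    .filter(Boolean)
    .map((line) => {
      const [name, rid, hash] = line.split(':');
      return { name, rid: Number(rid), lmHash: (hash || '').toUpperCase() };
    });
}

// The real administrator is whichever entry holds RID 500, whatever it is called.
function findBuiltinAdmin(entries) {
  return entries.find((e) => e.rid === BUILTIN_ADMIN_RID) || null;
}

// Audit notes for one entry; an empty list means nothing stood out.
function auditEntry(e) {
  const notes = [];
  if (e.rid === BUILTIN_ADMIN_RID && e.name !== 'Administrator') {
    notes.push(`built-in Administrator (RID 500) has been renamed to "${e.name}"`);
  }
  if (e.name === 'Administrator' && e.rid !== BUILTIN_ADMIN_RID) {
    notes.push(`"Administrator" is an ordinary account with RID ${e.rid}, not the built-in one`);
  }
  if (e.lmHash.length === 32 && e.lmHash === LM_EMPTY_HALF + LM_EMPTY_HALF) {
    notes.push('LM hash of a blank password');
  } else if (e.lmHash.length === 32 && e.lmHash.endsWith(LM_EMPTY_HALF)) {
    notes.push('LM hash with empty second half: password is 7 characters or fewer');
  }
  return notes;
}

// Run the audit over the whole dump and return name -> notes.
function auditSamDump(text) {
  const result = {};
  for (const e of parseSamDump(text)) result[e.name] = auditEntry(e);
  return result;
}

const admin = findBuiltinAdmin(parseSamDump(SAM_DUMP));
console.log('Built-in Administrator is:', admin && admin.name);
console.log(auditSamDump(SAM_DUMP));
```

Run against the listing, the parser names Billy as the built-in Administrator, flags the account called "Administrator" as an ordinary RID 1008 user, and reports short LM passwords for every account except Tony.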

Question 5: You have been asked to set up an access point and override the signal of a real access point. This way, you can capture the user’s authentication as he attempts to log in. What kind of attack is this?

A. Wardriving

B. Rogue access point

C. Denial of service

D. Bluejacking

Answer 5: B. The most common definition of a rogue access point is an access point that was set up without permission from the network owners to allow individuals to capture users' wireless MAC addresses. Answer A is incorrect because wardriving is the act of searching for wireless access points. Answer C is incorrect, as the purpose of a DoS is specifically to deny service, not to capture information. Answer D is incorrect because Bluejacking involves Bluetooth connections.
