GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 11 of 17.
- Question #512Reconnaissance, Scanning, and Enumeration
What is a penetration tester likely to be looking to accomplish with the following screen?
version scanningservice enumerationvulnerability identificationpenetration testing - Question #513Web Application Attacks & Post-Exploitation
Which describes a Web Application Firewall?
WAFlayer 7 inspectionapplication firewallweb security controls - Question #514Malware Analysis & Advanced Persistent Threats
Which of the following is an effective method of detecting a covert communication tunnel such as ptunnel?
ICMP tunnelingptunnelcovert channel detectionnon-zero ICMP payload - Question #515Reconnaissance, Scanning, and Enumeration
Which of the following would prevent an active discovery toll like InSSIDer from detecting a wireless access point?
wireless reconnaissanceSSID cloakingInSSIDerAP beacon response - Question #516Incident Response & Cyber Kill Chain
Roman Enterprises' network perimeter and internal servers are suspected to have been compromised by an advanced attacker over a period of several weeks. Which of the following shou...
out-of-band communicationsAPT responsesecure IR communicationscompromised network - Question #517Incident Response & Cyber Kill Chain
A company's external DNS server was used by an attacker in a DDoS attack against a third party. Which of the following configurations should be changed to prevent this from happeni...
DNS amplificationrecursive DNSDDoS preventionDNS hardening - Question #518Web Application Attacks & Post-Exploitation
An attacker has gained the ability to sniff client traffic on a local subnet. Which technique would they use to cause clients to reauthenticate to internal applications in an attem...
TCP RST injectioncredential capturesession disruptionnetwork sniffing - Question #519Malware Analysis & Advanced Persistent Threats
What payload data would be difficult for an IDS/IPS signatures to analyze?
encrypted trafficSSHIDS evasionsignature analysis limitations - Question #520Incident Response & Cyber Kill Chain
What kind of topics should be addressed by the Lessons Learned report?
lessons learned reportprocess improvementincident documentationIR lifecycle - Question #521Malware Analysis & Advanced Persistent Threats
Which of the following methods is the most likely to detect a user mode rootkit?
rootkit detectionfile integrityTripwireuser mode rootkit - Question #522Malware Analysis & Advanced Persistent Threats
A user opened a PDF he downloaded from the web, that contained a URL to an executable called FreeCoupons.exe. The user downloaded and ran FreeCoupons.exe, and now that file is on t...
malware classificationworm propagationRDP brute forcesocial engineering - Question #523Reconnaissance, Scanning, and Enumeration
Which Linus command will list locally defined Windows users, groups, and SID's?
rpcclientSMB enumerationWindows usersSID enumeration - Question #524Reconnaissance, Scanning, and Enumeration
Your CIO, Thomas Fischer, has complained that vendors are cold calling him to get more information about your organization's new domain name (tvf-prod.com). You've extracted the in...
WHOISinformation disclosuredomain registrationcontact privacy - Question #525Reconnaissance, Scanning, and Enumeration
Which of the following protocol header values would indicate an IPv4 packet?
IPv4 headerspacket analysisprotocol identificationType of Service - Question #526Malware Analysis & Advanced Persistent Threats
Which of the following activities would the fast flux technique be most useful in helping a bot- herder accomplish?
fast fluxDNSbotnetphishing infrastructure - Question #527Reconnaissance, Scanning, and Enumeration
You are reviewing summarized logs from your central log server. You see a large number of packets from an internal host traveling to your primary DNS server with a destination port...
DNS zone transferTCP port 53log analysisDNS reconnaissance - Question #528Web Application Attacks & Post-Exploitation
You want to ensure that the data that is returned to your web server during an online transaction is the same data that was sent to the customer. You have found several vendors off...
reverse proxydata integrityweb server architectureMITM protection - Question #529Malware Analysis & Advanced Persistent Threats
What is a histogram as it applies to an alphabetic cipher?
frequency analysisalphabetic ciphercryptanalysishistogram - Question #530Reconnaissance, Scanning, and Enumeration
Based on the tcpdump output below, what is an attacker attempting to do?
DNS zone transfertcpdumppacket analysisDNS reconnaissance - Question #531Web Application Attacks & Post-Exploitation
How does a web application that is vulnerable to SQL injection attacks usually tie into a database?
SQL injectiondatabase interactionuser inputweb application - Question #532Reconnaissance, Scanning, and Enumeration
An attacker configured nmap with command line options that specified the destination port, destination IP address, and TCP flags to be set to SYN/FIN/PSH/URG. No other command line...
OS fingerprintingnmapTCP flagsXmas scan - Question #533Vulnerability Exploitation & Privilege Escalation
One typical way to help secure applications such as Virtual Network Computing (VNC) is to send the application traffic using which of the following?
SSH tunnelingVNCremote accessport forwarding - Question #534Malware Analysis & Advanced Persistent Threats
HYDAN uses functionally-equivalent instructions to steganographically embed information in which one of the following data formats?
steganographyHYDANx86 binariescovert channels - Question #535Malware Analysis & Advanced Persistent Threats
Analyze the screenshot below. Which event described below is taking place in the output shown?
VM detectionsandbox evasionanti-analysismalware behavior - Question #536Web Application Attacks & Post-Exploitation
An attacker has used an infected USB thumb drive to compromise an internal host. The host is firewalled, blocking all inbound ports and protocols, and allowing tcp port 8080 outbou...
reverse shellHTTP tunnelingfirewall bypasscovert channel - Question #537Reconnaissance, Scanning, and Enumeration
What type of activity is occurring in the screenshot?
war dialingmodem scanningtelephone reconnaissancelegacy enumeration - Question #538Reconnaissance, Scanning, and Enumeration
Analyze the command output below. Why did OS detection fail?
OS fingerprintingnmapsignature databasenetwork scanning - Question #539Web Application Attacks & Post-Exploitation
Analyze the code snippet below. What is the main purpose of this code?
anti-forensicsshell historylog tamperingpost-exploitation - Question #540Incident Response & Cyber Kill Chain
Which of the following is a key aspect of an emergency incident response?
incident responseemergency proceduresIR best practicesfirst responder - Question #541Malware Analysis & Advanced Persistent Threats
What is the term used to describe a Worm that is able to infect a host by exploiting many different application or operating system vulnerabilities?
worm typesmulti-exploit wormmalware classification - Question #542Incident Response & Cyber Kill Chain
Who is responsible for the decision to take a machine critical to a company's operations out of a production environment?
incident response rolesIR team structurebusiness continuitydecision authority - Question #543Malware Analysis & Advanced Persistent Threats
Which is a requirement to ensure the success of the following command? C:\> notepad helloworld.txt:goodbye.txt
NTFS alternate data streamsWindows filesystemADS steganography - Question #544Malware Analysis & Advanced Persistent Threats
You are copying files from the C:\WINDOWS\system32 directory to a USB memory stick and encounter the pop-up shown in the image. What does this indicate?
NTFSfilesystem compatibilityUSB storagealternate data streams - Question #545Malware Analysis & Advanced Persistent Threats
How would a worm be able to affect hosts running different operating systems be classified?
worm typesmulti-platform wormmalware classification - Question #546Reconnaissance, Scanning, and Enumeration
An administrator creates a rule to block outgoing ICMP Time Exceeded messages from leaving the network border. What will the effect of this be?
ICMP time exceededtraceroutefirewall rulesnetwork reconnaissance - Question #547Incident Response & Cyber Kill Chain
Your incident handling team receives the following information: - The help desk is getting password reset requests from remote employees. - When contacted by the help desk technici...
incident classificationevent vs incidentincident handlingpassword reset attack - Question #548Malware Analysis & Advanced Persistent Threats
Which of the following techniques can malware employ to avoid detection by honey ports installed on virtual machines?
VM detectionmalware evasionMAC address fingerprintinganti-analysis - Question #549Incident Response & Cyber Kill Chain
You are planning to upgrade several packet filtering firewalls to proxy firewalls and need to make a presentation to management. During the presentation, a member of management ask...
packet filteringproxy firewallfirewall typesnetwork defense - Question #550Web Application Attacks & Post-Exploitation
How could an attacker bypass client-side filtering of user input?
client-side filter bypassweb proxyinput validationweb application security - Question #551Reconnaissance, Scanning, and Enumeration
You suspect that someone located outside your organization has been searching for open ports on your web server. How can you see whether the web server is being scanned?
port scanning detectionfirewall logsnetwork monitoring - Question #552Incident Response & Cyber Kill Chain
An employee is sending personally threatening email through the company's email server to a supervisor and external business partners. Which type of incident is this?
incident typesunauthorized usepolicy violationemail abuse - Question #553Web Application Attacks & Post-Exploitation
Which of the following protocols is resistant to session hijacking attacks?
session hijackingSSHv2protocol securityencrypted sessions - Question #554Vulnerability Exploitation & Privilege Escalation
You are recovering a password. The password is encoded as an MD5 hash with salt. Which attack will have a 100% success rate at recovering the original password, given enough time a...
password crackingMD5 hash with saltbrute force attackrainbow tables - Question #555Reconnaissance, Scanning, and Enumeration
What is the first type of packet sent when the ping command is executed on a Windows system?
ICMPpingecho requestnetwork protocols - Question #556Reconnaissance, Scanning, and Enumeration
Which of the following devices would return information about internal targets during an ACK scan?
ACK scanstateless firewallport scanningfirewall bypass - Question #557Reconnaissance, Scanning, and Enumeration
What is the penetration tester looking for in the following screenshot?
SWF objectsweb reconnaissancecontent discoveryFlash exploitation - Question #558Malware Analysis & Advanced Persistent Threats
From the choices below, which type of defense is the best way to protect against User-Mode RootKits?
user-mode rootkitproactive defenserootkit mitigation - Question #559Vulnerability Exploitation & Privilege Escalation
Which of the following BEST represents a true virtual machine escape?
VM escapevirtualization securityhypervisor attackguest-to-host breakout - Question #560Vulnerability Exploitation & Privilege Escalation
Which of the following methods does Netcat use to act as a relay (transferring data from machine to machine)?
NetcatI/O redirectionnetwork relaypivoting - Question #561Incident Response & Cyber Kill Chain
A company is reviewing its systems. The review includes travelling laptops with insecure connections, and is focused on finding connections to known malicious locations. What would...
DNS logsmalware domainsthreat huntinglog analysis