GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 12 of 17.
- Question #562Reconnaissance, Scanning, and Enumeration
An analyst discovers an undocumented host showing up in some IDS alerts with IP address 10.0.1.123. A port scan indicates listening services on the host. What step can the analyst...
nmapOS detectionservice enumerationport scanning - Question #563Vulnerability Exploitation & Privilege Escalation
Which of the following describes an attack where false Data Link Layer information is sent to a victim host to redirect packets to the attacker's host on the same subnet?
ARP cache poisoningData Link Layernetwork spoofingMITM - Question #564Reconnaissance, Scanning, and Enumeration
Which of the following is a feature of Netcat that is not present in telnet?
NetcatUDP supporttelnetnetwork tools - Question #565Web Application Attacks & Post-Exploitation
Analyze the screenshot below. What action should the penetration tester recommend to the security team?
session managementsession IDURL parametersserver-side validation - Question #566Reconnaissance, Scanning, and Enumeration
Examine the packet capture below. What can be determined based on the packet information?
source routingpacket analysisIP optionsnetwork forensics - Question #567Vulnerability Exploitation & Privilege Escalation
How can the information below be used in a penetration test?
credential harvestingOSINTpenetration testinginformation gathering - Question #568Incident Response & Cyber Kill Chain
As an incident handler for the XYZ Widget Company, you have responded to the breach of your mail server. The server is not in a DMZ but on your internal network and was being used...
incident responselog preservationevidence collectioncontainment - Question #569Vulnerability Exploitation & Privilege Escalation
Canaries help to implement what protective mechanisms in the stack?
stack canariesbuffer overflow protectionmemory integrityexploit mitigation - Question #570Reconnaissance, Scanning, and Enumeration
What element of the DNSSec standard would help stop DNS cache poisoning attacks?
DNSSecDNS cache poisoningdigital signaturesDNS security - Question #571Web Application Attacks & Post-Exploitation
Which three components must be included in a SQL update statement?
SQL syntaxUPDATE statementSQL injectiondatabase - Question #572Vulnerability Exploitation & Privilege Escalation
In general, which method is the fastest for cracking a password?
password crackingdictionary attackbrute forcecredential attacks - Question #573Reconnaissance, Scanning, and Enumeration
Why do protocol parsers such as sniffers often run with root or system privileges?
packet sniffingpromiscuous moderoot privilegesnetwork interface - Question #574Vulnerability Exploitation & Privilege Escalation
You are a Windows XP user and you want to ensure that your account does not have a LANMAN hash. How can this be achieved?
LANMAN hashWindows authenticationpassword policycredential security - Question #575Malware Analysis & Advanced Persistent Threats
Detecting Virtual Machine Environments (VMEs) is the purpose of which of the following pieces of software?
VM detectionRed Pillanti-analysismalware evasion - Question #576Incident Response & Cyber Kill Chain
A company's internal LAN is being scanned by a compromised workstation. Which of the following is a 'Containment Phase' action that protects volatile data?
incident containmentvolatile dataRAM imagingnetwork isolation - Question #577Malware Analysis & Advanced Persistent Threats
After reviewing your firewall logs for the past week, you notice that a specific workstation is surfing the Internet at the same time every night when employees would not be on the...
reverse shellC2 communicationcovert channelport 80 - Question #578Vulnerability Exploitation & Privilege Escalation
An attacker is attempting to sniff packets on a switched network. He has forced his network interface to run in promiscuous mode, and set up IP forwarding on his machine. All packe...
ARP spoofinggratuitous ARPswitched networkMITM - Question #579Reconnaissance, Scanning, and Enumeration
Which of the following tools will show all TCP and UDP connections on a Windows system?
TCPViewnetwork connectionsWindows toolsnetwork monitoring - Question #580Reconnaissance, Scanning, and Enumeration
An analyst ran a Nessus scan with Dangerous plugins enabled for performing a vulnerability scan against a business critical system running on the production network. This brought d...
Nessusvulnerability scanningdangerous pluginsproduction network - Question #581Reconnaissance, Scanning, and Enumeration
If a sniffer is installed on a host residing on a switched environment network, what packets will it capture?
network sniffingswitched networkpacket capturepromiscuous mode - Question #582Vulnerability Exploitation & Privilege Escalation
How does Karmetasploit acquire the user credentials of wireless clients?
Karmetasploitrogue access pointwireless credential harvestingevil twin attack - Question #583Incident Response & Cyber Kill Chain
What is one of the first actions you should take in the containment phase of incident handling?
incident containmentmanagement escalationnetwork isolationincident handling phases - Question #584Incident Response & Cyber Kill Chain
Your incident handling team is gathering a list of data owners and contact numbers for high-value targets. In which stage of the incident handling process does this action belong?
incident preparationdata ownerscontact inventoryhigh-value assets - Question #585Reconnaissance, Scanning, and Enumeration
The scanning algorithm in a port scanning tool is designed to continue sending SYN packets to targets rather than actively listening for a response from each one before proceeding....
SYN scanningasynchronous scanningport scan optimizationscan speed - Question #586Incident Response & Cyber Kill Chain
During routine examination of bandwidth data for your company's DMZ, an anomaly was discovered with the activity to a public-facing, download only FTP server. To begin your investi...
anomaly detectionFTP serverbandwidth analysislog review timeframe - Question #587Web Application Attacks & Post-Exploitation
What is an effective mitigation for an HTTP flood attack?
HTTP floodapplication layer DDoSCAPTCHA mitigationrate limiting - Question #588Reconnaissance, Scanning, and Enumeration
What is the name of the GUI-based front end for Nmap?
NmapZenmapport scanning toolsnetwork discovery - Question #589Incident Response & Cyber Kill Chain
Where could you refer to a honeypot web page in order to lure and identify possible attackers?
honeypotrobots.txtattacker deceptionthreat detection - Question #590Incident Response & Cyber Kill Chain
What is the first line of defense against BGP hijacking?
BGP hijackingtraceroute baselinerouting securitynetwork monitoring - Question #591Incident Response & Cyber Kill Chain
How could you determine if your system is the victim of a SYN flood?
SYN flood detectionnetstatSYN_RECEIVED stateDoS detection - Question #592Web Application Attacks & Post-Exploitation
An attacker wishes to steal browser cookies through a Cross-Site Scripting attack. Which website provides the best attack vector?
cross-site scriptingcookie theftuser-generated contentXSS attack vector - Question #593Vulnerability Exploitation & Privilege Escalation
Which of the following functionalities is offered by Abel?
Abel toolpassword hash dumpingWindows credentialscredential access - Question #594Vulnerability Exploitation & Privilege Escalation
A new buffer overflow vulnerability in the Remote Procedure Call (RPC) mechanism for all versions of Windows has been announced, and exploit code has already been made available on...
buffer overflowRPC vulnerabilitypatch managementWindows exploit mitigation - Question #595Vulnerability Exploitation & Privilege Escalation
Which of the following is a protocol that, like TFTP, can be used to transfer Netcat to a victim machine in order to open a backdoor listener?
Netcatbackdoor installationfile transfer protocolsHTTPS tunneling - Question #596Incident Response & Cyber Kill Chain
You run a network using the 10.0.0.0/8 address range. You notice a strange increase in traffic coming from one of your DMZ servers one day. You collect a packet trace using Tcpdump...
SYN floodTcpdump analysisDDoS detectiontraffic pattern recognition - Question #597Reconnaissance, Scanning, and Enumeration
Which of the following security benefits does DNSSEC provide?
DNSSECdigital signaturesDNS data integrityDNS security extensions - Question #598Reconnaissance, Scanning, and Enumeration
As an incident handler, you are checking DNS server logs for DNS transfers. What protocol and port might indicate a zone transfer?
DNS zone transferTCP port 53DNS reconnaissanceAXFR request - Question #599Malware Analysis & Advanced Persistent Threats
The Conficker worm can run every time Windows starts on infected machines. What tool would you use to test whether the worm will do this on a machine that you think may have been i...
Conficker wormregistry persistencereg commandmalware startup mechanisms - Question #600Reconnaissance, Scanning, and Enumeration
You have many software packages available to choose from when preparing for a vulnerability scan. What precautions should be taken when running a basic vulnerability scan, regardle...
vulnerability scanningDoS plugin preventionscan safety practicesscanner configuration - Question #601Reconnaissance, Scanning, and Enumeration
Which of the following TTL values on an incoming packet allow it to be forwarded to the next router in the path?
TTLpacket forwardingIPv4network fundamentals - Question #602Incident Response & Cyber Kill Chain
A company is running a Windows network segment with Windows 8 for its users and wants to do a statistical analysis of the workstations to help detect malware. What would be a good...
Kansalive responsemalware detectionWindows forensics - Question #603Malware Analysis & Advanced Persistent Threats
How could an attacker insert malware into the kernel of a Windows system?
kernel rootkitNtoskrnl.exeWindows internalsmalware persistence - Question #604Reconnaissance, Scanning, and Enumeration
Analyze the screenshot below. What will the search return?
Google dorkingfiletype searchOSINTpassive reconnaissance - Question #605Web Application Attacks & Post-Exploitation
You cane across the following code snippet when investigating an incident that involved a business critical system. This code crashed right after the user passed the following inpu...
format string attackmemory corruptionprintf vulnerabilityC code analysis - Question #606Incident Response & Cyber Kill Chain
Stacy is the lead of the network services team. She suspects that Keith, one of the network administrators, is not spending as much time working as he states he is. She suspects he...
IR ethicsHR escalationmonitoring policyincident handling procedure - Question #607Vulnerability Exploitation & Privilege Escalation
Examine the image below. Based on the log file and directory entry below why was the .bash_history file empty after Eve terminated her session?
bash historyanti-forensicsprivilege escalationlog tampering - Question #608Reconnaissance, Scanning, and Enumeration
What advantage does running netstat with the flags '-nao' have over running netstat with the '-na' flags in Windows?
netstatPIDWindows network commandslive response - Question #609Reconnaissance, Scanning, and Enumeration
If a router received an IPv6 packet with a Hop Limit of 1, which of the following ICMP messages would it send back to the originating host?
IPv6Hop LimitICMPv6Time Exceeded - Question #610Web Application Attacks & Post-Exploitation
Which of the following commands can be used to create a backdoor shell on port 1234 on a Linux or Unix system?
netcatbackdoor shellbind shellpost-exploitation - Question #611Malware Analysis & Advanced Persistent Threats
Which of the following best describes a statically linked binary?
static linkingbinary analysismalware analysisPE structure