GCIH Exam Questions
829 real GCIH exam questions with expert-verified answers and explanations. Page 14 of 17.
- Question #663Reconnaissance, Scanning, and Enumeration
Analyze the data shown below. Where does this data originate from?
ARP cachenetwork forensicsdata identificationhost discovery - Question #664Malware Analysis & Advanced Persistent Threats
Which volatility plugin shows the command line path for a recently launched application?
Volatility frameworkmemory forensicsprocess analysisforensic plugins - Question #665Reconnaissance, Scanning, and Enumeration
Which of the following commands will enumerate a list of shares on a Windows target machine?
SMB enumerationWindows sharesnet commandsnetwork reconnaissance - Question #666Incident Response & Cyber Kill Chain
What is the definition of an event as it applies to incident handling?
incident handling terminologyevent definitionIR fundamentalsNIST framework - Question #667Incident Response & Cyber Kill Chain
Which of the following is a normal finding that an incident handler would expect to see while reviewing the squid proxy logs for a small business with a single office?
proxy log analysisuser agent analysisanomaly detectionbaseline behavior - Question #668Vulnerability Exploitation & Privilege Escalation
What hash type is being cracked in the command below? hashcat -m 1000 -a 0 customer.ntds wordlist.txt --potfile-path ./hashcat.potfile
hashcat modesNTLM hashespassword crackingcredential attacks - Question #669Vulnerability Exploitation & Privilege Escalation
Which of the following occurs when a penetration tester attempts to connect to a host with the following command? net use \\192.168.44.213
SMB authenticationcredential exposurenull sessionWindows networking - Question #670Vulnerability Exploitation & Privilege Escalation
A security auditor is using John the Ripper to review password strength on Windows machines. The auditor knows that the company requires a 15-character minimum in their passwords....
John the RipperLANMAN hashNT hashpassword length policy - Question #671Incident Response & Cyber Kill Chain
Which of the following would be exposed to an attacker as a result of a remote employee attempting to connect to company resources without a VPN?
VPN securitycredential exposureremote accessauthentication - Question #672Reconnaissance, Scanning, and Enumeration
Which of the following is the most effective technique for identifying live client systems on a LAN?
host discoveryICMP echonetwork scanningLAN reconnaissance - Question #673Malware Analysis & Advanced Persistent Threats
Where would an incident handler search for autostart extensibility points (ASEPs) on a Windows host?
ASEPsWindows registrypersistence mechanismsmalware persistence - Question #674Vulnerability Exploitation & Privilege Escalation
How can an adversary use a hash that was stolen from a Windows account to compromise a Linux server?
pass-the-hashSAMBA authenticationcross-platform attackscredential reuse - Question #675Vulnerability Exploitation & Privilege Escalation
What is the outcome of the command below? hashcat -m 3000 -a 3 ntds.dat --potfile-path ntds.potfile -1 ?u?d?s --increment ?1?1?1?1?1?1
hashcatLANMAN hash crackingbrute force attackmask attack - Question #676Vulnerability Exploitation & Privilege Escalation
Which file would an attacker need to read in order to crack passwords on a modern Linux system?
Linux password files/etc/shadowpassword crackingLinux authentication - Question #677Incident Response & Cyber Kill Chain
Which of the following squid proxy log fields is easiest for an attacker to spoof?
proxy log analysisuser agent spoofinglog tamperingattacker evasion - Question #678Web Application Attacks & Post-Exploitation
What do drive-by attacks typically take advantage of when delivering exploits?
drive-by downloadsbrowser exploitationclient-side attacksweb-based malware - Question #679Malware Analysis & Advanced Persistent Threats
A responder runs the two commands below looking for the number of lines that contain the word powershell. Which of the following is a reason why the output is different between the...
Volatility psscanhidden processesrootkit detectionmemory forensics - Question #680Reconnaissance, Scanning, and Enumeration
Alice is checking for unusual activity on the LAN that she administers. Based on the CAM table excerpt below, what port should be investigated further?
CAM table analysisMAC floodingswitch port securitynetwork forensics - Question #681Web Application Attacks & Post-Exploitation
An attacker has tricked a user into executing content he placed on a social networking site. The malicious content executes in the victim's browser and allows the attacker to deter...
cross-site scriptingbrowser exploitationfirewall bypasssocial engineering - Question #682Reconnaissance, Scanning, and Enumeration
Following the recent acquisition of a new business, your manager asks you to investigate their DNS service and report back on its status. He is concerned as they only have one DNS...
DNS zone transferDNS securitynetwork enumerationsecurity hardening - Question #683Web Application Attacks & Post-Exploitation
A system administrator finds the entry below in an Apache log. What can be done to mitigate against this? 192.168.116.201 - - [22/Apr/2016:13:43:26 -0400] 'GET +mysql.user+limit+0%...
SQL injectioninput validationApache log analysisweb application defense - Question #684Reconnaissance, Scanning, and Enumeration
Which of the following user accounts is the default Administrator account?
Windows accountsdefault administratoruser identificationaccount enumeration - Question #685Reconnaissance, Scanning, and Enumeration
What request methods are exploited in a Lanturtle + Responder access attack?
ResponderLLMNR/NBT-NSDNS poisoningcredential capture - Question #686Web Application Attacks & Post-Exploitation
In addition to special characters, certain keywords in log files may indicate a SQL injection attack. Which words could indicate a SQL injection attack?
SQL injectionlog analysisUNION attackattack indicators - Question #687Reconnaissance, Scanning, and Enumeration
What is the Linux administrator doing with the commands below? $ rpcclient -U fezzik florin rpcclient $> lsaenumsid
rpcclientSID enumerationActive DirectoryWindows enumeration - Question #688Incident Response & Cyber Kill Chain
How can a system be configured to ignore gratuitous ARPs for specific IP addresses?
ARP poisoningARP table hardeningnetwork defensegratuitous ARP - Question #689Vulnerability Exploitation & Privilege Escalation
What built-in Windows tool can be used to collect Active Directory database data and the SYSTEM registry hive for off-line password cracking?
ntdsutilActive DirectoryNTDS.ditoffline password cracking - Question #690Reconnaissance, Scanning, and Enumeration
Examine the image below. What share would a user typically connect to when they execute the NET USE command below? C:\> net use \\10.0.10.123
SMBIPC$ shareNET USEWindows networking - Question #691Web Application Attacks & Post-Exploitation
When probing for command injection opportunities on a remote host, why would an attacker target her own address space from the remote host?
command injectionblind injectionout-of-band verificationattack methodology - Question #692Web Application Attacks & Post-Exploitation
An administrator needs to protect his organization's IIS webservers from Cross-Site Scripting attacks. Which action should he take?
XSS mitigationIIS securityAnti-XSS libraryweb application defense - Question #693Incident Response & Cyber Kill Chain
What information is commonly found in both the header and the possession log of a Chain of Custody?
chain of custodydigital forensicsevidence handlingincident documentation - Question #694Vulnerability Exploitation & Privilege Escalation
Which of the following Metasploit module types would contain privilege escalation capabilities?
Metasploitpost-exploitation modulesprivilege escalationframework architecture - Question #695Malware Analysis & Advanced Persistent Threats
Which of the following describes a suspicious event in the service data below? root@kali:~/volatility# ./vol.py -f ../mem/Desk005.vmem svcscan
Volatilitymemory forensicssvcscanmalware detection - Question #696Incident Response & Cyber Kill Chain
Which file contains information about failed login attempts on a Unix system?
Unix logsbtmpfailed login attemptslog files - Question #697Vulnerability Exploitation & Privilege Escalation
What is one of the simplest AND most common ways for an attacker to camouflage files on a UNIX system?
file hidingUnix filesystemanti-forensicsstealth techniques - Question #698Reconnaissance, Scanning, and Enumeration
Which of the following packets saved in the file pingout.pcap would be returned with the following Berkley Packet Filters? tcpdump -nn -r pingout.pcap '榠cmp and (dst host 8.8.8.8)'
tcpdumpBPF filterICMPpacket analysis - Question #699Vulnerability Exploitation & Privilege Escalation
What is the goal of an attacker who has entered the commands shown in the screenshot?
credential dumpinghash extractionoffline crackingpassword harvesting - Question #700Web Application Attacks & Post-Exploitation
During the identification phase of a Web server compromise, you notice the following entries in the web server logs. If "admin" is a valid username, but its corresponding password...
web server logssession hijackingattack identificationlog analysis - Question #701Incident Response & Cyber Kill Chain
What information will be returned when an administrator executes the command below? # last -f /var/log/btmp
Linux logsfailed loginbtmplog analysis - Question #702Incident Response & Cyber Kill Chain
Which of the following Volatility commands will display the date and time an image was collected?
Volatilitymemory forensicsimageinfodigital forensics - Question #703Reconnaissance, Scanning, and Enumeration
When switching traffic on a LAN, what element of the Ethernet frame does a switch use to make its decision on where to send the data?
EthernetMAC addressswitchingnetworking fundamentals - Question #704Malware Analysis & Advanced Persistent Threats
How would an attacker hide an executable from being viewed by Windows Explorer?
ADSNTFSfile hidingWindows evasion - Question #705Malware Analysis & Advanced Persistent Threats
What is an alternate data stream?
ADSNTFSfile streamsWindows - Question #706Incident Response & Cyber Kill Chain
Which tcpdump command will open the capture.dmp pcap file and display the ASCII output of traffic going to and from 192.168.122.12?
tcpdumppacket capturepcap analysisnetwork forensics - Question #707Reconnaissance, Scanning, and Enumeration
Which is the normal response from live hosts to the discovery packets sent during a default Nmap sweep?
Nmaphost discoveryTCP handshakenetwork scanning - Question #708Malware Analysis & Advanced Persistent Threats
An administrator is inspecting a machine that starts more slowly than it used to. Which key under HKLM\Software\Microsoft\Windows\ should be examined to determine if malware is exe...
Windows registrystartup persistencemalware detectionHKLM - Question #709Cloud Incident Response & Threat Hunting
Tools like RITA use which of the following characteristics to identify C2 traffic?
RITAC2 detectionbeaconingthreat hunting - Question #710Vulnerability Exploitation & Privilege Escalation
Where would salted hashes be found on a Linux machine?
/etc/shadowLinux passwordsalted hashescredential storage - Question #711Vulnerability Exploitation & Privilege Escalation
What type of hash is used in the password hash below?
hash identificationSHA-512password hashingcryptography - Question #712Malware Analysis & Advanced Persistent Threats
A fake installer exploit is delivered using which attack?
watering holefake installersocial engineeringmalware delivery