1. Users in a company have complained about network performance. After investigation, the IT staff has determined that an attacker has used a specific technique that affects the TCP three-way handshake. What is the name of this type of network attack?
- A. DNS poisoning
- B. SYN flood
- C. DDoS
- D. Session hijacking
The TCP SYN flood attack exploits the TCP three-way handshake. The threat actor
continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target.
2. Which type of attack involves the unauthorized discovery and mapping of network systems and services?
- A. DoS
- B. Access
- C. Reconnaissance
- D. Trust exploitation
Network reconnaissance attacks involve the unauthorized discovery and mapping
of the network and network systems. Access attacks and trust exploitation involve unauthorized manipulation of data, access to systems or user privileges. DoS, or Denial of Service attacks, are intended to prevent legitimate users and devices from accessing network resources.
3. In which TCP attack is the cybercriminal attempting to overwhelm a target host with half-open TCP connections?
- A. Reset attack
- B. Session hijacking attack
- C. Port scan attack
- D. SYN flood attack
In a TCP SYN flood attack, the attacker sends to the target host a continuous flood
of TCP SYN session requests with a spoofed source IP address. The target host responds with a TCP-SYN-ACK to each of the SYN session requests and waits for a TCP ACK that will never arrive. Eventually the target is overwhelmed with half-open TCP connections.
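The half-open connection build-up described above is something a SOC analyst can measure directly on the target host. The following Python snippet is an added example, not part of the original quiz material: it parses rows in the shape of `ss -tan` output (the row format and all addresses are constructed for illustration), counts SYN-RECV entries against one listening port, and flags the two indicators that distinguish a spoofed SYN flood from a busy service: a high share of half-open entries, and a distinct source address behind nearly every one of them. The thresholds are assumptions to be tuned per host.

```python
from dataclasses import dataclass

# Constructed rows in the shape of `ss -tan` output: State Recv-Q Send-Q Local Peer.
# Values are made up for illustration, not a real capture.
LEGIT_ROWS = [
    "ESTAB     0 0 10.0.0.5:443 198.51.100.7:51022",
    "ESTAB     0 0 10.0.0.5:443 198.51.100.9:40211",
    "ESTAB     0 0 10.0.0.5:443 198.51.100.9:40212",
    "SYN-RECV  0 0 10.0.0.5:443 198.51.100.21:55010",  # one ordinary in-progress handshake
    "ESTAB     0 0 10.0.0.5:22  192.0.2.10:60001",
]
# 40 half-open entries, each from a different source: the residue a randomly
# spoofed SYN flood leaves behind (constructed; 203.0.113.0/24 is a documentation range).
FLOOD_ROWS = [f"SYN-RECV  0 0 10.0.0.5:443 203.0.113.{i}:{1024 + i}" for i in range(1, 41)]


@dataclass
class Conn:
    state: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int


def parse_ss_row(row: str) -> Conn:
    """Split one 'State Recv-Q Send-Q Local Peer' row into its parts."""
    state, _recvq, _sendq, local, peer = row.split()
    lip, lport = local.rsplit(":", 1)
    pip, pport = peer.rsplit(":", 1)
    return Conn(state, lip, int(lport), pip, int(pport))


def summarize(rows, local_port: int) -> dict:
    """Count total, half-open (SYN-RECV) and distinct half-open peers for one listener."""
    conns = [parse_ss_row(r) for r in rows if r.strip()]
    mine = [c for c in conns if c.local_port == local_port]
    half_open = [c for c in mine if c.state == "SYN-RECV"]
    return {
        "total": len(mine),
        "half_open": len(half_open),
        "distinct_half_open_sources": len({c.peer_ip for c in half_open}),
    }


def syn_flood_suspected(rows, local_port: int, min_half_open: int = 20,
                        max_half_open_ratio: float = 0.5) -> bool:
    """Flag a listener when half-open entries are both numerous and the majority (assumed thresholds)."""
    s = summarize(rows, local_port)
    if s["total"] == 0 or s["half_open"] < min_half_open:
        return False
    return s["half_open"] / s["total"] > max_half_open_ratio


if __name__ == "__main__":
    print(summarize(LEGIT_ROWS, 443), syn_flood_suspected(LEGIT_ROWS, 443))
    print(summarize(LEGIT_ROWS + FLOOD_ROWS, 443), syn_flood_suspected(LEGIT_ROWS + FLOOD_ROWS, 443))
```

A single in-progress handshake from a real client keeps the ratio low and is not flagged; the flood sample pushes 41 of 44 entries into SYN-RECV with 41 different peers, which is the signature the explanation describes (SYN-ACKs sent to spoofed addresses that never complete the handshake). On a live host the same numbers come from `ss -tan` or the kernel's SYN-cookie counters.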
4. What kind of ICMP message can be used by threat actors to map an internal IP network?
- A. ICMP redirects
- B. ICMP echo request
- C. ICMP router discovery
- D. ICMP mask reply
Common ICMP messages of interest to threat actors include these:
- ICMP echo request and echo reply: used to perform host verification and DoS attacks
- ICMP unreachable: used to perform network reconnaissance and scanning attacks
- ICMP mask reply: used to map an internal IP network
- ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack
- ICMP router discovery: used to inject bogus route entries into the routing table of a target host.
5. What is involved in an IP address spoofing attack?
- A. A rogue node replies to an ARP request with its own MAC address indicated for the target IP address.
- B. A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.
- C. A legitimate network IP address is hijacked by a rogue node.
- D. Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server.
In an IP address spoofing attack, the IP address of a legitimate network host is
hijacked and used by a rogue node. This allows the rogue node to pose as a valid node on the
network.
6. How is optional network layer information carried by IPv6 packets?
- A. Inside the Flow Label field
- B. Inside an extension header attached to the main IPv6 packet header
- C. Inside an options field that is part of the IPv6 packet header
- D. Inside the payload carried by the IPv6 packet
IPv6 uses extension headers to carry optional network layer information. Extension headers are not part of the main IPv6 header but are separate headers placed between the IPv6 header and the payload.
7. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?
- A. Buffer overflow
- B. Port redirection
- C. Man in the middle
- D. Trust exploitation
An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:
- password – a dictionary is used for repeated login attempts
- trust exploitation – uses granted privileges to access unauthorized material
- port redirection – uses a compromised internal host to pass traffic through a firewall
- man-in-the-middle – an unauthorized device positioned between two legitimate devices in order to redirect or capture traffic
- buffer overflow – too much data sent to a memory location that already contains data
8. A disgruntled employee is using some free wireless networking tools to determine information about the enterprise wireless networks. This person is planning on using this information to hack the wireless network. What type of attack is this?
- A. Access
- B. DoS
- C. Trojan horse
- D. Reconnaissance
A reconnaissance attack is the unauthorized discovery and documentation of
various computing networks, network systems, resources, applications, services, or
vulnerabilities.
9. Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?
- A. TTL
- B. Protocol
- C. Header checksum
- D. Source IPv4 address
The header checksum is used to determine if any errors have been introduced
during transmission.
10. Which field in the IPv4 header is used to prevent a packet from traversing a network endlessly?
- A. Differentiated Services
- B. Acknowledgment Number
- C. Time-to-Live
- D. Sequence Number
The value of the Time-to-Live (TTL) field in the IPv4 header is used to limit the lifetime of a packet. The sending host sets the initial TTL value, which is decreased by one each time the packet is processed by a router. If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address. The Differentiated Services (DS) field is used to determine the priority of each packet. Sequence Number and Acknowledgment Number are two fields in the TCP header.
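Questions 9 and 10 both concern per-hop processing of the IPv4 header, so the two fit one worked example. The Python below is added here and is not part of the course material: it builds a minimal 20-byte IPv4 header (constructed test input, documentation-range addresses, no options), verifies the header checksum the way a receiving router does, and then performs the TTL step: decrement, discard when the value reaches zero, otherwise recompute the checksum because the TTL byte changed. The function and parameter names are this example's own.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: ones-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, protocol: int = 6,
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (constructed input, not a real packet)."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header)
        0x00,                 # Differentiated Services
        20 + payload_len,     # total length
        0x1234,               # identification (arbitrary)
        0x4000,               # flags: DF set, fragment offset 0
        ttl,
        protocol,             # 6 = TCP
        0,                    # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def header_is_intact(header: bytes) -> bool:
    """A header whose checksum field is correct sums to 0xFFFF, so the complement is 0."""
    return ipv4_checksum(header) == 0


def router_forward(header: bytes):
    """One hop of router processing: checksum check, TTL decrement, discard on zero."""
    if not header_is_intact(header):
        return ("drop", "bad-checksum")      # corrupted header is discarded
    if header[8] <= 1:
        # TTL would reach zero: drop; a real router also sends ICMP Time Exceeded
        # (type 11) to the source address, which is not modelled here.
        return ("drop", "ttl-expired")
    out = bytearray(header)
    out[8] -= 1                              # TTL is byte 8 of the header
    out[10:12] = b"\x00\x00"                 # zero the checksum before recomputing it
    struct.pack_into("!H", out, 10, ipv4_checksum(bytes(out)))
    return ("forward", bytes(out))


if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.1", "198.51.100.5", ttl=64)
    print(header_is_intact(hdr), router_forward(hdr)[0], router_forward(hdr)[1][8])
    print(router_forward(build_ipv4_header("192.0.2.1", "198.51.100.5", ttl=1)))
```

Two details worth noticing: the checksum covers only the header, which is why a router can rewrite it cheaply after changing the TTL, and a single flipped bit anywhere in the header changes the ones-complement sum, so `header_is_intact` catches it.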
11. Which field in an IPv6 packet is used by the router to determine if a packet has expired and should be dropped?
- A. Address Unreachable
- B. TTL
- C. Hop Limit
- D. No Route to Destination
ICMPv6, like ICMPv4, sends a Time Exceeded message if the router cannot forward an IPv6 packet because the packet has expired. However, the IPv6 packet does not have a TTL field. Instead, it uses the Hop Limit field to determine if the packet has expired.
12. A threat actor uses a program to launch an attack by sending a flood of UDP packets to a server on the network. The program sweeps through all of the known ports trying to find closed ports. It causes the server to reply with an ICMP port unreachable message and is similar to a DoS attack. Which two programs could be used by the threat actor to launch the attack? (Choose two.)
- A. Ping
- B. Low Orbit Ion Cannon
- C. Smurf
- D. WireShark
- E. UDP Unicorn
A threat actor can use a tool like UDP Unicorn or Low Orbit Ion Cannon to send a
flood of UDP packets to launch a UDP flood attack that causes all the resources on a network to
become consumed. These types of programs will sweep through all the known ports trying to
find closed ports. This causes the server to reply with an ICMP port unreachable message.
Because of the many closed ports on the server, there is so much traffic on the segment that
almost all the bandwidth gets used. The end result is very similar to a DoS attack.
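The traffic pattern in this explanation, one source hitting many closed UDP ports while the server answers each with ICMP port unreachable, is what a flow-log detection should key on. The Python below is an added example, not part of the course material: the log line format, addresses and thresholds are all constructed for illustration. It parses UDP and ICMP records, counts distinct destination ports per source and ICMP type 3 code 3 replies sent back to that source, and flags sources where both counts are high, which separates a port sweep or UDP flood from a client that legitimately sends many datagrams to one service port.

```python
import re
from collections import Counter, defaultdict

# Constructed flow-log lines in a made-up "<ts> <proto> <src> -> <dst> [k=v ...]" format.
# Addresses are from documentation ranges; nothing here is a real capture.
LEGIT_LINES = [
    f"2024-05-01T10:00:0{i}Z udp 198.51.100.7:5{i}000 -> 10.0.0.5:53 len=60" for i in range(5)
]
FLOOD_LINES = []
for port in range(1, 301):
    FLOOD_LINES.append(f"2024-05-01T10:01:00Z udp 203.0.113.44:4000 -> 10.0.0.5:{port} len=28")
    # the server answers each closed port with ICMP Destination Unreachable, code 3 (port unreachable)
    FLOOD_LINES.append("2024-05-01T10:01:00Z icmp 10.0.0.5 -> 203.0.113.44 type=3 code=3")

LINE_RE = re.compile(r"^(\S+) (udp|icmp) (\S+) -> (\S+)(?: (.*))?$")


def parse_line(line: str):
    """Parse one constructed-format line into a record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, src, dst, rest = m.groups()
    kv = dict(item.split("=", 1) for item in (rest or "").split())
    if proto == "udp":
        src_ip, _sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return {"ts": ts, "proto": "udp", "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dport)}
    return {"ts": ts, "proto": "icmp", "src_ip": src, "dst_ip": dst,
            "type": int(kv.get("type", -1)), "code": int(kv.get("code", -1))}


def udp_sweep_sources(lines, min_distinct_ports: int = 100, min_unreachable_replies: int = 50) -> dict:
    """Return sources that probed many distinct UDP ports and drew many port-unreachable replies."""
    ports_by_src = defaultdict(set)   # source IP -> set of UDP destination ports it touched
    unreachable_to = Counter()        # IP that received ICMP type 3 / code 3 -> count
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "udp":
            ports_by_src[rec["src_ip"]].add(rec["dst_port"])
        elif rec["type"] == 3 and rec["code"] == 3:
            unreachable_to[rec["dst_ip"]] += 1
    flagged = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= min_distinct_ports and unreachable_to[src] >= min_unreachable_replies:
            flagged[src] = {"distinct_ports": len(ports),
                            "port_unreachable_replies": unreachable_to[src]}
    return flagged


if __name__ == "__main__":
    print(udp_sweep_sources(LEGIT_LINES))
    print(udp_sweep_sources(LEGIT_LINES + FLOOD_LINES))
```

Requiring both indicators matters: the ICMP reply count alone rises whenever a service is down, and the distinct-port count alone is noisy for hosts that legitimately use wide ephemeral port ranges. Rate limiting ICMP unreachable generation on the server is the usual mitigation for the bandwidth consumption the explanation describes.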
13. A threat actor wants to interrupt a normal TCP communication between two hosts by sending a spoofed packet to both endpoints. Which TCP option bit would the threat actor set in the spoofed packet?
- A. FIN
- B. SYN
- C. RST
- D. ACK
A TCP reset attack can be used to terminate TCP communications between two hosts by sending a spoofed TCP RST packet. A TCP connection is torn down when it receives an RST bit.