  Show Posts
1  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Questions - required feedbacks/views on: October 20, 2006, 08:53:24 PM
Thanks for everybody's feedback.
Skel: thanks for the feedback.
Negrita: I will read the RFCs.

I wish to apologise if I had caused any discomfort to anyone here... I do not wish to reproduce the question, but I am afraid I would have reproduced the questions wrongly, according to my own thoughts.

Moderator: you can erase this thread anytime.

I took the test and passed with rather good results. Once again, I really appreciate those who helped me to clarify some doubts along the way. A reminder to those who are taking it: don't trust the answers too much, whether it's TK, AT, etc.

cheers,
Dareth






2  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Questions - required feedbacks/views on: October 18, 2006, 11:58:35 PM
Hi skel,
I found Q4 and rewrote it.

Take a look at the following attack on a web server using obstructed URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%65%74%63%2f%7

The request is made up of:
1. %2e%2e%2e%2e%2e%2f = ../../../
2. %65%74%63 = etc
3. %2f = /
4. %70%61%73%73%77%64 = passwd

How would you protect information systems from these attacks?

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scripts detection at the firewall and routers.

Answer given is B, and I thought the answer should be A.

I suppose 'these attacks' are referring to the Unicode exploits.

An IDS, unlike an IPS (Intrusion Prevention Devices), only detects but couldn't prevent the exploits. If it is an IPS deployed in front of the web server, it will be
able to 'match' the exploits based on the created rules.

8.
While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoings.

However, you are concerned about affecting the normal functionality
of the email server. From the following options, choose how best you can achieve this objective?

A. Block port 25 at the firewall
B. Shut off the SMTP service on the server
C. Force all connections to use a username and password
D. Switch from Windows Exchange to UNIX sendmail.
E. None of the above.

Answer is E.
I thought the answer is C.

Most ISPs have enforced SMTP authentication or 'POP before send'. Probably I think a step ahead, like security measures/controls...

The only reason I can think of why AT chose E: initially, when we telnet in to
port 25, we do not need to authenticate.

Guys, do you agree?? 
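An added example, not part of the post or the exam, to show how options A and B relate in practice: a signature on the raw request (the IDS rule of option B) catches the single-encoded form, while decoding the parameter and resolving it against the document root (what a web server doing option A would have to do) also catches double-encoded variants. The web root and the three sample requests are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root and constructed sample requests modelled on the exam item.
WEB_ROOT = "/var/www/html"
SAMPLE_REQUESTS = [
    "/script.ext?template=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64",
    "/script.ext?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd",  # double-encoded
    "/script.ext?template=header.html",  # benign
]

# Raw-request signature: an encoded or literal '..' followed by an encoded or literal separator.
RAW_TRAVERSAL = re.compile(r"(%2e%2e|\.\.)(%2f|%5c|/|\\)", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(param_value, root=WEB_ROOT):
    """True when the decoded parameter, resolved against the web root, lands outside it."""
    target = posixpath.normpath(posixpath.join(root, param_value))
    return not (target == root or target.startswith(root + "/"))


def inspect_request(uri):
    """Return (raw_signature_hit, decoded_traversal_hit, decoded_parameter_values)."""
    _, _, query = uri.partition("?")
    raw_hit = bool(RAW_TRAVERSAL.search(uri))
    decoded_values = [fully_decode(p.partition("=")[2]) for p in query.split("&") if p]
    decoded_hit = any(escapes_root(v) for v in decoded_values)
    return raw_hit, decoded_hit, decoded_values


if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(uri, "->", inspect_request(uri))
```

The second sample shows why the raw signature alone is not enough: it only fires after decoding, so a server-side normalisation step is the check that actually blocks the request.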


3  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Questions - required feedbacks/views on: October 18, 2006, 09:59:53 AM
6.
You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23
live systems and after scanning each of them, you notice that they all show port 21
in closed state.

What should be the next logical step that should be performed?

A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up
D. Re-scan every PC to verify results

Ans is C.


I don't understand this. Since we performed a scan and discovered 23 'live' systems,
port 21 on the 23 systems is closed. I believe there was a TCP port scan on a specific subnet to discover the 23 'live' systems.

Why do we need to perform another SYN scan on port 21 to discover more 'live' systems!!
The only reason I derived is to perform another TCP scan on another subnet.


7.
Which of the following statements about a zone transfer is correct? (Choose 3)

A. A zone transfer is accomplished with DNS
B. A zone transfer is accomplished with the nslookup service
C. A zone transfer passes all zone information that a DNS server maintains
D. A zone transfer passes all zone information that a nslookup server maintains
E. A zone transfer can be prevented by blocking all inbound TCP port 53 connections
F. Zone transfer cannot occur on the Internet.

Ans: A , C , E

I thought the answer should be B, C, E.
Why B -> http://support.microsoft.com/kb/200525

Any comments/replies are welcome.




4  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Questions - required feedbacks/views on: October 17, 2006, 11:16:31 AM
Quote
Q2

To my knowledge 1 hr seems to be correct. But again I am not a DNS expert. It seems that the definition of the TTL has changed at some time (see hxxp://www.zytrax.com/books/dns/ch8/soa.html). Sorry I don't have time to read and give a full explanation.

I did a check and the answer is indeed 1 hour

Quote
Q 4
Are you sure you reproduced this question correctly?
"Configure web server to deny alerts from these attacks" doesn't make much sense. If the option is "Configure web server to deny unicode request", then you have a point. This is one of the ambiguous questions which I too found in CEH. Both A and B can be correct based on different scenarios.


I will look for the question once more.

5  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Questions - required feedbacks/views on: October 16, 2006, 08:22:28 AM
Hi,
I did the actualtest paper and I found their answers rather suspicious.

Q1
Doug is conducting a port scan of a target network. He knows that his client target network
has a web server and that there is a mail server which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target.
Which of the following could be the most likely cause behind this lack of response?  Select 4

a. UDP is filtered by a gateway
b. The packet TTL value is too low and cannot reach the target
c. The host might be down
d. The destination network might be down
e. The TCP window size does not match
f. ICMP is filtered by a gateway

ans: A,B,C,D

I thought the answer is A, C, D, F



Q2
You have the SOA presented below in your zone. Your secondary servers have not been able to contact your primary server to synchronise information. How long will the secondary servers attempt to contact the primary server before they consider that the zone is dead and stop responding to queries?
college.edu (200302028 3600 3600 6+4800 3600)

a. 1 day
b. 1 hour
c. 1 week
d. 1 month

Answer: C

I thought the answer is 1 hour??
60 sec x 60 = 3600 seconds


Q3
Joe is worried that the network administrator might detect the wiretap program by querying
the interfaces to see if they are running in promiscuous mode.

a. Block output to the console whenever the user runs ifconfig command by running screen
capture utility
b. Run the wiretap program in stealth mode from being detected by the ifconfig command
c. Replace original ifconfig utility with the rootkit version of ifconfig hiding
Promiscuous information being displayed on the console
d. You cannot disable Promiscuous mode detection on Linux Systems.

Answer given is D, and I thought answer should be C.

I thought we can disable it by entering -> ifconfig eth0 -promisc

Q 4
The following attack on a web server using an obstructed URL:
http://www.example.com/script.ext?template%2e%2e%2e%2e%2e%2f%65%74%63%2f%7

How to protect information systems from these attacks?

A. Configure web server to deny alerts from these attacks
B. Create rules in IDS to alert on strange Unicode requests
C. Use SSL authentication on Web Servers
D. Enable Active scripts detection at the firewall and routers.

Answer given is B

The only reason I thought of is an IDS deployed in front of the web server (DMZ segment).

What about A? Can we configure the web server to deny Unicode requests?


5.
Bubba has just accessed his preferred e-commerce web site and has spotted an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to
save the page locally, so that he can modify the page variables. In the context of web application security,
what do you think Bubba has changed?

A. A hidden form field value.
B. A hidden price value.
C. An integer variable.
D. A page cannot be changed locally, as it is served by a web server.

Answer given is A.

I was thinking whether the answer could be D.
Even if the entire page is downloaded onto our PC and we change the value locally, it doesn't reflect on the server, such as via the POST method...
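As an added example, not part of the post, here is a small Python parser that names the five SOA numbers in the order RFC 1035 defines them (serial, refresh, retry, expire, minimum), so that the timer Q2 asks about can be read off by name rather than by position. The sample record is constructed for the example and is not the one quoted in the question.

```python
import re

# Constructed SOA sample in the shape used by the exam question. RFC 1035 field order:
# serial, refresh, retry, expire, minimum (all but serial are in seconds).
SAMPLE_SOA = "college.edu (200302028 3600 3600 604800 3600)"

FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(line):
    """Return a dict of the five numeric SOA values keyed by their RFC 1035 names."""
    m = re.search(r"\(\s*([\d\s]+?)\s*\)", line)
    if not m:
        raise ValueError("no parenthesised SOA values found")
    values = [int(v) for v in m.group(1).split()]
    if len(values) != 5:
        raise ValueError(f"expected 5 SOA values, got {len(values)}")
    return dict(zip(FIELDS, values))


def humanize(seconds):
    """Express a timer in the largest unit that divides it evenly (weeks down to minutes)."""
    for unit, size in (("week", 604800), ("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size and seconds % size == 0:
            n = seconds // size
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"


def secondary_gives_up_after(line):
    """EXPIRE is how long a secondary keeps serving the zone without reaching the primary."""
    return humanize(parse_soa(line)["expire"])


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    for name in FIELDS[1:]:
        print(f"{name:8s} {soa[name]:>7d}s = {humanize(soa[name])}")
    print("secondary stops answering after:", secondary_gives_up_after(SAMPLE_SOA))
```

Refresh and retry (the second and third numbers) are both 3600 here, which is where the "1 hour" reading comes from; the question asks about the fourth number.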
© 2013 The Ethical Hacker Network