
Common Technical Interview Questions and Answers Update on February 23, 2020

Question 31: Microservices are most closely related to what other established term?
A. API
B. AWS
C. SEO
D. PaaS
Correct Answer: A. API
Explanation: In recent years, API-based and microservices architectures have become common terminology among IT pros. While the two types of technology are related, it’s important to know the difference. Microservices is a type of architecture that divides functionality between small web services. APIs, on the other hand, are interfaces that can be used to interact with applications. Microservices often use APIs to communicate to other microservices.

At one point, microservices were more commonly associated with SOA, since they’re largely an outgrowth of that approach. But as the techniques and technologies matured, the ubiquity of APIs has pushed them to the forefront for microservices architects.

Question 32: When would a microservices architecture be favorable for a company?
A. If a cloud architecture requires scalability.
B. If an application would benefit from low coupling.
C. A and B.
D. None of the above.
Correct Answer: C. A and B.
Explanation: Microservices architectures are made up of loosely coupled services that can be deployed and scaled independently of one another. To scale this type of application, IT teams can add capacity to just the components under load rather than to the whole system, which optimizes resource usage. Because the services are not tightly interdependent, teams can also test and release them discretely.

Question 33: What is a notable disadvantage to using microservices?
A. There is the potential for too much granularity.
B. Complex testing is required.
C. Latency issues can occur during heavy use.
D. All of the above.
Correct Answer: D. All of the above.
Explanation: A microservices architecture requires extra effort to design (and secure) the communication pathways between services; every service boundary is another network hop that adds latency under load, and testing has to cover the interactions between services as well as each service on its own. Microservices are designed to relieve the frustrations of monoliths; however, teams that do not understand the nuances of this approach before deployment are likely to trade one set of problems for another.

Question 34: True or false: Microservices are only meant for smaller businesses.
A. True
B. False
Correct Answer: B. False
Explanation: Despite the “micro” in its name, larger businesses have taken to this design fairly well. Amazon and Netflix are just two of the famously large enterprises that have pioneered this style of architecture.

Question 35: Claire is surfing the Web and, after some time, a message pops up stating her system has been infected by malware and offering a button to click for removal of the virus. After she clicks the button, another message window appears stating the system has been quarantined due to the nature of the infection and provides a link with instructions to pay in order to regain control and to clear the virus. Which of the following best describes this infection?
A. Spyware
B. Ransomware
C. Trojan
D. Adware
Correct Answer: B. Ransomware
Explanation: Ransomware isn’t anything new, but it sure has attracted new attention from EC-Council. The name itself gives away its purpose: the malware infects your system and then restricts access to your files and folders, demanding a ransom payment to get control back. ECC lists five different ransomware families: Cryptorbit, Cryptolocker, Cryptodefense, Cryptowall, and police-themed. Usually the online payment involves bitcoin, but it can take other avenues. In any case, never pay off the attacker — you’re only signing yourself up for future terror. Cleaning off ransomware may involve booting into Safe Mode, or even using System Restore on Windows systems. You may even get away with an external AV scan as a fix action, but be sure to scrub the system for hidden files, folders, and persistence mechanisms the ransomware may have left behind. Lastly, I can’t overstate the value of good, solid, dependable backups. Even if you’re foolish enough to pay the ransom, there is no guarantee any of your files will remain accessible after the “unlock” — and could you trust them anyway? Invest in good backups, keep at least one copy offline or otherwise unreachable from the network the ransomware can see (modern families go after reachable backups first), and run them religiously.

Spyware is incorrect because this does not describe spyware. Spyware is a type of malware that covertly collects information about a user.

Trojan is incorrect because this does not describe a Trojan. A Trojan is a non-self-replicating program that appears to have a useful purpose but in reality has a different, malicious purpose.

Adware is incorrect because this does not describe adware. Adware is software that has advertisements embedded within it. It generally displays ads in the form of pop-ups.

Question 36: Pen test team member Amy attempts to guess the ISN for a TCP session. Which attack is she most likely carrying out?
A. XSS
B. Session splicing
C. Session hijacking
D. Multipartite attack
Correct Answer: C. Session hijacking
Explanation: The idea behind session hijacking is fairly simple: the attacker waits for a session to begin and, after all the pesky authentication gets done, jumps in to steal the session for herself. In practice it’s a little harder and more complicated than that, but the key to the whole attack is knowing the sequence numbers in use, which start from the initial sequence number (ISN) each side picks for the session. The initiator sends its ISN in the first step (SYN). In the second step (SYN/ACK) the recipient acknowledges it by placing that ISN plus 1 in the acknowledgment field and supplies its own ISN. In the third step (ACK) the initiator acknowledges the recipient’s ISN plus 1, and from there on out communication can occur; every byte of data sent afterward advances the sender’s sequence number, so whoever knows both ISNs and the byte counts can forge segments the other end will accept. Per EC-Council, the following steps describe the session hijack:

  1. Sniff the traffic between the client and the server.
  2. Monitor the traffic and predict the sequence numbering.
  3. Desynchronize the session with the client.
  4. Predict the session token and take over the session.
  5. Inject packets to the target server.

For what it’s worth, pulling this attack off EC-Council’s way requires you to do some fairly significant traffic sniffing, and if you’re already positioned to sniff the traffic, you can simply read the sequence numbers off the wire rather than predict them. Predicting them blind is impractical against any modern stack anyway: since RFC 1948 (now RFC 6528) ISNs are derived from a keyed hash of the connection’s addresses and ports plus a clock, not from a simple counter. You need to know it for the exam, but real-world application is rare, and if the session is wrapped in TLS the application will reject injected data even when the TCP layer accepts it.
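As an added example (not from the original question or from EC-Council’s material), here is the arithmetic behind steps 2 and 4 above in Python: a passive tracker parses a constructed TCP handshake and the first authenticated exchange, then builds the segment an attacker would inject as the client, carrying the sequence and acknowledgment numbers the server currently expects. Ports, ISNs and payloads are constructed; real traffic also needs IP headers and a valid TCP checksum, which this model omits.

```python
import struct

MASK = 0xFFFFFFFF
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def build_tcp(src_port, dst_port, seq, ack, flags, payload=b""):
    """Minimal 20-byte TCP header, no options; window fixed, checksum left zero (not needed here)."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, 65535, 0, 0) + payload


def parse_tcp(raw):
    """Return (src_port, dst_port, seq, ack, flags, payload) from a raw TCP segment."""
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    header_len = (off_flags >> 12) * 4
    return src, dst, seq, ack, off_flags & 0x1FF, raw[header_len:]


class HijackTracker:
    """Follow a sniffed session and compute what an injected segment must carry."""

    def __init__(self):
        self.client_isn = self.server_isn = None
        self.client_next = self.server_next = None   # next seq each side will send
        self.client_port = self.server_port = None

    def observe(self, raw, from_client):
        """Feed one sniffed segment. Sniffing means the ISNs are read, not guessed;
        with RFC 6528 randomisation, guessing them blind is impractical anyway."""
        src, dst, seq, ack, flags, payload = parse_tcp(raw)
        # SYN and FIN each consume one sequence number; data consumes len(payload).
        advance = len(payload) + (1 if flags & (TCP_SYN | TCP_FIN) else 0)
        if from_client:
            if flags == TCP_SYN:                          # step 1: client ISN
                self.client_isn, self.client_port, self.server_port = seq, src, dst
            self.client_next = (seq + advance) & MASK
        else:
            if flags == (TCP_SYN | TCP_ACK):              # step 2: server ISN, acks client ISN + 1
                if ack != self.client_next:
                    raise ValueError("SYN/ACK does not acknowledge client ISN + 1")
                self.server_isn = seq
            self.server_next = (seq + advance) & MASK

    def forge_as_client(self, payload):
        """Build the segment the server will accept as the client's next in-order data."""
        raw = build_tcp(self.client_port, self.server_port, self.client_next,
                        self.server_next, TCP_ACK | TCP_PSH, payload)
        self.client_next = (self.client_next + len(payload)) & MASK   # server's expectation moves on
        return raw


def demo(client_isn=0x1000, server_isn=0x5000):
    """Constructed session: client port 40000 -> server port 80, then one request/response."""
    t = HijackTracker()
    t.observe(build_tcp(40000, 80, client_isn, 0, TCP_SYN), True)
    t.observe(build_tcp(80, 40000, server_isn, client_isn + 1, TCP_SYN | TCP_ACK), False)
    t.observe(build_tcp(40000, 80, client_isn + 1, server_isn + 1, TCP_ACK), True)
    # The authenticated traffic the attacker waited for: 10 bytes up, 19 bytes down.
    t.observe(build_tcp(40000, 80, client_isn + 1, server_isn + 1,
                        TCP_ACK | TCP_PSH, b"GET / HTTP"), True)
    t.observe(build_tcp(80, 40000, server_isn + 1, client_isn + 11,
                        TCP_ACK | TCP_PSH, b"HTTP/1.1 200 OK\r\n\r\n"), False)
    legit_client_next = t.client_next            # what the real client will use next
    forged = t.forge_as_client(b"EVIL!")
    _, _, seq, ack, _, _ = parse_tcp(forged)
    return {
        "client_isn": t.client_isn, "server_isn": t.server_isn,
        "forged_seq": seq, "forged_ack": ack,
        # Step 3 in effect: the real client's next seq is now stale from the server's view.
        "legit_client_desynced": legit_client_next != t.client_next,
    }
```

The `observe` method trusts what it sniffs rather than predicting anything, which is the point made above: once you are on the path, the ISNs are data, not a puzzle. The desync flag shows why step 3 happens as a side effect of step 5: after the forged bytes land, the legitimate client’s own counter lags the server’s expectation, so its next real segment is treated as a retransmission.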

XSS is incorrect because cross-site scripting is a web application attack.

Session splicing is incorrect because session splicing is an IDS evasion method. The attacker delivers a payload that the IDS would have otherwise seen by “slicing” it over multiple packets. The payload can be spread out over a long period of time.

Multipartite attack is incorrect because multipartite refers to a virus type, not an attack that requires ISN determination.

Question 37: An attacker is attempting a DoS attack against a machine. She first spoofs the target’s IP address and then begins sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?
A. ICMP flood
B. Ping of death
C. SYN flood
D. Smurf
E. Fraggle
Correct Answer: D. Smurf
Explanation: A smurf attack is a generic denial-of-service (DoS) attack against a target machine. The idea is simple: have so many ICMP echo replies arriving at the target that all its resources are taken up. To accomplish this, the attacker spoofs the target’s IP address as the source and sends thousands of ping requests to a subnet’s broadcast address (hence the broadcast MAC FF:FF:FF:FF:FF:FF in the question). This, in effect, pings every machine on the subnet, and every machine that is configured to answer replies to the spoofed source, crushing the target’s network resources. The attack is largely historical: routers have long refused to forward directed broadcasts by default (Cisco IOS has shipped with no ip directed-broadcast since 12.0) and hosts ignore broadcast pings (Linux defaults to net.ipv4.icmp_echo_ignore_broadcasts = 1), but the same spoofed-source reflection idea lives on in DNS, NTP and memcached amplification attacks.

ICMP flood is incorrect because an ICMP flood does not act this way. In that attack, the hacker sends ICMP Echo packets directly to the target with spoofed (fake) source addresses, so the target spends its resources answering hosts that never asked and eventually hits the limit of packets it can process.

Ping of death is incorrect because a ping of death does not act this way. It’s not a valid attack against modern systems because of preventative measures in the OS. In the ping of death, an attacker sends an ICMP message in fragments that, when reassembled, produce a packet larger than the 65,535-byte maximum an IP datagram may be, and the oversized buffer crashes the system. As an aside, each OS has its own implementation of the network protocols, and bugs in those implementations are what open up hacking (DDoS and otherwise) options like this.

SYN flood is incorrect because a SYN flood takes place when an attacker sends many SYN packets to a target and never acknowledges the returned SYN/ACKs, filling the target’s table of half-open connections. Protections such as SYN cookies mean it does not necessarily work against modern systems, although volumetric SYN floods remain common.

Fraggle is incorrect because a fraggle attack uses UDP packets. The same principle applies, a spoofed source IP and requests sent to the broadcast address, but the requests go to UDP services that answer back, classically echo (port 7) and chargen (port 19).
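Added detection example, not part of the original page: smurf and fraggle are reflection attacks, so from the victim’s side the tell-tale is a burst of unsolicited echo replies (ICMP, or UDP echo/chargen answers) from many distinct hosts it never sent a request to, and from the amplifier network’s side it is a request aimed at the subnet broadcast address. The flow-log format, the addresses and the “.255 means directed broadcast” shortcut below are constructed for the example; production code would check against real subnet masks.

```python
from collections import defaultdict

# Constructed flow log: time, proto, src -> dst, then ICMP type or UDP length.
SAMPLE_FLOWS = """\
0.000 icmp 203.0.113.7 -> 192.0.2.255 echo-request
0.001 icmp 192.0.2.10 -> 203.0.113.7 echo-reply
0.001 icmp 192.0.2.11 -> 203.0.113.7 echo-reply
0.002 icmp 192.0.2.12 -> 203.0.113.7 echo-reply
0.002 icmp 192.0.2.13 -> 203.0.113.7 echo-reply
0.003 icmp 192.0.2.14 -> 203.0.113.7 echo-reply
0.050 icmp 198.51.100.20 -> 198.51.100.21 echo-request
0.051 icmp 198.51.100.21 -> 198.51.100.20 echo-reply
0.100 udp 203.0.113.7:5555 -> 192.0.2.255:7 len=1000
0.101 udp 192.0.2.10:7 -> 203.0.113.7:5555 len=1000
0.101 udp 192.0.2.11:7 -> 203.0.113.7:5555 len=1000
0.102 udp 192.0.2.12:7 -> 203.0.113.7:5555 len=1000
"""

ECHO_LIKE_UDP = {7, 19}   # echo and chargen: the classic fraggle reflectors


def parse_flow(line):
    ts, proto, src, _, dst, info = line.split()
    src_host, _, src_port = src.partition(":")
    dst_host, _, dst_port = dst.partition(":")
    return {"ts": float(ts), "proto": proto, "src": src_host, "dst": dst_host,
            "sport": int(src_port) if src_port else None,
            "dport": int(dst_port) if dst_port else None, "info": info}


def is_request(f):
    return (f["proto"] == "icmp" and f["info"] == "echo-request") or \
           (f["proto"] == "udp" and f["dport"] in ECHO_LIKE_UDP)


def is_reply(f):
    return (f["proto"] == "icmp" and f["info"] == "echo-reply") or \
           (f["proto"] == "udp" and f["sport"] in ECHO_LIKE_UDP)


def detect_reflection(log_text, min_reflectors=3):
    """Return (findings, broadcast_probes).

    findings: victims receiving replies from >= min_reflectors hosts they never queried.
    broadcast_probes: requests aimed at a broadcast address; their source is the
    claimed (spoofed) victim as seen from inside the amplifier network."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    solicited = set()                                     # (requester, responder) pairs seen
    unsolicited = defaultdict(lambda: defaultdict(set))   # victim -> kind -> reflectors
    broadcast_probes = []
    for f in flows:
        if is_request(f):
            solicited.add((f["src"], f["dst"]))
            # Assumption for the example: a .255 host part marks a directed broadcast.
            if f["dst"].endswith(".255"):
                broadcast_probes.append((f["src"], f["dst"], f["proto"]))
        elif is_reply(f) and (f["dst"], f["src"]) not in solicited:
            kind = "smurf" if f["proto"] == "icmp" else "fraggle"
            unsolicited[f["dst"]][kind].add(f["src"])
    findings = []
    for victim, kinds in unsolicited.items():
        for kind, reflectors in kinds.items():
            if len(reflectors) >= min_reflectors:
                findings.append({"victim": victim, "kind": kind, "reflectors": len(reflectors)})
    return sorted(findings, key=lambda x: x["kind"]), broadcast_probes
```

The benign ping between 198.51.100.20 and .21 is not flagged because the reply matches a request the victim really sent; the spoofed requests to 192.0.2.255 never produce a matching (victim, reflector) pair, which is exactly what makes the replies unsolicited.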

Question 38: In May of 2017, this ransomware took advantage of a Windows SMB vulnerability known as the Eternal Blue exploit and spread worldwide in a matter of hours. A hidden kill switch inside the coding was quickly discovered, halting its spread. Which of the following best fits this description?
A. Petya
B. WannaCry
C. Zeus
D. Botnet
Correct Answer: B. WannaCry
Explanation: WannaCry was one of the fastest spreading, most dangerous ransomware variants of all time. Taking advantage of EternalBlue (an exploit for the MS17-010 SMBv1 vulnerability that was developed by the NSA and leaked by the Shadow Brokers in April 2017), WannaCry spread to systems worldwide in a matter of hours, demanding ransom payment in bitcoin. Despite the patch having been available since March 2017, for many and varied reasons a vast number of systems were unpatched and unprepared for the attack. A built-in kill switch was discovered within days: before detonating, the malware tried to contact a hard-coded, unregistered domain and exited if it got a response, so a researcher registering that domain stopped new infections in their tracks.

Petya is incorrect because the Petya variant of June 2017 (widely called NotPetya), while also exploiting EternalBlue, had a few differences from its WannaCry sibling. Petya, in large measure, appeared to be ransomware you couldn’t pay off: the payment mailbox was shut down almost immediately and the displayed “installation ID” could not actually be used to recover a key. Given its release through a trojanized update of the Ukrainian M.E.Doc accounting software and its initial concentration in Ukraine, speculation was that it was a politically motivated, destructive wiper dressed as ransomware rather than a legitimate ransomware effort.

Zeus is incorrect because Zeus is a banking Trojan.

Botnet is incorrect because a botnet refers to a group of zombie systems controlled by an attacker.
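Added detection example (not from the page): whatever the payload, the worm behaviour described above looks the same on the wire, one host opening tcp/445 to many distinct peers in a short window, including routable internet addresses it has no business talking SMB to. The rule below runs over constructed connection-log lines with a sliding time window per source; the log format, addresses, window and threshold are the example’s own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

# Constructed connection log: timestamp, source, destination:port, TCP flag.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.5 -> 10.0.0.21:445 SYN
2017-05-12T10:00:00 10.0.0.5 -> 10.0.0.22:445 SYN
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.23:445 SYN
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.24:445 SYN
2017-05-12T10:00:01 10.0.0.5 -> 198.51.100.9:445 SYN
2017-05-12T10:00:02 10.0.0.5 -> 203.0.113.44:445 SYN
2017-05-12T10:00:02 10.0.0.9 -> 10.0.0.2:445 SYN
2017-05-12T10:00:03 10.0.0.9 -> 10.0.0.2:445 SYN
2017-05-12T10:00:04 10.0.0.5 -> 10.0.0.21:445 SYN
2017-05-12T10:00:09 10.0.0.9 -> 10.0.0.2:443 SYN
2017-05-12T10:05:00 10.0.0.9 -> 10.0.0.3:445 SYN
"""

# RFC 1918 space spelled out, so that documentation ranges like 198.51.100.0/24
# (which Python's ipaddress treats as non-global) still count as "external" here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    ts, src, _, dst, _flag = line.split()
    host, _, port = dst.rpartition(":")
    return datetime.fromisoformat(ts), src, host, int(port)


def smb_fanout(log_text, window_s=60, min_peers=5):
    """Alert on sources reaching >= min_peers distinct hosts on tcp/445 within window_s seconds."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)          # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, port in events:
        if port != 445:                  # only SMB matters for this rule
            continue
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        peers = {d for _, d in window}
        if len(peers) >= min_peers:
            # Routable destinations are the sign of random internet scanning, not lateral movement.
            external = sorted(d for d in peers if not is_internal(d))
            alerts[src] = {"first_seen": window[0][0].isoformat(),
                           "peers": len(peers), "external": external}
    return alerts
```

Host 10.0.0.9 talks to one file server repeatedly and is never flagged; 10.0.0.5 hits six distinct SMB peers in four seconds, two of them on the public internet. Blocking outbound tcp/445 at the perimeter and applying MS17-010 would have stopped both the detection and the infection, which is the real lesson of the question.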

Question 39: A pen test team member types the following command:
nc 222.15.66.78 -p 8765
Which of the following statements is true regarding this attempt?
A. The attacker is attempting to connect to an established listening port on a remote computer.
B. The attacker is establishing a listening port on his machine for later use.
C. The attacker is attempting a DoS against a remote computer.
D. The attacker is attempting to kill a service on a remote machine.
Correct Answer: A. The attacker is attempting to connect to an established listening port on a remote computer.
Explanation: As stated earlier, Netcat is a wonderful tool that allows remote access wizardry on a machine, and you’ll need to be able to recognize the basics of the syntax. In the command example, Netcat is being told, “Please attempt a connection to the machine with the IP address of 222.15.66.78 on port 8765; I believe you’ll find the port in a listening state, waiting for our arrival.” Obviously at some point previous to issuing this command on his local machine, the pen tester planted Netcat on the remote system (222.15.66.78) and left it listening. He may have set it up with command-shell access (allowing a Telnet-like connection to issue commands at will) using the following command:

nc -L -p 8765 -t -e cmd.exe

Here -L tells the Windows build to keep listening after a client disconnects (lowercase -l listens once), -p sets the listening port, -t answers Telnet option negotiation so a plain Telnet client can drive it, and -e hands the connection to cmd.exe. One caveat for real-world use: in the original Netcat the connect syntax is nc <host> <port>, and -p on the client side sets the local source port rather than the remote one, so read the question’s nc 222.15.66.78 -p 8765 as exam shorthand for “port 8765 on 222.15.66.78”.

“The attacker is establishing a listening port on his machine for later use” is incorrect because this command is issued on the client side of the setup, not the server side. At some point previously, the port was set to a listening state, and this Netcat command will access it.

“The attacker is attempting a DoS against a remote computer” is incorrect because this command is not attempting a denial of service against the target machine. It’s included here as a distractor.

“The attacker is attempting to kill a service on a remote machine” is incorrect because this command is not attempting to kill a process or service on the remote machine. It’s included here as a distractor.

Question 40: Which of the following takes advantage of weaknesses in the fragment reassembly functionality of TCP/IP?
A. Teardrop
B. SYN flood
C. Smurf attack
D. Ping of death
Correct Answer: A. Teardrop
Explanation: ECC can be rather capricious in their choice of which attacks to test and which not to, and sometimes they look far into the past for question material. In a teardrop attack, overlapping, mangled packet fragments are sent in an effort to confuse a target system, causing it to reboot or crash. Teardrop exploited an overlapping IP fragment bug present in Windows 95, Windows NT, and Windows 3.1 machines, as well as early versions of Linux (before 2.0.32), all of it more than twenty years old by now. The attack was really more of an annoyance than anything because a reboot clears it all up; however, anything that was open and altered, sitting unsaved on the device, would be lost. Modern stacks bounds-check reassembly and simply drop overlapping fragments (IPv6 has required that since RFC 5722), so finding this attack working against current systems is virtually impossible.

SYN flood is incorrect because a SYN flood attack exhausts connections on a device by flooding it with thousands of open SYN packets, never sending any acknowledgments to the return SYN/ACKs.

Smurf attack is incorrect because a smurf attack involves spoofing the target’s address and then pinging the broadcast address with it. The resulting responses of thousands of ICMP packets kill the machine.

Ping of death is incorrect because the ping of death attack involves sending a ping whose fragments, once reassembled, exceed the 65,535-byte IP maximum. The oversized packet overflows the reassembly buffer and kills the target machine.
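Added example, not from the page: a Python model of the reassembly flaw teardrop abused, beside a strict reassembler that rejects what the old code accepted. The vulnerable function follows the shape of the era’s Linux trimming logic (skip the overlapping prefix, then copy end minus offset bytes) without claiming to be that code; the fragment offsets and lengths are constructed, byte offsets stand in for the 8-byte units real IP headers use, and a 32-bit size_t is assumed.

```python
SIZE_T_BITS = 32   # assumption: 32-bit kernel of the era


def vulnerable_trim(prev_end, offset, end):
    """Old behaviour: if the new fragment overlaps the previous one, skip the overlapping
    prefix, then compute how many bytes to copy. Nothing checks that the fragment still
    has bytes left, so a fragment that ends *inside* the previous one yields a negative
    length, which memcpy() then takes as an enormous size_t."""
    if prev_end > offset:
        offset = prev_end
    return end - offset


def as_size_t(n, bits=SIZE_T_BITS):
    """What a negative int becomes when passed as size_t."""
    return n & ((1 << bits) - 1)


def reassemble_strict(fragments):
    """fragments: (byte_offset, payload, more_fragments). Overlaps and gaps are rejected,
    non-final fragments must be 8-byte multiples, and the MF flag must match position."""
    frags = sorted(fragments, key=lambda f: f[0])
    out, expected = bytearray(), 0
    for i, (offset, payload, more) in enumerate(frags):
        if offset != expected:
            raise ValueError(f"fragment at {offset} overlaps or leaves a gap (expected {expected})")
        if more and len(payload) % 8:
            raise ValueError("non-final fragment must be a multiple of 8 bytes")
        if more != (i < len(frags) - 1):
            raise ValueError("more-fragments flag does not match fragment position")
        out += payload
        expected += len(payload)
    return bytes(out)


def teardrop_demo():
    """Constructed teardrop-style pair: the second fragment lies wholly inside the first."""
    frag_a = (0, b"\x00" * 32, True)    # bytes 0..31, more fragments follow
    frag_b = (24, b"\x00" * 4, False)   # bytes 24..27, claims to be the last fragment
    prev_end = frag_a[0] + len(frag_a[1])
    bad_len = vulnerable_trim(prev_end, frag_b[0], frag_b[0] + len(frag_b[1]))
    try:
        reassemble_strict([frag_a, frag_b])
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_len": bad_len, "as_size_t": as_size_t(bad_len), "strict_rejected": rejected}
```

An ordinary overlap (a fragment that extends past the previous one) was trimmed correctly by the old logic; only a fragment contained entirely within an earlier one drove the length negative, which is why the exploit needed two precisely mangled fragments rather than random garbage.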